[ubuntu/saucy-proposed] chromium-browser 28.0.1500.52-0ubuntu2 (Accepted)

Chad MILLER chad.miller at canonical.com
Wed Jun 26 20:55:42 UTC 2013


chromium-browser (28.0.1500.52-0ubuntu2) saucy; urgency=low

  [Chad MILLER]
  * New stable release 28.0.1500.52
  * New stable release 28.0.1500.45
  * New stable release 27.0.1453.110:
    - CVE-2013-2855: Memory corruption in dev tools API.
    - CVE-2013-2856: Use-after-free in input handling.
    - CVE-2013-2857: Use-after-free in image handling.
    - CVE-2013-2858: Use-after-free in HTML5 Audio.
    - CVE-2013-2859: Cross-origin namespace pollution.
    - CVE-2013-2860: Use-after-free with workers accessing database APIs.
    - CVE-2013-2861: Use-after-free with SVG.
    - CVE-2013-2862: Memory corruption in Skia GPU handling.
    - CVE-2013-2863: Memory corruption in SSL socket handling.
    - CVE-2013-2864: Bad free in PDF viewer.
  * New stable release 27.0.1453.93:
    - CVE-2013-2837: Use-after-free in SVG.
    - CVE-2013-2838: Out-of-bounds read in v8.
    - CVE-2013-2839: Bad cast in clipboard handling.
    - CVE-2013-2840: Use-after-free in media loader.
    - CVE-2013-2841: Use-after-free in Pepper resource handling.
    - CVE-2013-2842: Use-after-free in widget handling.
    - CVE-2013-2843: Use-after-free in speech handling.
    - CVE-2013-2844: Use-after-free in style resolution.
    - CVE-2013-2845: Memory safety issues in Web Audio.
    - CVE-2013-2846: Use-after-free in media loader.
    - CVE-2013-2847: Use-after-free race condition with workers.
    - CVE-2013-2848: Possible data extraction with XSS Auditor.
    - CVE-2013-2849: Possible XSS with drag+drop or copy+paste.
  * Drop unneeded patches,
      safe-browsing-sigbus.patch
      dont-assume-cross-compile-on-arm.patch
      struct-siginfo.patch
      ld-memory-32bit.patch
      dlopen_sonamed_gl.patch
  * Temporarily disable webapps patches.
  * Update arm-neon patch, format-flag patch, search-credit patch,
    title-bar-system-default patch.
  * Make get-orig-source nicer.  Package tarball contents from upstream
    correctly.
  * Reenable dyn-linking of major components of chromium for 32-bit machines.
    Fix a libdir path bug in debian/chromium-browser.sh.in .
  * No longer try to use system libraries. Generally, Security Team would
    hate bundled libraries because they provide a wide liability, but
    Chromium Project is pretty good about maintaining their bundled-source
    libraries. We can not pull cr-required lib versions forward in older
    Ubuntus, and we can't guarantee all the distro versions of libraries work
    with chromium-browser. The default security policy might be worse. Bundled
    libraries is less work overall.
  * Exclude included XDG files even if they are built.
  * Use NEON instructions on ARM, optionally. This might use run-time checks
    for hardware capability, but even if it doesn't we can add it later.
  * Clean up difference checks in debian/rules that make sure that all files
    that the build makes are used in packages, and no longer hide any, and no
    longer consider it an error if some are unused.  Treat it as a warning,
    not a fatality.
  * Use legible shell instead of make-generated shell in setting the rpath
    in rules.
  * Add new build-dep, "chrpath".

  [Chris Coulson]
  * debian/rules: Disable tcmalloc on all component builds, not just on
    arm builds.

chromium-browser (26.0.1410.63-0ubuntu3) saucy; urgency=low

  * Work around SEGV on ARMHF that's caused by tcmalloc.

chromium-browser (26.0.1410.63-0ubuntu2) saucy; urgency=low

  * Work around missing AppArmor feature. Set environment explicitly
    to disallow breaking out of apparmor protection. (LP: #1045986)
  * Use more system libraries, libxml, libjpeg, bzip2, libxslt, flac,
    libevent, protobuf, speex, xdg_utils, yasm, but not a few others -- in
    particular,
      - libpng causes render hangs,
      - sqlite causes link failures.
    Updating debian/rules, and dropping the removed ones from debian/control .
  * debian/rules:
    - Use actual original upstream tarball.  No SVN snapshots, no gclient.
    - Rip out compiler-targeting.  All versions should work.
    - Always use sandbox.  It shouldn't be an option.  Nothing works without it
      any more.
  * Drop build-dep on subversion.  Not required with pristine orig.tar
    get-original-source.
  * Simplify debian/rules and use the built-in parameter for telling GYP config
    to include debug symbols.
  * Include upstream patch debian/patches/ld-memory-32bit.patch that makes
    32 bit machines more likely to use BFD linker and include parameters
    that make it more memory efficient.
  * GCC doesn't allow -Wno-format with hardening -Werror=format-security .
    Add debian/patches/format-flag.patch .
  * Since we're Depending on xdg-settings, don't try to install one from
    upstream.  Change debian/chromium-browser.install .
  * Invert sense of a quantal+ test so that we don't have to track things
    forever.  Name things we know about, instead of things that don't exist
    yet.  Update debian/rules .
  * Drop old unused sizes of icons to install from debian/rules .
  * Always default chromium to using the system title bar.  Add
    debian/patches/title-bar-default-system.patch .
  * Default third-party cookies to most secure to users: off.  Add
    debian/patches/third-party-cookies-off-by-default.patch .
  * Remove flags that make several useful application actions only appear
    on Unity.  Update debian/chromium-browser.desktop .
  * Add a lp:app-install-data-ubuntu flag that names the package.  Update
    debian/chromium-browser.desktop .
  * Remove full path from freedesktop default-apps file.  Update
    debian/chromium-browser.xml .

chromium-browser (26.0.1410.63-0ubuntu1) raring; urgency=low

  [Chris Coulson]
  * Make it possible to build armv7 without neon optimizations
    - update debian/patches/arm-neon.patch
  * Don't assume that arm linux builds are cross-builds
    - add debian/patches/dont-assume-cross-compile-on-arm.patch
    - update debian/patches/series

  [Chad MILLER]
  * debian/chromium-browser.desktop: No absolute path to executable.  Use PATH
    from environment.  LP:1008741
  * Make the "clean" rule behave better. Test differently for src/obj/ and
    never involve the upstream Makefile.  Update debian/rules .
  * Don't over-clean. The makefiles generated by GYP are fine to include in
    orig tarball.
  * Use Google API keys in Ubuntu, as approved by Paweł Hajdan @ Google.
  * New stable version 26.0.1410.63.  No CVEs to report.
  * New stable version 26.0.1410.43:
    - CVE-2013-0916: Use-after-free in Web Audio.
    - CVE-2013-0917: Out-of-bounds read in URL loader.
    - CVE-2013-0918: Do not navigate dev tools upon drag and drop.
    - CVE-2013-0919: Use-after-free with pop-up windows in extensions.
    - CVE-2013-0920: Use-after-free in extension bookmarks API.
    - CVE-2013-0921: Ensure isolated web sites run in their own processes.
    - CVE-2013-0922: Avoid HTTP basic auth brute force attempts.
    - CVE-2013-0923: Memory safety issues in the USB Apps API.
    - CVE-2013-0924: Check an extension’s permissions API usage against file
      permissions.
    - CVE-2013-0925: Avoid leaking URLs to extensions without the tabs
      permissions.
    - CVE-2013-0926: Avoid pasting active tags in certain situations.
  * Update webapps patches.
  * debian/patches/arm-crypto.patch .  Drop patch.  Unnecessary now.
  * Always use verbose building.  Update debian/rules .
  * Always use sandbox.  It shouldn't be an option.  Nothing works without it
    any more. Update debian/rules .
  * Always use extra debugging "-g" flag.  Update debian/rules .
  * Try to be more multiarch aware. Update debian/control .
  * Drop many lintian overrides.  Update debian/source/lintian-overrides .
  * Include autotools-dev in build-deps so that cdbs will update autoconf
    helper files in source automatically.  Update debian/control .
  * Update standards version to 3.9.4 in debian/control .
  * When executable is split into libraries, strip debug symbols from
    enormous libraries even in dbg packages.  This affects webkit only,
    in actuality.  Update debian/rules .
  * Clean up some "tar" usage in debian/rules .
  * Don't include hardening on armhf.  Update debian/rules .
  * Drop extraneous no-circular-check in debian/rules GYP run.
  * Work around a SIGBUS on ARM. Added
    debian/patches/safe-browsing-sigbus.patch
  * Insert multilib info directly into nss runtime library loading. Update
    debian/rules .
  * Enable NEON support for hard-float ARM.  Actual use should be a
    runtime check, or is a bug.

Date: Thu, 20 Jun 2013 14:54:43 -0400
Changed-By: Chad MILLER <chad.miller at canonical.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Signed-By: Chris Coulson <chris.coulson at canonical.com>
https://launchpad.net/ubuntu/saucy/+source/chromium-browser/28.0.1500.52-0ubuntu2
-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 20 Jun 2013 14:54:43 -0400
Source: chromium-browser
Binary: chromium-browser chromium-browser-dbg chromium-browser-l10n chromium-codecs-ffmpeg chromium-codecs-ffmpeg-dbg chromium-codecs-ffmpeg-extra chromium-codecs-ffmpeg-extra-dbg chromium-chromedriver
Architecture: source
Version: 28.0.1500.52-0ubuntu2
Distribution: saucy
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Chad MILLER <chad.miller at canonical.com>
Description: 
 chromium-browser - Chromium browser
 chromium-browser-dbg - chromium-browser debug symbols
 chromium-browser-l10n - chromium-browser language packages
 chromium-chromedriver - WebDriver driver for the Chromium Browser
 chromium-codecs-ffmpeg - Free ffmpeg codecs for the Chromium Browser
 chromium-codecs-ffmpeg-dbg - chromium-codecs-ffmpeg debug symbols
 chromium-codecs-ffmpeg-extra - Extra ffmpeg codecs for the Chromium Browser
 chromium-codecs-ffmpeg-extra-dbg - chromium-codecs-ffmpeg-extra debug symbols
Launchpad-Bugs-Fixed: 1045986
Checksums-Sha1: 
 ffe5e29cb4661bbc289e42c8072a959cd2904d2b 2960 chromium-browser_28.0.1500.52-0ubuntu2.dsc
 dc65e326a562c0d880cbddbcedb75c2f6915e138 158405280 chromium-browser_28.0.1500.52.orig.tar.xz
 a6fd10b05c598e4f95a8df3d10333d4e18df2e56 242652 chromium-browser_28.0.1500.52-0ubuntu2.debian.tar.gz
Checksums-Sha256: 
 a56697602f38808e6c8a4b68b7881d2e13a4c47453e945aa38f6e33f0802c170 2960 chromium-browser_28.0.1500.52-0ubuntu2.dsc
 217b58cb828db31082f10833998f5570021319f11bd1fae3da738727432f0f8f 158405280 chromium-browser_28.0.1500.52.orig.tar.xz
 49e48db4487822b68e37cea89e34dc019e7deb9b9c7439638121528ff5aa947d 242652 chromium-browser_28.0.1500.52-0ubuntu2.debian.tar.gz
Files: 
 c70a939eb592c2debd1305c2ccb06452 2960 web optional chromium-browser_28.0.1500.52-0ubuntu2.dsc
 78da96960a30055ad7d554a906f7c720 158405280 web optional chromium-browser_28.0.1500.52.orig.tar.xz
 a70814cae1408bdb061406f80a99e78b 242652 web optional chromium-browser_28.0.1500.52-0ubuntu2.debian.tar.gz
Original-Maintainer: Micah Gersten <micahg at ubuntu.com>, Fabien Tassin <fta at ubuntu.com>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

-----END PGP SIGNATURE-----

