[ubuntu/trusty-security] chromium-browser 52.0.2743.116-0ubuntu0. (Accepted)

Chris Coulson chrisccoulson at ubuntu.com
Tue Sep 6 16:44:12 UTC 2016

chromium-browser (52.0.2743.116-0ubuntu0. trusty-security; urgency=medium

  * Upstream release 52.0.2743.116:
    - CVE-2016-5141 Address bar spoofing.
    - CVE-2016-5142 Use-after-free in Blink.
    - CVE-2016-5139 Heap overflow in pdfium.
    - CVE-2016-5140 Heap overflow in pdfium.
    - CVE-2016-5145 Same origin bypass for images in Blink.
    - CVE-2016-5143 Parameter sanitization failure in DevTools.
    - CVE-2016-5144 Parameter sanitization failure in DevTools.
    - CVE-2016-5146: Various fixes from internal audits, fuzzing and other
  * Exclude harfbuzz from system-library use.
  * Upstream release 52.0.2743.82:
    - CVE-2016-1706: Sandbox escape in PPAPI.
    - CVE-2016-1707: URL spoofing on iOS.
    - CVE-2016-1708: Use-after-free in Extensions.
    - CVE-2016-1709: Heap-buffer-overflow in sfntly.
    - CVE-2016-1710: Same-origin bypass in Blink.
    - CVE-2016-1711: Same-origin bypass in Blink.
    - CVE-2016-5127: Use-after-free in Blink.
    - CVE-2016-5128: Same-origin bypass in V8.
    - CVE-2016-5129: Memory corruption in V8.
    - CVE-2016-5130: URL spoofing.
    - CVE-2016-5131: Use-after-free in libxml.
    - CVE-2016-5132: Limited same-origin bypass in Service Workers.
    - CVE-2016-5133: Origin confusion in proxy authentication.
    - CVE-2016-5134: URL leakage via PAC script.
    - CVE-2016-5135: Content-Security-Policy bypass.
    - CVE-2016-5136: Use after free in extensions.
    - CVE-2016-5137: History sniffing with HSTS and CSP.
    - CVE-2016-1705: Various fixes from internal audits, fuzzing and other
  * Upstream release 51.0.2704.106
  * Upstream release 51.0.2704.103:
    - CVE-2016-1704: Various fixes from internal audits, fuzzing and other
  * debian/control: remvove build-dep on clang.
  * Sync many things from debian:
    - No longer build remoting, or install its locale files.
    - Use many system libraries, adding build-dep on
        - libre2-dev,
        - yasm,
        - libopus-dev,
        - zlib1g-dev,
        - libspeex-dev,
        - libspeechd-dev,
        - libexpat1-dev,
        - libpng-dev,
        - libxml2-dev,
        - libjpeg-dev,
        - libwebp-dev,
        - libxslt-dev,
        - libsrtp-dev,
        - libjsoncpp-dev,
        - libevent-dev,
    - Clean up many parts of debian/rules, wrt variable names
    - Set hardening on.
    - Use gold linker.
    - Disable Google Now. Creepy. Might mean downloads of opaque programs too.
    - Disable Wallet service.
  * debian/compat: Use dh version 9.
  * debian/rules: Improve "cd;foo" logic.
  * debian/rules: Remove files in tar-copy pipelines, to conserve space. Fixes
    build failures in servers.
  * debian/rules: Move check steps into install steps. No need to be separate,
    and simplifies target names.
  * debian/rules: Make en-us locale files less magical, and simplify install.
  * debian/rules: Work around change to tar command param order with
  * debian/rules: Don't use tcmalloc on armhf.
  * debian/rules: Remove precise-specific conditions. More simple.
  * debian/rules: In install-validation, don't use mktemp. Hard-code
  * debian/patches/gsettings-display-scaling: Disable because code moved and
    needs refactoring.
  * debian/patches/display-scaling-default-value: Disable because probbly not
    needed any more.
  * debian/rules: widevine cdm is not really available in this source. No
    longer lie about that.
  * Set new GOOG keys to bisect service overuse problem.

Date: 2016-08-24 23:24:13.155866+00:00
Changed-By: Chad Miller <chad.miller at canonical.com>
Signed-By: Chris Coulson <chrisccoulson at ubuntu.com>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Trusty-changes mailing list