[ubuntu/trusty-security] chromium-browser 58.0.3029.81-0ubuntu0.14.04.1172 (Accepted)
Chris Coulson
chrisccoulson at ubuntu.com
Wed Apr 26 11:46:34 UTC 2017
chromium-browser (58.0.3029.81-0ubuntu0.14.04.1172) trusty; urgency=medium
* Upstream release: 58.0.3029.81
- CVE-2017-5057: Type confusion in PDFium.
- CVE-2017-5058: Heap use after free in Print Preview.
- CVE-2017-5059: Type confusion in Blink.
- CVE-2017-5060: URL spoofing in Omnibox.
- CVE-2017-5061: URL spoofing in Omnibox.
- CVE-2017-5062: Use after free in Chrome Apps.
- CVE-2017-5063: Heap overflow in Skia.
- CVE-2017-5064: Use after free in Blink.
- CVE-2017-5065: Incorrect UI in Blink.
- CVE-2017-5066: Incorrect signature handing in Networking.
- CVE-2017-5067: URL spoofing in Omnibox.
- CVE-2017-5069: Cross-origin bypass in Blink.
* debian/patches/arm.patch: removed, no longer needed
* debian/patches/gtk-ui-stdmove: removed, no longer needed (upstreamed)
* debian/patches/screen_capturer: removed, no longer needed (upstreamed)
* debian/patches/default-allocator: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default: refreshed
* debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/snapshot-library-link: refreshed
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/fix-gn-bootstrap.patch: added
* debian/rules: disable the use of Vulcanize, the required node.js modules
are not readily available
chromium-browser (57.0.2987.98-0ubuntu1) UNRELEASED; urgency=medium
* debian/rules: Use gold linker, and not its threads args to avoid
bfd "missing DSO" bug.
* Upstream release: 57.0.2987.98.
- CVE-2017-5030: Memory corruption in V8.
- CVE-2017-5031: Use after free in ANGLE.
- CVE-2017-5032: Out of bounds write in PDFium.
- CVE-2017-5029: Integer overflow in libxslt.
- CVE-2017-5034: Use after free in PDFium.
- CVE-2017-5035: Incorrect security UI in Omnibox.
- CVE-2017-5036: Use after free in PDFium.
- CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer.
- CVE-2017-5039: Use after free in PDFium.
- CVE-2017-5040: Information disclosure in V8.
- CVE-2017-5041: Address spoofing in Omnibox.
- CVE-2017-5033: Bypass of Content Security Policy in Blink.
- CVE-2017-5042: Incorrect handling of cookies in Cast.
- CVE-2017-5038: Use after free in GuestView.
- CVE-2017-5043: Use after free in GuestView.
- CVE-2017-5044: Heap overflow in Skia.
- CVE-2017-5045: Information disclosure in XSS Auditor.
- CVE-2017-5046: Information disclosure in Blink.
* debian/patches/arm64-support no longer needed
* debian/patches/stdatomic: Support gcc48.
* debian/patches/snapshot-library-link: Add missing libsnapshot link
* debian/patches/gtk-ui-stdmove: fix && pointer return with std::move
* debian/control: Drop binary arch "any" and explicitly list four.
* debian/patches/arm64-vpx-alignment: Avoid ARM64 alignment bug on some
compilers.
* debian/rules: Fix armhf float ABI and remove unnecessary envvars.
(LP: #1673276)
* Upstream release: 56.0.2924.76
- CVE-2017-5007: Universal XSS in Blink.
- CVE-2017-5006: Universal XSS in Blink.
- CVE-2017-5008: Universal XSS in Blink.
- CVE-2017-5010: Universal XSS in Blink.
- CVE-2017-5011: Unauthorised file access in Devtools.
- CVE-2017-5009: Out of bounds memory access in WebRTC.
- CVE-2017-5012: Heap overflow in V8.
- CVE-2017-5013: Address spoofing in Omnibox.
- CVE-2017-5014: Heap overflow in Skia.
- CVE-2017-5015: Address spoofing in Omnibox.
- CVE-2017-5019: Use after free in Renderer.
- CVE-2017-5016: UI spoofing in Blink.
- CVE-2017-5017: Uninitialised memory access in webm video.
- CVE-2017-5018: Universal XSS in chrome://apps.
- CVE-2017-5020: Universal XSS in chrome://downloads.
- CVE-2017-5021: Use after free in Extensions.
- CVE-2017-5022: Bypass of Content Security Policy in Blink.
- CVE-2017-5023: Type confusion in metrics.
- CVE-2017-5024: Heap overflow in FFmpeg.
- CVE-2017-5025: Heap overflow in FFmpeg.
- CVE-2017-5026: UI spoofing.
* debian/patches/screen_capturer: allow compilation on gcc4
* debian/patches/arm64-support: reenable arm64
* debian/patches/memory-free-assertion-failure: discover memory management
assertion failures.
* debian/rules: Avoid field trial experiments to get stable code.
(closes: LP#1667125)
* debian/patches/enable-chromecast-by-default: (LP: #1621753)
* debian/rules: no longer use gconf. (LP: #1669100)
* debian/rules: Build extra codecs as part of main chromium program,
and libre/crippled/h.264less on its own. Seems to make h.264 work
again. Weird.
* debian/chromium-browser.links: Make link to ./ instead of / to fix
path problems that codec-using other apps might see.
* Upstream release of 55.0.2883.87:
- Change Flash running default to important content only.
* debian/chromium-browser.sh.in: Insert the Flash version if empty and
detectable.
* debian/rules, debian/control: Use gcc/g++ 4.8 to build.
* Upstream release of 55.0.2883.75:
- CVE-2016-9651: Private property access in V8.
- CVE-2016-5208: Universal XSS in Blink.
- CVE-2016-5207: Universal XSS in Blink.
- CVE-2016-5206: Same-origin bypass in PDFium.
- CVE-2016-5205: Universal XSS in Blink.
- CVE-2016-5204: Universal XSS in Blink.
- CVE-2016-5209: Out of bounds write in Blink.
- CVE-2016-5203: Use after free in PDFium.
- CVE-2016-5210: Out of bounds write in PDFium.
- CVE-2016-5212: Local file disclosure in DevTools.
- CVE-2016-5211: Use after free in PDFium.
- CVE-2016-5213: Use after free in V8.
- CVE-2016-5214: File download protection bypass.
- CVE-2016-5216: Use after free in PDFium.
- CVE-2016-5215: Use after free in Webaudio.
- CVE-2016-5217: Use of unvalidated data in PDFium.
- CVE-2016-5218: Address spoofing in Omnibox.
- CVE-2016-5219: Use after free in V8.
- CVE-2016-5221: Integer overflow in ANGLE.
- CVE-2016-5220: Local file access in PDFium.
- CVE-2016-5222: Address spoofing in Omnibox.
- CVE-2016-9650: CSP Referrer disclosure.
- CVE-2016-5223: Integer overflow in PDFium.
- CVE-2016-5226: Limited XSS in Blink.
- CVE-2016-5225: CSP bypass in Blink.
- CVE-2016-5224: Same-origin bypass in SVG
- CVE-2016-9652: Various fixes from internal audits, fuzzing and other
initiatives
* Upstream release of 54.0.2840.100:
- CVE-2016-5199: Heap corruption in FFmpeg.
- CVE-2016-5200: Out of bounds memory access in V8.
- CVE-2016-5201: Info leak in extensions.
- CVE-2016-5202: Various fixes from internal audits, fuzzing and other
initiatives
* Move to using GN to build chromium.
- debian/known_gn_gen_args
- debian/rules
patches
* debian/rules, lintians, installs, script: Move component libs out of
libs/, to /usr/lib/chromium-browser/ only.
* debian/patches/do-not-use-bundled-clang: Use clang from path.
* debian/control: Express that binary packages could be on "any"
architecture.
* debian/control: additionally build-dep on libgtk-3-dev
* debian/patches/arm64-support: Fail nicer if aarch64/arm64 mismatch.
* Upstrem release of 54.0.2840.59:
- CVE-2016-5181: Universal XSS in Blink.
- CVE-2016-5182: Heap overflow in Blink.
- CVE-2016-5183: Use after free in PDFium.
- CVE-2016-5184: Use after free in PDFium.
- CVE-2016-5185: Use after free in Blink.
- CVE-2016-5187: URL spoofing.
- CVE-2016-5188: UI spoofing.
- CVE-2016-5192: Cross-origin bypass in Blink.
- CVE-2016-5189: URL spoofing.
- CVE-2016-5186: Out of bounds read in DevTools.
- CVE-2016-5191: Universal XSS in Bookmarks.
- CVE-2016-5190: Use after free in Internals.
- CVE-2016-5193: Scheme bypass.
- CVE-2016-5194: Various fixes from internal audits, fuzzing and other
initiatives
* debian/patches/allow-component-build: Hard-code, override
release -> no component logic.
* debian/known_gyp_flags: Remove old GYP known-flags list.
* debian/default-allocator: Insist on not using tcmalloc allocator.
* debian/rules: Set LDFLAGS to limit memory usage.
* debian/control: Remove extraneous dependencies.
Date: 2017-04-24 10:12:23.491570+00:00
Changed-By: Olivier Tilloy <olivier.tilloy at canonical.com>
Signed-By: Chris Coulson <chrisccoulson at ubuntu.com>
https://launchpad.net/ubuntu/+source/chromium-browser/58.0.3029.81-0ubuntu0.14.04.1172
-------------- next part --------------
Sorry, changesfile not available.
More information about the Trusty-changes
mailing list