[USN-2652-1] Oxide vulnerabilities
chris.coulson at canonical.com
Tue Jun 30 11:30:44 UTC 2015
Ubuntu Security Notice USN-2652-1
June 30, 2015
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 15.04
- Ubuntu 14.10
- Ubuntu 14.04 LTS
Several security issues were fixed in Oxide.
- oxide-qt: Web browser engine library for Qt (QML plugin)
It was discovered that Chromium did not properly consider the scheme when
determining whether a URL is associated with a WebUI SiteInstance. If a
user were tricked in to opening a specially crafted website, an attacker
could potentially exploit this to bypass security restrictions.
It was discovered that Blink did not properly restrict the creation
context during creation of a DOM wrapper. If a user were tricked in to
opening a specially crafted website, an attacker could potentially exploit
this to bypass same-origin restrictions. (CVE-2015-1267, CVE-2015-1268)
It was discovered that Chromium did not properly canonicalize DNS hostnames
before comparing to HSTS or HPKP preload entries. An attacker could
potentially exploit this to bypass intended access restrictions.
The problem can be corrected by updating your system to the following
Ubuntu 14.04 LTS:
In general, a standard system update will make all the necessary changes.
CVE-2015-1266, CVE-2015-1267, CVE-2015-1268, CVE-2015-1269
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 473 bytes
Desc: OpenPGP digital signature
More information about the ubuntu-security-announce