[Bug 1855594] Re: Sync chromium 78.0.3904.108-1 (universe) from Debian unstable (main)
Julian Andres Klode
julian.klode at canonical.com
Thu Mar 5 09:15:10 UTC 2020
I don't think a chromium-browser in universe - without security support
- is a sensible thing to provide. There's a reason chromium moved to a
snap: It takes too much effort to maintain across all stable releases.
I'm not confident that the community can keep up with supporting
chromium in universe across stable releases and provide the level of
security necessary for something as critical as a web browser.
The security impact if the community cannot keep up with Chromium is too
high to warrant the risk. And we don't want that to fallback to the
security team like now, because a point of migrating to a snap was to
reduce the burden there.
Hence I'll be setting the status to Won't Fix.
** Changed in: chromium (Ubuntu)
Status: Confirmed => Won't Fix
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1855594
Title:
Sync chromium 78.0.3904.108-1 (universe) from Debian unstable (main)
Status in chromium package in Ubuntu:
Won't Fix
Bug description:
Please sync chromium 78.0.3904.108-1 (universe) from Debian unstable
(main)
Now that the other chromium-browser source package in Ubuntu is just a transitional dummy package to the chromium snap, I guess we can now sync the Debian chromium package.
This gives the community a chance to maintain a deb chromium package in Ubuntu independent from the snap one.
All changelog entries:
chromium (78.0.3904.108-1) unstable; urgency=medium
* New upstream security release.
- CVE-2019-13723: Use-after-free in Bluetooth. Reported by Yuxiang Li
- CVE-2019-13724: Out-of-bounds in Bluetooth. Reported by Yuxiang Li
* Disable vaapi on armhf (closes: #944627).
-- Michael Gilbert <mgilbert at debian.org> Wed, 20 Nov 2019 23:46:06 +0000
chromium (78.0.3904.97-1) unstable; urgency=medium
* New upstream security release.
* Enable vaapi (closes: #940074).
* Fix crash during profile manager shutdown.
* Drop libglewmx-dev build dependency (closes: #941050).
-- Michael Gilbert <mgilbert at debian.org> Sat, 09 Nov 2019 03:33:52 +0000
chromium (78.0.3904.87-1) unstable; urgency=medium
* New upstream stable release.
- CVE-2019-5869: Use-after-free in Blink. Reported by Zhe Jin
- CVE-2019-5870: Use-after-free in media. Reported by Guang Gong
- CVE-2019-5871: Heap overflow in Skia. Reported by Anonymous
- CVE-2019-5872: Use-after-free in Mojo. Reported by Zhe Jin
- CVE-2019-5874: External URIs may trigger other browsers. Reported by James Lee
- CVE-2019-5875: URL bar spoof. Reported by Khalil Zhani
- CVE-2019-5876: Use-after-free in media. Reported by Man Yue Mo
- CVE-2019-5877: Out-of-bounds access in V8. Reported by Guang Gong
- CVE-2019-5878: Use-after-free in V8. Reported by Guang Gong
- CVE-2019-5879: Extensions can read some local files. Reported by Jinseo Kim
- CVE-2019-5880: SameSite cookie bypass. Reported by Jun Kokatsu
- CVE-2019-13659: URL spoof. Reported by Lnyas Zhang
- CVE-2019-13660: Full screen notification overlap. Reported by Wenxu Wu
- CVE-2019-13661: Full screen notification spoof. Reported by Wenxu Wu
- CVE-2019-13662: CSP bypass. Reported by David Erceg
- CVE-2019-13663: IDN spoof. Reported by Lnyas Zhang
- CVE-2019-13664: CSRF bypass. Reported by thomas "zemnmez" shadwell
- CVE-2019-13665: Multiple file download protection bypass. Reported by Jun Kokatsu
- CVE-2019-13666: Side channel using storage size estimate. Reported by Tom Van Goethem
- CVE-2019-13667: URI bar spoof when using external app URIs. Reported by Khalil Zhani
- CVE-2019-13668: Global window leak via console. Reported by David Erceg
- CVE-2019-13669: HTTP authentication spoof. Reported by Khalil Zhani
- CVE-2019-13670: V8 memory corruption in regex. Reported by Guang Gong
- CVE-2019-13671: Dialog box fails to show origin. Reported by xisigr
- CVE-2019-13673: Cross-origin information leak using devtools. Reported by David Erceg
- CVE-2019-13674: IDN spoofing. Reported by Khalil Zhani
- CVE-2019-13675: Extensions can be disabled by trailing slash. Reported by Jun Kokatsu
- CVE-2019-13676: Google URI shown for certificate warning. Reported by Wenxu Wu
- CVE-2019-13677: Chrome web store origin needs to be isolated. Reported by Jun Kokatsu
- CVE-2019-13678: Download dialog spoofing. Reported by Ronni Skansing
- CVE-2019-13679: User gesture needed for printing. Reported by Conrad Irwin
- CVE-2019-13680: IP address spoofing to servers. Reported by Thijs Alkemade
- CVE-2019-13681: Bypass on download restrictions. Reported by David Erceg
- CVE-2019-13682: Site isolation bypass. Reported by Jun Kokatsu
- CVE-2019-13683: Exceptions leaked by devtools. Reported by David Erceg
- CVE-2019-13685: Use-after-free in UI. Reported by Khalil Zhani
- CVE-2019-13686: Use-after-free in offline pages. Reported by Brendon Tiszka
- CVE-2019-13687: Use-after-free in media. Reported by Man Yue Mo
- CVE-2019-13688: Use-after-free in media. Reported by Man Yue Mo
- CVE-2019-13691: Omnibox spoof. Reported by David Erceg
- CVE-2019-13692: SOP bypass. Reported by Jun Kokatsu
- CVE-2019-13693: Use-after-free in IndexedDB. Reported by Guang Gong
- CVE-2019-13694: Use-after-free in WebRTC. Reported by banananapenguin
- CVE-2019-13695: Use-after-free in audio. Reported by Man Yue Mo
- CVE-2019-13696: Use-after-free in V8. Reported by Guang Gong
- CVE-2019-13697: Cross-origin size leak. Reported by Luan Herrera
- CVE-2019-13699: Use-after-free in media. Reported by Man Yue Mo
- CVE-2019-13700: Buffer overrun in Blink. Reported by Man Yue Mo
- CVE-2019-13701: URL spoof in navigation. Reported by David Erceg
- CVE-2019-13702: Privilege elevation in Installer. Reported by Phillip Langlois and Edward Torkington
- CVE-2019-13703: URL bar spoofing. Reported by Khalil Zhani
- CVE-2019-13704: CSP bypass. Reported by Jun Kokatsu
- CVE-2019-13705: Extension permission bypass. Reported by Luan Herrera
- CVE-2019-13706: Out-of-bounds read in PDFium. Reported by pdknsk
- CVE-2019-13707: File storage disclosure. Reported by Andrea Palazzo
- CVE-2019-13708: HTTP authentication spoof. Reported by Khalil Zhani
- CVE-2019-13709: File download protection bypass. Reported by Zhong Zhaochen
- CVE-2019-13710: File download protection bypass. Reported by bernardo.mrod
- CVE-2019-13711: Cross-context information leak. Reported by David Erceg
- CVE-2019-13713: Cross-origin data leak. Reported by David Erceg
- CVE-2019-13714: CSS injection. Reported by Jun Kokatsu
- CVE-2019-13715: Address bar spoofing. Reported by xisigr
- CVE-2019-13716: Service worker state error. Reported by Barron Hagerman
- CVE-2019-13717: Notification obscured. Reported by xisigr
- CVE-2019-13718: IDN spoof. Reported by Khalil Zhani
- CVE-2019-13719: Notification obscured. Reported by Khalil Zhani
- CVE-2019-13720: Use-after-free in audio. Reported by Anton Ivanov and Alexey Kulaev
- CVE-2019-13721: Use-after-free in PDFium. Reported by banananapenguin
* Drop support for building with gcc 6 and gtk 2.
-- Michael Gilbert <mgilbert at debian.org> Sat, 02 Nov 2019 22:30:42 +0000