[ubuntu/xenial-security] chromium-browser 53.0.2785.143-0ubuntu0.16.04.1.1254 (Accepted)

Chris Coulson chrisccoulson at ubuntu.com
Fri Oct 7 10:38:44 UTC 2016 

chromium-browser (53.0.2785.143-0ubuntu0.16.04.1.1254) xenial-security; urgency=medium

  * Upstream release 53.0.2785.143:
    - CVE-2016-5177: Use after free in V8.
    - CVE-2016-5178: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 53.0.2785.113:
    - CVE-2016-5170: Use after free in Blink.
    - CVE-2016-5171: Use after free in Blink.
    - CVE-2016-5172: Arbitrary Memory Read in v8.
    - CVE-2016-5173: Extension resource access.
    - CVE-2016-5174: Popup not correctly suppressed.
    - CVE-2016-5175: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules: Use gold ld to link.
  * debian/rules: Kill delete-null-pointer-checks. In the javascript engine,
    we can not assume a memory access to address zero always results in a
    trap.
  * debian/patches/gsettings-display-scaling,
    debian/patches/display-scaling-default-value, reenable DPI scaling taken
    from dconf.
  * debian/rules: explicitly set target arch for arm64.
  * debian/control, debian/rules: re-add -dbg transitional packages.
  * Upstream release 53.0.2785.89:
    - CVE-2016-5147: Universal XSS in Blink.
    - CVE-2016-5148: Universal XSS in Blink.
    - CVE-2016-5149: Script injection in extensions.
    - CVE-2016-5150: Use after free in Blink.
    - CVE-2016-5151: Use after free in PDFium.
    - CVE-2016-5152: Heap overflow in PDFium.
    - CVE-2016-5153: Use after destruction in Blink.
    - CVE-2016-5154: Heap overflow in PDFium.
    - CVE-2016-5155: Address bar spoofing.
    - CVE-2016-5156: Use after free in event bindings.
    - CVE-2016-5157: Heap overflow in PDFium.
    - CVE-2016-5158: Heap overflow in PDFium.
    - CVE-2016-5159: Heap overflow in PDFium.
    - CVE-2016-5161: Type confusion in Blink.
    - CVE-2016-5162: Extensions web accessible resources bypass.
    - CVE-2016-5163: Address bar spoofing.
    - CVE-2016-5164: Universal XSS using DevTools.
    - CVE-2016-5165: Script injection in DevTools.
    - CVE-2016-5166: SMB Relay Attack via Save Page As.
    - CVE-2016-5160: Extensions web accessible resources bypass.
    - CVE-2016-5167: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/cups-include-deprecated-ppd, debian/rules: include cups
    functions.
  * debian/rules, debian/control: Force using gcc-5 compiler.
  * Use system libraries for expat, speex, zlib, opus, png, jpeg.
  * Also build for arm64 architecture.
  * Don't compile in cups support by default on all architectures.
  * debian/control: remvove build-dep on clang.
  * debian/patches/linux45-madvfree: If MADV_FREE is not defined, do not allow
    it in sandbox filter. Also, undefine it so we don't use MADV_FREE and
    thereby depend on it at runtime.
  * debian/rules: Use gold ld to link.
  * debian/rules: Kill delete-null-pointer-checks. In the javascript engine,
    we can not assume a memory access to address zero always results in a
    trap.
  * debian/patches/series, debian/rules: Re-enable widevine component.

Date: 2016-09-30 10:54:38.864608+00:00
Changed-By: Chad Miller <chad.miller at canonical.com>
Signed-By: Chris Coulson <chrisccoulson at ubuntu.com>
https://launchpad.net/ubuntu/+source/chromium-browser/53.0.2785.143-0ubuntu0.16.04.1.1254
-------------- next part --------------
Sorry, changesfile not available.

More information about the Xenial-changes mailing list