-
chromium-browser (90.0.4430.72-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 90.0.4430.72
- CVE-2021-21201: Use after free in permissions.
- CVE-2021-21202: Use after free in extensions.
- CVE-2021-21203: Use after free in Blink.
- CVE-2021-21204: Use after free in Blink.
- CVE-2021-21205: Insufficient policy enforcement in navigation.
- CVE-2021-21221: Insufficient validation of untrusted input in Mojo.
- CVE-2021-21207: Use after free in IndexedDB.
- CVE-2021-21208: Insufficient data validation in QR scanner.
- CVE-2021-21209: Inappropriate implementation in storage.
- CVE-2021-21210: Inappropriate implementation in Network.
- CVE-2021-21211: Inappropriate implementation in Navigation.
- CVE-2021-21212: Incorrect security UI in Network Config UI.
- CVE-2021-21213: Use after free in WebMIDI.
- CVE-2021-21214: Use after free in Network API.
- CVE-2021-21215: Inappropriate implementation in Autofill.
- CVE-2021-21216: Inappropriate implementation in Autofill.
- CVE-2021-21217: Uninitialized Use in PDFium.
- CVE-2021-21218: Uninitialized Use in PDFium.
- CVE-2021-21219: Uninitialized Use in PDFium.
* debian/patches/blink-animation-old-clang-compatibility.patch: added
* debian/patches/configuration-directory.patch: refreshed
* debian/patches/define__libc_malloc.patch: refreshed
* debian/patches/disable-sse2: removed, no longer needed
* debian/patches/evdev-undefined-switch.patch: added
* debian/patches/fix-c++17ism.patch: refreshed
* debian/patches/gtk-symbols-conditional.patch: refreshed
* debian/patches/import-missing-fcntl-defines.patch: updated
* debian/patches/libaom-armhf-build-cpudetect.patch: added
* debian/patches/revert-getrandom.patch: refreshed
* debian/patches/revert-sequence-checker-capability-name.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: refreshed
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/use-clang-versioned.patch: refreshed
* debian/patches/wayland-scanner-add-missing-include.patch: refreshed
* debian/patches/widevine-enable-version-string.patch: refreshed
* debian/patches/widevine-other-locations: refreshed
-- Olivier Tilloy <email address hidden> Thu, 15 Apr 2021 12:08:22 +0200
-
chromium-browser (89.0.4389.90-0ubuntu0.16.04.2) xenial; urgency=medium
* debian/control: add an explicit runtime dependency on libx11-xcb1
(LP: #1919146)
-- Olivier Tilloy <email address hidden> Thu, 18 Mar 2021 15:10:59 +0100
-
chromium-browser (89.0.4389.82-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 89.0.4389.82
-- Olivier Tilloy <email address hidden> Sun, 07 Mar 2021 06:35:41 +0100
-
chromium-browser (87.0.4280.66-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 87.0.4280.66
- CVE-2020-16018: Use after free in payments.
- CVE-2020-16019: Inappropriate implementation in filesystem.
- CVE-2020-16020: Inappropriate implementation in cryptohome.
- CVE-2020-16021: Race in ImageBurner.
- CVE-2020-16022: Insufficient policy enforcement in networking.
- CVE-2020-16015: Insufficient data validation in WASM.
- CVE-2020-16014: Use after free in PPAPI.
- CVE-2020-16023: Use after free in WebCodecs.
- CVE-2020-16024: Heap buffer overflow in UI.
- CVE-2020-16025: Heap buffer overflow in clipboard.
- CVE-2020-16026: Use after free in WebRTC.
- CVE-2020-16027: Insufficient policy enforcement in developer tools.
- CVE-2020-16028: Heap buffer overflow in WebRTC.
- CVE-2020-16029: Inappropriate implementation in PDFium.
- CVE-2020-16030: Insufficient data validation in Blink.
- CVE-2019-8075: Insufficient data validation in Flash.
- CVE-2020-16031: Incorrect security UI in tab preview.
- CVE-2020-16032: Incorrect security UI in sharing.
- CVE-2020-16033: Incorrect security UI in WebUSB.
- CVE-2020-16034: Inappropriate implementation in WebRTC.
- CVE-2020-16035: Insufficient data validation in cros-disks.
- CVE-2020-16012: Side-channel information leakage in graphics.
- CVE-2020-16036: Inappropriate implementation in cookies.
* debian/rules: set chrome_pgo_phase build flag to 0 to disable PGO, because
the upstream profile data is not compatible with the version of clang used
to build chromium
* debian/patches/default-allocator: refreshed
* debian/patches/fix-different-language-linkage-error.patch: removed, no
longer needed
* debian/patches/fix-ptrace-header-include.patch: refreshed
* debian/patches/gtk-symbols-conditional.patch: updated
* debian/patches/revert-getrandom.patch: added
* debian/patches/revert-newer-xcb-requirement.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/stl-util-old-clang-compatibility.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: updated
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/use-clang-versioned.patch: refreshed
-- Olivier Tilloy <email address hidden> Tue, 17 Nov 2020 23:09:47 +0100
-
chromium-browser (86.0.4240.198-0ubuntu0.16.04.1) xenial; urgency=medium
* Stable channel update: 86.0.4240.198
- CVE-2020-16013: Inappropriate implementation in V8.
- CVE-2020-16017: Use after free in site isolation.
-- Olivier Tilloy <email address hidden> Thu, 12 Nov 2020 07:13:56 +0100
-
chromium-browser (86.0.4240.75-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 86.0.4240.75
- CVE-2020-15967: Use after free in payments.
- CVE-2020-15968: Use after free in Blink.
- CVE-2020-15969: Use after free in WebRTC.
- CVE-2020-15970: Use after free in NFC.
- CVE-2020-15971: Use after free in printing.
- CVE-2020-15972: Use after free in audio.
- CVE-2020-15990: Use after free in autofill.
- CVE-2020-15991: Use after free in password manager.
- CVE-2020-15973: Insufficient policy enforcement in extensions.
- CVE-2020-15974: Integer overflow in Blink.
- CVE-2020-15975: Integer overflow in SwiftShader.
- CVE-2020-15976: Use after free in WebXR.
- CVE-2020-6557: Inappropriate implementation in networking.
- CVE-2020-15977: Insufficient data validation in dialogs.
- CVE-2020-15978: Insufficient data validation in navigation.
- CVE-2020-15979: Inappropriate implementation in V8.
- CVE-2020-15980: Insufficient policy enforcement in Intents.
- CVE-2020-15981: Out of bounds read in audio.
- CVE-2020-15982: Side-channel information leakage in cache.
- CVE-2020-15983: Insufficient data validation in webUI.
- CVE-2020-15984: Insufficient policy enforcement in Omnibox.
- CVE-2020-15985: Inappropriate implementation in Blink.
- CVE-2020-15986: Integer overflow in media.
- CVE-2020-15987: Use after free in WebRTC.
- CVE-2020-15992: Insufficient policy enforcement in networking.
- CVE-2020-15988: Insufficient policy enforcement in downloads.
- CVE-2020-15989: Uninitialized Use in PDFium.
* debian/patches/configuration-directory.patch: refreshed
* debian/patches/default-allocator: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/fix-c++17ism.patch: added
* debian/patches/fix-different-language-linkage-error.patch: added
* debian/patches/gtk-symbols-conditional.patch: refreshed
* debian/patches/import-missing-fcntl-defines.patch: added
* debian/patches/node-use-system-wide.patch: refreshed
* debian/patches/revert-newer-xcb-requirement.patch: added
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/stl-util-old-clang-compatibility.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: updated
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/touch-v35: updated
* debian/patches/upstream-fix-crash-in-MediaSerializer-base-Location.patch:
removed, no longer needed
* debian/patches/widevine-enable-version-string.patch: refreshed
* debian/patches/widevine-other-locations: refreshed
-- Olivier Tilloy <email address hidden> Wed, 07 Oct 2020 22:00:46 +0200
-
chromium-browser (85.0.4183.121-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 85.0.4183.121
- CVE-2020-15960: Heap buffer overflow in storage.
- CVE-2020-15961: Insufficient policy enforcement in extensions.
- CVE-2020-15962: Insufficient policy enforcement in serial.
- CVE-2020-15963: Insufficient policy enforcement in extensions.
- CVE-2020-15965: Type Confusion in V8.
- CVE-2020-15966: Insufficient policy enforcement in extensions.
- CVE-2020-15964: Insufficient data validation in media.
-- Olivier Tilloy <email address hidden> Mon, 21 Sep 2020 22:05:10 +0200
-
chromium-browser (85.0.4183.83-0ubuntu0.16.04.2) xenial; urgency=medium
* debian/rules: install libEGL.so and libGLESv2.so, needed for
hardware-accelerated rendering
-- Olivier Tilloy <email address hidden> Mon, 31 Aug 2020 14:57:48 +0200
-
chromium-browser (84.0.4147.105-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 84.0.4147.105
- CVE-2020-6537: Type Confusion in V8.
- CVE-2020-6538: Inappropriate implementation in WebView.
- CVE-2020-6532: Use after free in SCTP.
- CVE-2020-6539: Use after free in CSS.
- CVE-2020-6540: Heap buffer overflow in Skia.
- CVE-2020-6541: Use after free in WebUSB.
-- Olivier Tilloy <email address hidden> Tue, 28 Jul 2020 11:21:33 +0200
-
chromium-browser (81.0.4044.138-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 81.0.4044.138
- CVE-2020-6831: Stack buffer overflow in SCTP.
- CVE-2020-6464: Type Confusion in Blink.
-- Olivier Tilloy <email address hidden> Wed, 06 May 2020 08:52:03 +0200
-
chromium-browser (81.0.4044.122-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 81.0.4044.122
- CVE-2020-6459: Use after free in payments.
- CVE-2020-6460: Insufficient data validation in URL formatting.
- CVE-2020-6458: Out of bounds read and write in PDFium.
-- Olivier Tilloy <email address hidden> Wed, 22 Apr 2020 19:21:20 +0200
-
chromium-browser (80.0.3987.163-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 80.0.3987.163
-- Olivier Tilloy <email address hidden> Sat, 04 Apr 2020 16:27:05 +0200
-
chromium-browser (80.0.3987.149-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 80.0.3987.149
- CVE-2019-20503: Out of bounds read in usersctplib.
- CVE-2020-6383: Type confusion in V8.
- CVE-2020-6384: Use after free in WebAudio.
- CVE-2020-6386: Use after free in speech.
- CVE-2020-6407: Out of bounds memory access in streams.
- CVE-2020-6418: Type confusion in V8.
- CVE-2020-6420: Insufficient policy enforcement in media.
- CVE-2020-6422: Use after free in WebGL.
- CVE-2020-6424: Use after free in media.
- CVE-2020-6425: Insufficient policy enforcement in extensions.
- CVE-2020-6426: Inappropriate implementation in V8.
- CVE-2020-6427: Use after free in audio.
- CVE-2020-6428: Use after free in audio.
- CVE-2020-6429: Use after free in audio.
- CVE-2020-6449: Use after free in audio.
-- Olivier Tilloy <email address hidden> Wed, 18 Mar 2020 21:52:22 +0100
-
chromium-browser (80.0.3987.87-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 80.0.3987.87
- CVE-2020-6381: Integer overflow in JavaScript.
- CVE-2020-6382: Type Confusion in JavaScript.
- CVE-2019-18197: Multiple vulnerabilities in XML.
- CVE-2019-19926: Inappropriate implementation in SQLite.
- CVE-2020-6385: Insufficient policy enforcement in storage.
- CVE-2019-19880, CVE-2019-19925: Multiple vulnerabilities in SQLite.
- CVE-2020-6387: Out of bounds write in WebRTC.
- CVE-2020-6388: Out of bounds memory access in WebAudio.
- CVE-2020-6389: Out of bounds write in WebRTC.
- CVE-2020-6390: Out of bounds memory access in streams.
- CVE-2020-6391: Insufficient validation of untrusted input in Blink.
- CVE-2020-6392: Insufficient policy enforcement in extensions.
- CVE-2020-6393: Insufficient policy enforcement in Blink.
- CVE-2020-6394: Insufficient policy enforcement in Blink.
- CVE-2020-6395: Out of bounds read in JavaScript.
- CVE-2020-6396: Inappropriate implementation in Skia.
- CVE-2020-6397: Incorrect security UI in sharing.
- CVE-2020-6398: Uninitialized use in PDFium.
- CVE-2020-6399: Insufficient policy enforcement in AppCache.
- CVE-2020-6400: Inappropriate implementation in CORS.
- CVE-2020-6401: Insufficient validation of untrusted input in Omnibox.
- CVE-2020-6402: Insufficient policy enforcement in downloads.
- CVE-2020-6403: Incorrect security UI in Omnibox.
- CVE-2020-6404: Inappropriate implementation in Blink.
- CVE-2020-6405: Out of bounds read in SQLite.
- CVE-2020-6406: Use after free in audio.
- CVE-2019-19923: Out of bounds memory access in SQLite.
- CVE-2020-6408: Insufficient policy enforcement in CORS.
- CVE-2020-6409: Inappropriate implementation in Omnibox.
- CVE-2020-6410: Insufficient policy enforcement in navigation.
- CVE-2020-6411: Insufficient validation of untrusted input in Omnibox.
- CVE-2020-6412: Insufficient validation of untrusted input in Omnibox.
- CVE-2020-6413: Inappropriate implementation in Blink.
- CVE-2020-6414: Insufficient policy enforcement in Safe Browsing.
- CVE-2020-6415: Inappropriate implementation in JavaScript.
- CVE-2020-6416: Insufficient data validation in streams.
- CVE-2020-6417: Inappropriate implementation in installer.
* debian/control: add nodejs-mozilla as a build dependency
* debian/patches/disable-sse2: refreshed
* debian/patches/fix-extra-arflags.patch: refreshed
* debian/patches/node-use-system-wide.patch: added
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: refreshed
* debian/patches/widevine-enable-version-string.patch: refreshed
* debian/tests/html5test: update test expectations for the removal
of the Web Components V0 APIs
(see https://www.chromestatus.com/feature/5144752345317376)
-- Olivier Tilloy <email address hidden> Wed, 05 Feb 2020 10:50:42 +0100
-
chromium-browser (79.0.3945.130-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 79.0.3945.130
- CVE-2020-6378: Use-after-free in speech recognizer.
- CVE-2020-6379: Use-after-free in speech recognizer.
- CVE-2020-6380: Extension message verification error.
* debian/control: remove libgnome-keyring-dev build dependency (LP: #1828192)
* debian/rules: build with use_gnome_keyring=false
* debian/known_gn_gen_args-*: change use_gnome_keyring build flag to false
-- Olivier Tilloy <email address hidden> Mon, 27 Jan 2020 17:44:47 +0100
-
chromium-browser (79.0.3945.79-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 79.0.3945.79
- CVE-2019-13725: Use after free in Bluetooth.
- CVE-2019-13726: Heap buffer overflow in password manager.
- CVE-2019-13727: Insufficient policy enforcement in WebSockets.
- CVE-2019-13728: Out of bounds write in V8.
- CVE-2019-13729: Use after free in WebSockets.
- CVE-2019-13730: Type Confusion in V8.
- CVE-2019-13732: Use after free in WebAudio.
- CVE-2019-13734: Out of bounds write in SQLite.
- CVE-2019-13735: Out of bounds write in V8.
- CVE-2019-13764: Type Confusion in V8.
- CVE-2019-13736: Integer overflow in PDFium.
- CVE-2019-13737: Insufficient policy enforcement in autocomplete.
- CVE-2019-13738: Insufficient policy enforcement in navigation.
- CVE-2019-13739: Incorrect security UI in Omnibox.
- CVE-2019-13740: Incorrect security UI in sharing.
- CVE-2019-13741: Insufficient validation of untrusted input in Blink.
- CVE-2019-13742: Incorrect security UI in Omnibox.
- CVE-2019-13743: Incorrect security UI in external protocol handling.
- CVE-2019-13744: Insufficient policy enforcement in cookies.
- CVE-2019-13745: Insufficient policy enforcement in audio.
- CVE-2019-13746: Insufficient policy enforcement in Omnibox.
- CVE-2019-13747: Uninitialized Use in rendering.
- CVE-2019-13748: Insufficient policy enforcement in developer tools.
- CVE-2019-13749: Incorrect security UI in Omnibox.
- CVE-2019-13750: Insufficient data validation in SQLite.
- CVE-2019-13751: Uninitialized Use in SQLite.
- CVE-2019-13752: Out of bounds read in SQLite.
- CVE-2019-13753: Out of bounds read in SQLite.
- CVE-2019-13754: Insufficient policy enforcement in extensions.
- CVE-2019-13755: Insufficient policy enforcement in extensions.
- CVE-2019-13756: Incorrect security UI in printing.
- CVE-2019-13757: Incorrect security UI in Omnibox.
- CVE-2019-13758: Insufficient policy enforcement in navigation.
- CVE-2019-13759: Incorrect security UI in interstitials.
- CVE-2019-13761: Incorrect security UI in Omnibox.
- CVE-2019-13762: Insufficient policy enforcement in downloads.
- CVE-2019-13763: Insufficient policy enforcement in payments.
* debian/patches/chromium_useragent.patch: refreshed
* debian/patches/configuration-directory.patch: refreshed
* debian/patches/default-allocator: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/fix-extra-arflags.patch: refreshed
* debian/patches/gn-experimental-string_view.patch: added
* debian/patches/relax-ninja-version-requirement.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: refreshed
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/touch-v35: refreshed
* debian/patches/widevine-enable-version-string.patch: updated
* debian/patches/widevine-other-locations: updated
-- Olivier Tilloy <email address hidden> Wed, 11 Dec 2019 07:37:22 +0100
-
chromium-browser (78.0.3904.108-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 78.0.3904.108 (LP: #1853149)
- CVE-2019-13723: Use-after-free in Bluetooth.
- CVE-2019-13724: Out-of-bounds access in Bluetooth.
* debian/patches/suppress-newer-clang-warning-flags.patch: refreshed
-- Olivier Tilloy <email address hidden> Tue, 19 Nov 2019 16:05:09 +0100
-
chromium-browser (78.0.3904.97-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 78.0.3904.97
-- Olivier Tilloy <email address hidden> Thu, 07 Nov 2019 06:21:49 +0100
-
chromium-browser (78.0.3904.70-0ubuntu0.16.04.2) xenial; urgency=medium
* debian/patches/widevine-other-locations: updated
-- Olivier Tilloy <email address hidden> Thu, 31 Oct 2019 11:46:51 +0100
-
chromium-browser (77.0.3865.90-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 77.0.3865.90
- CVE-2019-13685: Use-after-free in UI.
- CVE-2019-13688: Use-after-free in media.
- CVE-2019-13687: Use-after-free in media.
- CVE-2019-13686: Use-after-free in offline pages.
-- Olivier Tilloy <email address hidden> Fri, 20 Sep 2019 11:33:49 +0200
-
chromium-browser (76.0.3809.100-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 76.0.3809.100
- CVE-2019-5868: Use-after-free in PDFium ExecuteFieldAction.
- CVE-2019-5867: Out-of-bounds read in V8.
-- Olivier Tilloy <email address hidden> Sat, 10 Aug 2019 15:49:36 +0200
-
chromium-browser (76.0.3809.87-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 76.0.3809.87
- CVE-2019-5850: Use-after-free in offline page fetcher.
- CVE-2019-5860: Use-after-free in PDFium.
- CVE-2019-5853: Memory corruption in regexp length check.
- CVE-2019-5851: Use-after-poison in offline audio context.
- CVE-2019-5859: res: URIs can load alternative browsers.
- CVE-2019-5856: Insufficient checks on filesystem: URI permissions.
- CVE-2019-5863: Use-after-free in WebUSB on Windows.
- CVE-2019-5855: Integer overflow in PDFium.
- CVE-2019-5865: Site isolation bypass from compromised renderer.
- CVE-2019-5858: Insufficient filtering of Open URL service parameters.
- CVE-2019-5864: Insufficient port filtering in CORS for extensions.
- CVE-2019-5862: AppCache not robust to compromised renderers.
- CVE-2019-5861: Click location incorrectly checked.
- CVE-2019-5857: Comparison of -0 and null yields crash.
- CVE-2019-5854: Integer overflow in PDFium text rendering.
- CVE-2019-5852: Object leak of utility functions.
* debian/patches/chromium_useragent.patch: refreshed
* debian/patches/closure-compiler-java-no-client-vm.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/fix-extra-arflags.patch: refreshed
* debian/patches/fix-ffmpeg-ia32-build.patch: removed, no longer needed
* debian/patches/pffft-no-neon.patch: removed, no longer needed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/skia-undef-HWCAP_CRC32.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: updated
* debian/patches/upstream-fix-blink-build-iterators.patch: added
-- Olivier Tilloy <email address hidden> Tue, 30 Jul 2019 21:04:42 +0200
-
chromium-browser (74.0.3729.169-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 74.0.3729.169
* debian/patches/revert-gn-4960.patch: added
* debian/patches/revert-gn-4980.patch: added
* debian/tests/data/HTML5test/index.html: mock whichbrowser.net to remove
external test dependency
-- Olivier Tilloy <email address hidden> Wed, 22 May 2019 12:35:00 +0200
-
chromium-browser (73.0.3683.86-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 73.0.3683.86
-- Olivier Tilloy <email address hidden> Thu, 21 Mar 2019 09:32:01 +0100
-
chromium-browser (73.0.3683.75-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 73.0.3683.75
- CVE-2019-5787: Use after free in Canvas.
- CVE-2019-5788: Use after free in FileAPI.
- CVE-2019-5789: Use after free in WebMIDI.
- CVE-2019-5790: Heap buffer overflow in V8.
- CVE-2019-5791: Type confusion in V8.
- CVE-2019-5792: Integer overflow in PDFium.
- CVE-2019-5793: Excessive permissions for private API in Extensions.
- CVE-2019-5794: Security UI spoofing.
- CVE-2019-5795: Integer overflow in PDFium.
- CVE-2019-5796: Race condition in Extensions.
- CVE-2019-5797: Race condition in DOMStorage.
- CVE-2019-5798: Out of bounds read in Skia.
- CVE-2019-5799: CSP bypass with blob URL.
- CVE-2019-5800: CSP bypass with blob URL.
- CVE-2019-5801: Incorrect Omnibox display on iOS.
- CVE-2019-5802: Security UI spoofing.
- CVE-2019-5803: CSP bypass with Javascript URLs'.
- CVE-2019-5804: Command line command injection on Windows.
* debian/patches/additional-search-engines.patch: removed, no longer needed
* debian/patches/closure-compiler-java-no-client-vm.patch: refreshed
* debian/patches/configuration-directory.patch: refreshed
* debian/patches/constexpr-errors-with-old-clang.patch: added
* debian/patches/disable-sse2: refreshed
* debian/patches/fix-extra-arflags.patch: refreshed
* debian/patches/fix-ffmpeg-ia32-build.patch: refreshed
* debian/patches/fix-ptrace-header-include.patch: added
* debian/patches/gn-no-last-commit-position.patch: refreshed
* debian/patches/no-new-ninja-flag.patch: refreshed
* debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: refreshed
* debian/patches/search-credit.patch: updated
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: updated
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/use-clang-versioned.patch: refreshed
* debian/patches/widevine-enable-version-string.patch: refreshed
-- Olivier Tilloy <email address hidden> Tue, 12 Mar 2019 22:11:59 +0100
-
chromium-browser (72.0.3626.121-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 72.0.3626.121
- CVE-2019-5786: Use-after-free in FileReader
* debian/patches/gn-fix-link-pthread.patch: removed, no longer needed
-- Olivier Tilloy <email address hidden> Tue, 05 Mar 2019 16:34:54 +0100
-
chromium-browser (72.0.3626.119-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 72.0.3626.119
* debian/patches/gn-fix-link-pthread.patch: added
-- Olivier Tilloy <email address hidden> Mon, 25 Feb 2019 17:05:46 +0100
-
chromium-browser (71.0.3578.98-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 71.0.3578.98
- CVE-2018-17481: Use after free in PDFium.
-- Olivier Tilloy <email address hidden> Thu, 13 Dec 2018 12:56:41 +0100
-
chromium-browser (71.0.3578.80-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 71.0.3578.80
- CVE-2018-17480: Out of bounds write in V8.
- CVE-2018-17481: Use after frees in PDFium.
- CVE-2018-18335: Heap buffer overflow in Skia.
- CVE-2018-18336: Use after free in PDFium.
- CVE-2018-18337: Use after free in Blink.
- CVE-2018-18338: Heap buffer overflow in Canvas.
- CVE-2018-18339: Use after free in WebAudio.
- CVE-2018-18340: Use after free in MediaRecorder.
- CVE-2018-18341: Heap buffer overflow in Blink.
- CVE-2018-18342: Out of bounds write in V8.
- CVE-2018-18343: Use after free in Skia.
- CVE-2018-18344: Inappropriate implementation in Extensions.
- CVE-2018-18345: Inappropriate implementation in Site Isolation.
- CVE-2018-18346: Incorrect security UI in Blink.
- CVE-2018-18347: Inappropriate implementation in Navigation.
- CVE-2018-18348: Inappropriate implementation in Omnibox.
- CVE-2018-18349: Insufficient policy enforcement in Blink.
- CVE-2018-18350: Insufficient policy enforcement in Blink.
- CVE-2018-18351: Insufficient policy enforcement in Navigation.
- CVE-2018-18352: Inappropriate implementation in Media.
- CVE-2018-18353: Inappropriate implementation in Network Authentication.
- CVE-2018-18354: Insufficient data validation in Shell Integration.
- CVE-2018-18355: Insufficient policy enforcement in URL Formatter.
- CVE-2018-18356: Use after free in Skia.
- CVE-2018-18357: Insufficient policy enforcement in URL Formatter.
- CVE-2018-18358: Insufficient policy enforcement in Proxy.
- CVE-2018-18359: Out of bounds read in V8.
* debian/patches/chromium_useragent.patch: refreshed
* debian/patches/configuration-directory.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/fix-extra-arflags.patch: refreshed
* debian/patches/gn-bootstrap-remove-sysroot-options.patch: refreshed
* debian/patches/gn-no-last-commit-position.patch: refreshed
* debian/patches/no-new-ninja-flag.patch: refreshed
* debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: refreshed
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/touch-v35: refreshed
* debian/patches/use-clang-versioned.patch: refreshed
* debian/patches/widevine-allow-enable.patch: removed, no longer needed
* debian/patches/widevine-other-locations: refreshed
* debian/patches/widevine-revision.patch: renamed to
debian/patches/widevine-enable-version-string.patch and updated
* debian/tests/html5test: update test expectations
-- Olivier Tilloy <email address hidden> Tue, 04 Dec 2018 23:08:03 +0100
-
chromium-browser (70.0.3538.110-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 70.0.3538.110
- CVE-2018-17479: Use-after-free in GPU.
* debian/patches/relax-ninja-version-requirement.patch: refreshed
-- Olivier Tilloy <email address hidden> Tue, 20 Nov 2018 12:13:30 +0100
-
chromium-browser (70.0.3538.77-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 70.0.3538.77
-- Olivier Tilloy <email address hidden> Thu, 25 Oct 2018 07:33:53 +0200
-
chromium-browser (70.0.3538.67-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 70.0.3538.67
- CVE-2018-17462: Sandbox escape in AppCache.
- CVE-2018-17463: Remote code execution in V8.
- CVE to be assigned: Heap buffer overflow in Little CMS in PDFium.
- CVE-2018-17464: URL spoof in Omnibox.
- CVE-2018-17465: Use after free in V8.
- CVE-2018-17466: Memory corruption in Angle.
- CVE-2018-17467: URL spoof in Omnibox.
- CVE-2018-17468: Cross-origin URL disclosure in Blink.
- CVE-2018-17469: Heap buffer overflow in PDFium.
- CVE-2018-17470: Memory corruption in GPU Internals.
- CVE-2018-17471: Security UI occlusion in full screen mode.
- CVE-2018-17472: iframe sandbox escape on iOS.
- CVE-2018-17473: URL spoof in Omnibox.
- CVE-2018-17474: Use after free in Blink.
- CVE-2018-17475: URL spoof in Omnibox.
- CVE-2018-17476: Security UI occlusion in full screen mode.
- CVE-2018-5179: Lack of limits on update() in ServiceWorker.
- CVE-2018-17477: UI spoof in Extensions.
* debian/rules:
- remove enable_google_now build flag
- remove use_gtk3 build flag
* debian/patches/arm-neon.patch: refreshed
* debian/patches/chromium_useragent.patch: refreshed
* debian/patches/configuration-directory.patch: refreshed
* debian/patches/define__libc_malloc.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/fix-extra-arflags.patch: refreshed
* debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: refreshed
* debian/patches/use-clang-versioned.patch: refreshed
* debian/patches/widevine-other-locations: refreshed
* debian/known_gn_gen_args-*:
- remove enable_google_now build flag
- remove use_gtk3 build flag
-- Olivier Tilloy <email address hidden> Tue, 16 Oct 2018 22:54:27 +0200
-
chromium-browser (69.0.3497.81-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 69.0.3497.81
- CVE-2018-16065: Out of bounds write in V8.
- CVE-2018-16066: Out of bounds read in Blink.
- CVE-2018-16067: Out of bounds read in WebAudio.
- CVE-2018-16068: Out of bounds write in Mojo.
- CVE-2018-16069: Out of bounds read in SwiftShader.
- CVE-2018-16070: Integer overflow in Skia.
- CVE-2018-16071: Use after free in WebRTC.
- CVE-2018-16072: Cross origin pixel leak in Chrome's interaction with
Android's MediaPlayer.
- CVE-2018-16073: Site Isolation bypass after tab restore.
- CVE-2018-16074: Site Isolation bypass using Blob URLS.
- CVE-2018-16075: Local file access in Blink.
- CVE-2018-16076: Out of bounds read in PDFium.
- CVE-2018-16077: Content security policy bypass in Blink.
- CVE-2018-16078: Credit card information leak in Autofill.
- CVE-2018-16079: URL spoof in permission dialogs.
- CVE-2018-16080: URL spoof in full screen mode.
- CVE-2018-16081: Local file access in DevTools.
- CVE-2018-16082: Stack buffer overflow in SwiftShader.
- CVE-2018-16083: Out of bounds read in WebRTC.
- CVE-2018-16084: User confirmation bypass in external protocol handling.
- CVE-2018-16085: Use after free in Memory Instrumentation.
* debian/control: add uuid-dev as a build dependency (needed by fontconfig)
* debian/rules: specify AR=llvm-ar-6.0 to build gn
* debian/patches/additional-search-engines.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/fix-extra-arflags.patch: refreshed
* debian/patches/gn-add-missing-arm-impl-files.patch: added
* debian/patches/last-commit-position: replaced by
debian/patches/gn-no-last-commit-position.patch
* debian/patches/no-new-ninja-flag.patch: updated
* debian/patches/relax-ninja-version-requirement.patch: updated
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/skia-undef-HWCAP_CRC32.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: updated
* debian/patches/title-bar-default-system.patch-v35: refreshed
-- Olivier Tilloy <email address hidden> Wed, 05 Sep 2018 13:47:36 +0200
-
chromium-browser (68.0.3440.106-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 68.0.3440.106
-- Olivier Tilloy <email address hidden> Thu, 09 Aug 2018 00:10:42 +0200
-
chromium-browser (68.0.3440.75-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 68.0.3440.75
- CVE-2018-6153: Stack buffer overflow in Skia.
- CVE-2018-6154: Heap buffer overflow in WebGL.
- CVE-2018-6155: Use after free in WebRTC.
- CVE-2018-6156: Heap buffer overflow in WebRTC.
- CVE-2018-6157: Type confusion in WebRTC.
- CVE-2018-6158: Use after free in Blink.
- CVE-2018-6159: Same origin policy bypass in ServiceWorker.
- CVE-2018-6160: URL spoof in Chrome on iOS.
- CVE-2018-6161: Same origin policy bypass in WebAudio.
- CVE-2018-6162: Heap buffer overflow in WebGL.
- CVE-2018-6163: URL spoof in Omnibox.
- CVE-2018-6164: Same origin policy bypass in ServiceWorker.
- CVE-2018-6165: URL spoof in Omnibox.
- CVE-2018-6166: URL spoof in Omnibox.
- CVE-2018-6167: URL spoof in Omnibox.
- CVE-2018-6168: CORS bypass in Blink.
- CVE-2018-6169: Permissions bypass in extension installation.
- CVE-2018-6170: Type confusion in PDFium.
- CVE-2018-6171: Use after free in WebBluetooth.
- CVE-2018-6172: URL spoof in Omnibox.
- CVE-2018-6173: URL spoof in Omnibox.
- CVE-2018-6174: Integer overflow in SwiftShader.
- CVE-2018-6175: URL spoof in Omnibox.
- CVE-2018-6176: Local user privilege escalation in Extensions.
- CVE-2018-6177: Cross origin information leak in Blink.
- CVE-2018-6178: UI spoof in Extensions.
- CVE-2018-6179: Local file information leak in Extensions.
- CVE-2018-6044: Request privilege escalation in Extensions.
- CVE-2018-4117: Cross origin information leak in Blink.
* debian/rules:
- remove enable_webrtc build flag
- make ninja less verbose to reduce build log size
* debian/chromium-browser.sh.in: parse flashplugin manifest with Python 3
(LP: #1772448)
* debian/patches/add-missing-base-namespace.patch: added
* debian/patches/chromium_useragent.patch: refreshed
* debian/patches/configuration-directory.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default.patch: refreshed
* debian/patches/fix-crashpad-linux-compat.patch: removed, no longer needed
* debian/patches/fix-extra-arflags.patch: updated
* debian/patches/fix-ffmpeg-ia32-build.patch: updated
* debian/patches/last-commit-position: refreshed
* debian/patches/no-new-ninja-flag.patch: refreshed
* debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: updated
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: updated
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/touch-v35: refreshed
* debian/patches/use-clang-versioned.patch: refreshed
* debian/known_gn_gen_args-*: remove enable_webrtc build flag
-- Olivier Tilloy <email address hidden> Wed, 25 Jul 2018 10:51:24 +0200
-
chromium-browser (67.0.3396.99-0ubuntu0.16.04.2) xenial; urgency=medium
* debian/patches/libcxxabi-arm-ehabi-fix.patch: removed, no longer needed
-- Olivier Tilloy <email address hidden> Wed, 11 Jul 2018 10:22:52 +0200
-
chromium-browser (66.0.3359.181-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 66.0.3359.181
-- Olivier Tilloy <email address hidden> Tue, 15 May 2018 22:36:44 +0200
-
chromium-browser (66.0.3359.139-0ubuntu0.16.04.3) xenial; urgency=medium
* debian/control: build-depend on clang-5.0 and llvm-5.0, which are now in
xenial-updates
* debian/rules: build gn with clang 5.0
* debian/patches/restore-clang-no-integrated-as.patch: removed, no longer
needed
* debian/patches/skia-undef-HWCAP_CRC32.patch: added
* debian/patches/use-clang-versioned.patch: updated
-- Olivier Tilloy <email address hidden> Fri, 04 May 2018 16:28:21 +0200
-
chromium-browser (65.0.3325.181-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 65.0.3325.181
-- Olivier Tilloy <email address hidden> Wed, 21 Mar 2018 13:51:29 +0100
-
chromium-browser (64.0.3282.167-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 64.0.3282.167
- CVE-2018-6056: Incorrect derived class instantiation in V8.
-- Olivier Tilloy <email address hidden> Wed, 14 Feb 2018 11:54:37 +0100
-
chromium-browser (64.0.3282.140-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 64.0.3282.140
-- Olivier Tilloy <email address hidden> Fri, 02 Feb 2018 15:30:32 +0100
-
chromium-browser (64.0.3282.119-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 64.0.3282.119
- CVE-2018-6031: Use after free in PDFium.
- CVE-2018-6032: Same origin bypass in Shared Worker.
- CVE-2018-6033: Race when opening downloaded files.
- CVE-2018-6034: Integer overflow in Blink.
- CVE-2018-6035: Insufficient isolation of devtools from extensions.
- CVE-2018-6036: Integer underflow in WebAssembly.
- CVE-2018-6037: Insufficient user gesture requirements in autofill.
- CVE-2018-6038: Heap buffer overflow in WebGL.
- CVE-2018-6039: XSS in DevTools.
- CVE-2018-6040: Content security policy bypass.
- CVE-2018-6041: URL spoof in Navigation.
- CVE-2018-6042: URL spoof in OmniBox.
- CVE-2018-6043: Insufficient escaping with external URL handlers.
- CVE-2018-6045: Insufficient isolation of devtools from extensions.
- CVE-2018-6046: Insufficient isolation of devtools from extensions.
- CVE-2018-6047: Cross origin URL leak in WebGL.
- CVE-2018-6048: Referrer policy bypass in Blink.
- CVE-2017-15420: URL spoofing in Omnibox.
- CVE-2018-6049: UI spoof in Permissions.
- CVE-2018-6050: URL spoof in OmniBox.
- CVE-2018-6051: Referrer leak in XSS Auditor.
- CVE-2018-6052: Incomplete no-referrer policy implementation.
- CVE-2018-6053: Leak of page thumbnails in New Tab Page.
- CVE-2018-6054: Use after free in WebUI.
* debian/control: update reference URL for chromedriver
* debian/rules:
- remove enable_hotwording build flag
- exclude build artifacts from the binary package (LP: #1742653)
* debian/patches/add-missing-cstddef-include.patch: added
* debian/patches/configuration-directory.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default.patch: refreshed
* debian/patches/fix-ffmpeg-ia32-build.patch: added
* debian/patches/last-commit-position: refreshed
* debian/patches/no-new-ninja-flag.patch: refreshed
* debian/patches/relax-ninja-version-requirement.patch: refreshed
* debian/patches/restore-clang-no-integrated-as.patch: added
* debian/patches/revert-clang-nostdlib++.patch: updated
* debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: updated
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/touch-v35: refreshed
* debian/patches/widevine-other-locations: updated (LP: #1738149)
* debian/known_gn_gen_args-*: remove enable_hotwording build flag
-- Olivier Tilloy <email address hidden> Wed, 24 Jan 2018 23:32:17 +0100
-
chromium-browser (63.0.3239.132-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 63.0.3239.132
* debian/rules: do not install files used for building only (LP: #1742653)
-- Olivier Tilloy <email address hidden> Sun, 14 Jan 2018 21:29:46 +0100
-
chromium-browser (63.0.3239.84-0ubuntu0.16.04.1) xenial; urgency=medium
* Upstream release: 63.0.3239.84
- CVE-2017-15407: Out of bounds write in QUIC.
- CVE-2017-15408: Heap buffer overflow in PDFium.
- CVE-2017-15409: Out of bounds write in Skia.
- CVE-2017-15410: Use after free in PDFium.
- CVE-2017-15411: Use after free in PDFium.
- CVE-2017-15412: Use after free in libXML.
- CVE-2017-15413: Type confusion in WebAssembly.
- CVE-2017-15415: Pointer information disclosure in IPC call.
- CVE-2017-15416: Out of bounds read in Blink.
- CVE-2017-15417: Cross origin information disclosure in Skia.
- CVE-2017-15418: Use of uninitialized value in Skia.
- CVE-2017-15419: Cross origin leak of redirect URL in Blink.
- CVE-2017-15420: URL spoofing in Omnibox.
- CVE-2017-15422: Integer overflow in ICU.
- CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
- CVE-2017-15424: URL Spoof in Omnibox.
- CVE-2017-15425: URL Spoof in Omnibox.
- CVE-2017-15426: URL Spoof in Omnibox.
- CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox.
* debian/rules:
- replace allow_posix_link_time_opt=false by use_lld=false, is_cfi=false
and use_thin_lto=false
- rename use_vulcanize GN flag to optimize_webui
- generate the man page as it's not being built with chromium any
longer (since commit 64b961499bebc54fe48478f5e37477252c7887fa)
- build gn with clang
* debian/patches/arm-neon.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/fix-gn-bootstrap.patch: removed, no longer needed
* debian/patches/fix_building_widevinecdm_with_chromium.patch: replaced by
debian/patches/widevine-revision.patch
* debian/patches/no-new-ninja-flag.patch: refreshed
* debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: added
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: updated
* debian/patches/suppress-newer-clang-warning-flags.patch: updated
* debian/patches/touch-v35: refreshed
* debian/patches/use-clang-versioned.patch: refreshed
* debian/patches/widevine-other-locations: updated (LP: #1652110)
* debian/patches/widevine-revision.patch: added (LP: #1652110)
-- Olivier Tilloy <email address hidden> Thu, 07 Dec 2017 13:43:39 +0100
-
chromium-browser (62.0.3202.94-0ubuntu0.16.04.1317) xenial; urgency=medium
* Upstream release: 62.0.3202.94
-- Olivier Tilloy <email address hidden> Mon, 13 Nov 2017 23:17:10 +0100
-
chromium-browser (62.0.3202.89-0ubuntu0.16.04.1315) xenial; urgency=medium
* Upstream release: 62.0.3202.89
- CVE-2017-15398: Stack buffer overflow in QUIC.
- CVE-2017-15399: Use after free in V8.
-- Olivier Tilloy <email address hidden> Mon, 06 Nov 2017 22:59:12 +0100
-
chromium-browser (62.0.3202.75-0ubuntu0.16.04.1313) xenial; urgency=medium
* Upstream release: 62.0.3202.75
- CVE-2017-15396: Stack overflow in V8.
* debian/control: bump Standards-Version to 4.1.1
* debian/patches/set-rpath-on-chromium-executables.patch: updated
* debian/tests/*:
- removed stale autopkgtests
- added new autopkgtests based on chromium's new headless mode
* debian/source/include-binaries: updated to reflect new binary data in tests
-- Olivier Tilloy <email address hidden> Fri, 27 Oct 2017 19:48:18 +0200
-
chromium-browser (62.0.3202.62-0ubuntu0.16.04.1308) xenial; urgency=medium
* Upstream release: 62.0.3202.62
- CVE-2017-5124: UXSS with MHTML.
- CVE-2017-5125: Heap overflow in Skia.
- CVE-2017-5126: Use after free in PDFium.
- CVE-2017-5127: Use after free in PDFium.
- CVE-2017-5128: Heap overflow in WebGL.
- CVE-2017-5129: Use after free in WebAudio.
- CVE-2017-5132: Incorrect stack manipulation in WebAssembly.
- CVE-2017-5130: Heap overflow in libxml2.
- CVE-2017-5131: Out of bounds write in Skia.
- CVE-2017-5133: Out of bounds write in Skia.
- CVE-2017-15386: UI spoofing in Blink.
- CVE-2017-15387: Content security bypass.
- CVE-2017-15388: Out of bounds read in Skia.
- CVE-2017-15389: URL spoofing in OmniBox.
- CVE-2017-15390: URL spoofing in OmniBox.
- CVE-2017-15391: Extension limitation bypass in Extensions.
- CVE-2017-15392: Incorrect registry key handling in PlatformIntegration.
- CVE-2017-15393: Referrer leak in Devtools.
- CVE-2017-15394: URL spoofing in extensions UI.
- CVE-2017-15395: Null pointer dereference in ImageCapture.
* debian/control: bump Standards-Version to 4.1.0
* debian/patches/additional-search-engines.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default.patch: refreshed
* debian/patches/fix-compilation-for-atk.patch: removed, no longer needed
* debian/patches/fix-gn-bootstrap.patch: updated
* debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
* debian/patches/make-base-numerics-build-with-gcc.patch: removed, no longer
needed
* debian/patches/no-new-ninja-flag.patch: added
* debian/patches/revert-clang-nostdlib++.patch: added
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: added
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/use-clang-versioned.patch: refreshed
* debian/patches/widevine-other-locations: refreshed
-- Olivier Tilloy <email address hidden> Wed, 18 Oct 2017 22:47:27 +0200
-
chromium-browser (61.0.3163.100-0ubuntu0.16.04.1306) xenial; urgency=medium
* debian/patches/set-rpath-on-chromium-executables.patch: added
(LP: #1718885)
* debian/chromium-browser.sh.in: remove LD_LIBRARY_PATH manipulation,
made unnecessary by patch above
-- Olivier Tilloy <email address hidden> Tue, 26 Sep 2017 09:53:03 -0400
-
chromium-browser (61.0.3163.79-0ubuntu0.16.04.1300) xenial; urgency=medium
* Upstream release: 61.0.3163.79
- CVE-2017-5111: Use after free in PDFium.
- CVE-2017-5112: Heap buffer overflow in WebGL.
- CVE-2017-5113: Heap buffer overflow in Skia.
- CVE-2017-5114: Memory lifecycle issue in PDFium.
- CVE-2017-5115: Type confusion in V8.
- CVE-2017-5116: Type confusion in V8.
- CVE-2017-5117: Use of uninitialized value in Skia.
- CVE-2017-5118: Bypass of Content Security Policy in Blink.
- CVE-2017-5119: Use of uninitialized value in Skia.
- CVE-2017-5120: Potential HTTPS downgrade during redirect navigation.
* debian/control:
- bump Standards-Version to 4.0.0
- add build dependency on llvm-4.0
* debian/rules: build with is_component_build=false, is_official_build=true,
allow_posix_link_time_opt=false and fatal_linker_warnings=false
* debian/patches/additional-search-engines.patch: refreshed
* debian/patches/define__libc_malloc.patch: added
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default.patch: refreshed
* debian/patches/fix-compilation-for-atk.patch: added
* debian/patches/fix-gn-bootstrap.patch: updated
* debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
* debian/patches/make-base-numerics-build-with-gcc.patch: added
* debian/patches/relax-ninja-version-requirement.patch: added
* debian/patches/revert-llvm-ar.patch: removed, no longer needed
* debian/patches/search-credit.patch: refreshed
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/use-clang-versioned.patch: updated
-- Olivier Tilloy <email address hidden> Mon, 11 Sep 2017 22:53:22 +0200
-
chromium-browser (60.0.3112.113-0ubuntu0.16.04.1298) xenial; urgency=medium
* Upstream release: 60.0.3112.113
-- Olivier Tilloy <email address hidden> Fri, 25 Aug 2017 08:12:34 +0200
-
chromium-browser (60.0.3112.78-0ubuntu0.16.04.1293) xenial; urgency=medium
* Upstream release: 60.0.3112.78
- CVE-2017-5091: Use after free in IndexedDB.
- CVE-2017-5092: Use after free in PPAPI.
- CVE-2017-5093: UI spoofing in Blink.
- CVE-2017-5094: Type confusion in extensions.
- CVE-2017-5095: Out-of-bounds write in PDFium.
- CVE-2017-5096: User information leak via Android intents.
- CVE-2017-5097: Out-of-bounds read in Skia.
- CVE-2017-5098: Use after free in V8.
- CVE-2017-5099: Out-of-bounds write in PPAPI.
- CVE-2017-5100: Use after free in Chrome Apps.
- CVE-2017-5101: URL spoofing in OmniBox.
- CVE-2017-5102: Uninitialized use in Skia.
- CVE-2017-5103: Uninitialized use in Skia.
- CVE-2017-5104: UI spoofing in browser.
- CVE-2017-5105: URL spoofing in OmniBox.
- CVE-2017-5106: URL spoofing in OmniBox.
- CVE-2017-5107: User information leak via SVG.
- CVE-2017-5108: Type confusion in PDFium.
- CVE-2017-5109: UI spoofing in browser.
- CVE-2017-5110: UI spoofing in payments dialog.
- CVE-2017-7000: Pointer disclosure in SQLite.
* debian/control, debian/rules: build with clang 4.0
* debian/patches/additional-search-engines.patch: refreshed
* debian/patches/allow-component-build: removed, unused
* debian/patches/arm64-vpx-alignment: removed, no longer needed
* debian/patches/defang-ct-timebomb: removed, unused
* debian/patches/default-allocator: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
* debian/patches/fix-gn-bootstrap.patch: added
* debian/patches/last-commit-position: refreshed
* debian/patches/linux-dma-buf.patch: removed, no longer needed
* debian/patches/memory-free-assertion-failure: removed, no longer needed
* debian/patches/no-fPIC.patch: removed, no longer needed
* debian/patches/protobuf-fullness: removed, unused
* debian/patches/revert-llvm-ar.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/snapshot-library-link: removed, no longer needed
* debian/patches/stdatomic: removed, no longer needed
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/use-clang-versioned.patch: added
* debian/patches/use-gcc-versioned: removed, no longer needed
* debian/known_gyp_flags: removed, unused
* debian/known_gn_gen_args-[i386,amd64,armhf]: added
-- Olivier Tilloy <email address hidden> Mon, 31 Jul 2017 17:25:16 +0200
-
chromium-browser (59.0.3071.109-0ubuntu0.16.04.1291) xenial; urgency=medium
* debian/patches/fix-argument-evaluation-order.patch: added (LP: #1702407)
-- Olivier Tilloy <email address hidden> Fri, 07 Jul 2017 10:53:25 +0200
-
chromium-browser (59.0.3071.109-0ubuntu0.16.04.1289) xenial; urgency=medium
* Upstream release: 59.0.3071.109
-- Olivier Tilloy <email address hidden> Wed, 21 Jun 2017 06:47:10 +0200
-
chromium-browser (58.0.3029.110-0ubuntu0.16.04.1281) xenial; urgency=medium
* Upstream release: 58.0.3029.110
* debian/control: bump Standards-Version to 3.9.8
-- Olivier Tilloy <email address hidden> Wed, 10 May 2017 07:23:02 +0200
-
chromium-browser (58.0.3029.96-0ubuntu0.16.04.1279) xenial; urgency=medium
* Upstream release: 58.0.3029.96
- CVE-2017-5068: Race condition in WebRTC.
-- Olivier Tilloy <email address hidden> Wed, 03 May 2017 06:49:16 +0200
-
chromium-browser (58.0.3029.81-0ubuntu0.16.04.1277) xenial; urgency=medium
* Upstream release: 58.0.3029.81
- CVE-2017-5057: Type confusion in PDFium.
- CVE-2017-5058: Heap use after free in Print Preview.
- CVE-2017-5059: Type confusion in Blink.
- CVE-2017-5060: URL spoofing in Omnibox.
- CVE-2017-5061: URL spoofing in Omnibox.
- CVE-2017-5062: Use after free in Chrome Apps.
- CVE-2017-5063: Heap overflow in Skia.
- CVE-2017-5064: Use after free in Blink.
- CVE-2017-5065: Incorrect UI in Blink.
- CVE-2017-5066: Incorrect signature handing in Networking.
- CVE-2017-5067: URL spoofing in Omnibox.
- CVE-2017-5069: Cross-origin bypass in Blink.
* debian/patches/arm.patch: removed, no longer needed
* debian/patches/gtk-ui-stdmove: removed, no longer needed (upstreamed)
* debian/patches/screen_capturer: removed, no longer needed (upstreamed)
* debian/patches/default-allocator: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default: refreshed
* debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/snapshot-library-link: refreshed
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/fix-gn-bootstrap.patch: added
* debian/rules: disable the use of Vulcanize, the required node.js modules
are not readily available
-- Olivier Tilloy <email address hidden> Mon, 24 Apr 2017 11:40:21 +0200
-
chromium-browser (57.0.2987.98-0ubuntu0.16.04.1276) xenial-security; urgency=medium
* Upstream release: 57.0.2987.98.
- CVE-2017-5030: Memory corruption in V8.
- CVE-2017-5031: Use after free in ANGLE.
- CVE-2017-5032: Out of bounds write in PDFium.
- CVE-2017-5029: Integer overflow in libxslt.
- CVE-2017-5034: Use after free in PDFium.
- CVE-2017-5035: Incorrect security UI in Omnibox.
- CVE-2017-5036: Use after free in PDFium.
- CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer.
- CVE-2017-5039: Use after free in PDFium.
- CVE-2017-5040: Information disclosure in V8.
- CVE-2017-5041: Address spoofing in Omnibox.
- CVE-2017-5033: Bypass of Content Security Policy in Blink.
- CVE-2017-5042: Incorrect handling of cookies in Cast.
- CVE-2017-5038: Use after free in GuestView.
- CVE-2017-5043: Use after free in GuestView.
- CVE-2017-5044: Heap overflow in Skia.
- CVE-2017-5045: Information disclosure in XSS Auditor.
- CVE-2017-5046: Information disclosure in Blink.
* debian/patches/arm64-support no longer needed
* debian/patches/stdatomic: Support gcc48.
* debian/patches/snapshot-library-link: Add missing libsnapshot link
* debian/patches/gtk-ui-stdmove: fix && pointer return with std::move
* debian/control: Drop binary arch "any" and explicitly list four.
* debian/patches/arm64-vpx-alignment: Avoid ARM64 alignment bug on some
compilers.
* debian/rules: Fix armhf float ABI and remove unnecessary envvars.
(LP: #1673276)
-- Chad MILLER <email address hidden> Wed, 15 Mar 2017 21:12:35 -0400
-
chromium-browser (56.0.2924.76-0ubuntu0.16.04.1268) xenial-security; urgency=medium
* Upstream release: 56.0.2924.76
- CVE-2017-5007: Universal XSS in Blink.
- CVE-2017-5006: Universal XSS in Blink.
- CVE-2017-5008: Universal XSS in Blink.
- CVE-2017-5010: Universal XSS in Blink.
- CVE-2017-5011: Unauthorised file access in Devtools.
- CVE-2017-5009: Out of bounds memory access in WebRTC.
- CVE-2017-5012: Heap overflow in V8.
- CVE-2017-5013: Address spoofing in Omnibox.
- CVE-2017-5014: Heap overflow in Skia.
- CVE-2017-5015: Address spoofing in Omnibox.
- CVE-2017-5019: Use after free in Renderer.
- CVE-2017-5016: UI spoofing in Blink.
- CVE-2017-5017: Uninitialised memory access in webm video.
- CVE-2017-5018: Universal XSS in chrome://apps.
- CVE-2017-5020: Universal XSS in chrome://downloads.
- CVE-2017-5021: Use after free in Extensions.
- CVE-2017-5022: Bypass of Content Security Policy in Blink.
- CVE-2017-5023: Type confusion in metrics.
- CVE-2017-5024: Heap overflow in FFmpeg.
- CVE-2017-5025: Heap overflow in FFmpeg.
- CVE-2017-5026: UI spoofing.
* debian/patches/screen_capturer: allow compilation on gcc4
* debian/patches/arm64-support: reenable arm64
* debian/patches/memory-free-assertion-failure: discover memory management
assertion failures.
* debian/rules: Avoid field trial experiments to get stable code.
(closes: LP#1667125)
* debian/patches/enable-chromecast-by-default: (closes: LP#1621753)
-- Chad MILLER <email address hidden> Wed, 22 Feb 2017 17:20:28 -0500
-
chromium-browser (55.0.2883.87-0ubuntu0.16.04.1263) xenial-security; urgency=medium
* debian/rules: Build extra codecs as part of main chromium program,
and libre/crippled/h.264less on its own. Seems to make h.264 work
again. Weird.
* debian/chromium-browser.links: Make link to ./ instead of / to fix
path problems that codec-using other apps might see.
* Upstream release of 55.0.2883.87:
- Change Flash running default to important content only.
* debian/chromium-browser.sh.in: Insert the Flash version if empty and
detectable.
* debian/rules, debian/control: Use gcc/g++ 4.8 to build.
* Upstream release of 55.0.2883.75:
- CVE-2016-9651: Private property access in V8.
- CVE-2016-5208: Universal XSS in Blink.
- CVE-2016-5207: Universal XSS in Blink.
- CVE-2016-5206: Same-origin bypass in PDFium.
- CVE-2016-5205: Universal XSS in Blink.
- CVE-2016-5204: Universal XSS in Blink.
- CVE-2016-5209: Out of bounds write in Blink.
- CVE-2016-5203: Use after free in PDFium.
- CVE-2016-5210: Out of bounds write in PDFium.
- CVE-2016-5212: Local file disclosure in DevTools.
- CVE-2016-5211: Use after free in PDFium.
- CVE-2016-5213: Use after free in V8.
- CVE-2016-5214: File download protection bypass.
- CVE-2016-5216: Use after free in PDFium.
- CVE-2016-5215: Use after free in Webaudio.
- CVE-2016-5217: Use of unvalidated data in PDFium.
- CVE-2016-5218: Address spoofing in Omnibox.
- CVE-2016-5219: Use after free in V8.
- CVE-2016-5221: Integer overflow in ANGLE.
- CVE-2016-5220: Local file access in PDFium.
- CVE-2016-5222: Address spoofing in Omnibox.
- CVE-2016-9650: CSP Referrer disclosure.
- CVE-2016-5223: Integer overflow in PDFium.
- CVE-2016-5226: Limited XSS in Blink.
- CVE-2016-5225: CSP bypass in Blink.
- CVE-2016-5224: Same-origin bypass in SVG
- CVE-2016-9652: Various fixes from internal audits, fuzzing and other
initiatives
* Upstream release of 54.0.2840.100:
- CVE-2016-5199: Heap corruption in FFmpeg.
- CVE-2016-5200: Out of bounds memory access in V8.
- CVE-2016-5201: Info leak in extensions.
- CVE-2016-5202: Various fixes from internal audits, fuzzing and other
initiatives
* Move to using GN to build chromium.
- debian/known_gn_gen_args
- debian/rules
patches
* debian/rules, lintians, installs, script: Move component libs out of
libs/, to /usr/lib/chromium-browser/ only.
* debian/patches/do-not-use-bundled-clang: Use clang from path.
* debian/control: Express that binary packages could be on "any"
architecture.
* debian/control: additionally build-dep on libgtk-3-dev
* debian/patches/arm64-support: Fail nicer if aarch64/arm64 mismatch.
* Upstrem release of 54.0.2840.59:
- CVE-2016-5181: Universal XSS in Blink.
- CVE-2016-5182: Heap overflow in Blink.
- CVE-2016-5183: Use after free in PDFium.
- CVE-2016-5184: Use after free in PDFium.
- CVE-2016-5185: Use after free in Blink.
- CVE-2016-5187: URL spoofing.
- CVE-2016-5188: UI spoofing.
- CVE-2016-5192: Cross-origin bypass in Blink.
- CVE-2016-5189: URL spoofing.
- CVE-2016-5186: Out of bounds read in DevTools.
- CVE-2016-5191: Universal XSS in Bookmarks.
- CVE-2016-5190: Use after free in Internals.
- CVE-2016-5193: Scheme bypass.
- CVE-2016-5194: Various fixes from internal audits, fuzzing and other
initiatives
* debian/patches/allow-component-build: Hard-code, override
release -> no component logic.
* debian/known_gyp_flags: Remove old GYP known-flags list.
* debian/default-allocator: Insist on not using tcmalloc allocator.
* debian/rules: Set LDFLAGS to limit memory usage.
* debian/control: Remove extraneous dependencies.
-- Chad MILLER <email address hidden> Sat, 17 Dec 2016 12:05:53 -0500
-
chromium-browser (53.0.2785.143-0ubuntu0.16.04.1.1257) xenial-security; urgency=medium
* debian/patches/defang-ct-timebomb: backport TLS cert invalidity based
on build-time. (LP: #1641380)
-- Chad MILLER <email address hidden> Mon, 14 Nov 2016 10:06:44 -0500
-
chromium-browser (53.0.2785.143-0ubuntu0.16.04.1.1254) xenial-security; urgency=medium
* Upstream release 53.0.2785.143:
- CVE-2016-5177: Use after free in V8.
- CVE-2016-5178: Various fixes from internal audits, fuzzing and other
initiatives.
* Upstream release 53.0.2785.113:
- CVE-2016-5170: Use after free in Blink.
- CVE-2016-5171: Use after free in Blink.
- CVE-2016-5172: Arbitrary Memory Read in v8.
- CVE-2016-5173: Extension resource access.
- CVE-2016-5174: Popup not correctly suppressed.
- CVE-2016-5175: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/rules: Use gold ld to link.
* debian/rules: Kill delete-null-pointer-checks. In the javascript engine,
we can not assume a memory access to address zero always results in a
trap.
* debian/patches/gsettings-display-scaling,
debian/patches/display-scaling-default-value, reenable DPI scaling taken
from dconf.
* debian/rules: explicitly set target arch for arm64.
* debian/control, debian/rules: re-add -dbg transitional packages.
* Upstream release 53.0.2785.89:
- CVE-2016-5147: Universal XSS in Blink.
- CVE-2016-5148: Universal XSS in Blink.
- CVE-2016-5149: Script injection in extensions.
- CVE-2016-5150: Use after free in Blink.
- CVE-2016-5151: Use after free in PDFium.
- CVE-2016-5152: Heap overflow in PDFium.
- CVE-2016-5153: Use after destruction in Blink.
- CVE-2016-5154: Heap overflow in PDFium.
- CVE-2016-5155: Address bar spoofing.
- CVE-2016-5156: Use after free in event bindings.
- CVE-2016-5157: Heap overflow in PDFium.
- CVE-2016-5158: Heap overflow in PDFium.
- CVE-2016-5159: Heap overflow in PDFium.
- CVE-2016-5161: Type confusion in Blink.
- CVE-2016-5162: Extensions web accessible resources bypass.
- CVE-2016-5163: Address bar spoofing.
- CVE-2016-5164: Universal XSS using DevTools.
- CVE-2016-5165: Script injection in DevTools.
- CVE-2016-5166: SMB Relay Attack via Save Page As.
- CVE-2016-5160: Extensions web accessible resources bypass.
- CVE-2016-5167: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/patches/cups-include-deprecated-ppd, debian/rules: include cups
functions.
* debian/rules, debian/control: Force using gcc-5 compiler.
* Use system libraries for expat, speex, zlib, opus, png, jpeg.
* Also build for arm64 architecture.
* Don't compile in cups support by default on all architectures.
* debian/control: remvove build-dep on clang.
* debian/patches/linux45-madvfree: If MADV_FREE is not defined, do not allow
it in sandbox filter. Also, undefine it so we don't use MADV_FREE and
thereby depend on it at runtime.
* debian/rules: Use gold ld to link.
* debian/rules: Kill delete-null-pointer-checks. In the javascript engine,
we can not assume a memory access to address zero always results in a
trap.
* debian/patches/series, debian/rules: Re-enable widevine component.
-- Chad MILLER <email address hidden> Fri, 16 Sep 2016 12:56:44 -0400
-
chromium-browser (52.0.2743.116-0ubuntu0.16.04.1.1250) xenial-security; urgency=medium
* Upstream release 52.0.2743.116:
- CVE-2016-5141 Address bar spoofing.
- CVE-2016-5142 Use-after-free in Blink.
- CVE-2016-5139 Heap overflow in pdfium.
- CVE-2016-5140 Heap overflow in pdfium.
- CVE-2016-5145 Same origin bypass for images in Blink.
- CVE-2016-5143 Parameter sanitization failure in DevTools.
- CVE-2016-5144 Parameter sanitization failure in DevTools.
- CVE-2016-5146: Various fixes from internal audits, fuzzing and other
initiatives.
* Exclude harfbuzz from system-library use.
* Upstream release 52.0.2743.82:
- CVE-2016-1706: Sandbox escape in PPAPI.
- CVE-2016-1707: URL spoofing on iOS.
- CVE-2016-1708: Use-after-free in Extensions.
- CVE-2016-1709: Heap-buffer-overflow in sfntly.
- CVE-2016-1710: Same-origin bypass in Blink.
- CVE-2016-1711: Same-origin bypass in Blink.
- CVE-2016-5127: Use-after-free in Blink.
- CVE-2016-5128: Same-origin bypass in V8.
- CVE-2016-5129: Memory corruption in V8.
- CVE-2016-5130: URL spoofing.
- CVE-2016-5131: Use-after-free in libxml.
- CVE-2016-5132: Limited same-origin bypass in Service Workers.
- CVE-2016-5133: Origin confusion in proxy authentication.
- CVE-2016-5134: URL leakage via PAC script.
- CVE-2016-5135: Content-Security-Policy bypass.
- CVE-2016-5136: Use after free in extensions.
- CVE-2016-5137: History sniffing with HSTS and CSP.
- CVE-2016-1705: Various fixes from internal audits, fuzzing and other
initiatives
* Upstream release 51.0.2704.106
* Upstream release 51.0.2704.103:
- CVE-2016-1704: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/control: remvove build-dep on clang.
* Sync many things from debian:
- No longer build remoting, or install its locale files.
- Use many system libraries, adding build-dep on
- libre2-dev,
- yasm,
- libopus-dev,
- zlib1g-dev,
- libspeex-dev,
- libspeechd-dev,
- libexpat1-dev,
- libpng-dev,
- libxml2-dev,
- libjpeg-dev,
- libwebp-dev,
- libxslt-dev,
- libsrtp-dev,
- libjsoncpp-dev,
- libevent-dev,
- Clean up many parts of debian/rules, wrt variable names
- Set hardening on.
- Use gold linker.
- Disable Google Now. Creepy. Might mean downloads of opaque programs too.
- Disable Wallet service.
* debian/compat: Use dh version 9.
* debian/rules: Improve "cd;foo" logic.
* debian/rules: Remove files in tar-copy pipelines, to conserve space. Fixes
build failures in servers.
* debian/rules: Move check steps into install steps. No need to be separate,
and simplifies target names.
* debian/rules: Make en-us locale files less magical, and simplify install.
* debian/rules: Work around change to tar command param order with
--exclude.
* debian/rules: Don't use tcmalloc on armhf.
* debian/rules: Remove precise-specific conditions. More simple.
* debian/rules: In install-validation, don't use mktemp. Hard-code
destination.
* debian/patches/gsettings-display-scaling: Disable because code moved and
needs refactoring.
* debian/patches/display-scaling-default-value: Disable because probbly not
needed any more.
* debian/rules: widevine cdm is not really available in this source. No
longer lie about that.
* Set new GOOG keys to bisect service overuse problem.
-- Chad MILLER <email address hidden> Wed, 24 Aug 2016 13:30:26 -0400
-
chromium-browser (51.0.2704.79-0ubuntu0.16.04.1.1242) xenial-security; urgency=medium
* Upstream release 51.0.2704.79:
- CVE-2016-1696: Cross-origin bypass in Extension bindings.
- CVE-2016-1697: Cross-origin bypass in Blink.
- CVE-2016-1698: Information leak in Extension bindings.
- CVE-2016-1699: Parameter sanitization failure in DevTools.
- CVE-2016-1700: Use-after-free in Extensions.
- CVE-2016-1701: Use-after-free in Autofill.
- CVE-2016-1702: Out-of-bounds read in Skia.
- CVE-2016-1703: Various fixes from internal audits, fuzzing and other
initiatives.
* Upstream release 51.0.2704.63:
- CVE-2016-1672: Cross-origin bypass in extension bindings.
- CVE-2016-1673: Cross-origin bypass in Blink.
- CVE-2016-1674: Cross-origin bypass in extensions.
- CVE-2016-1675: Cross-origin bypass in Blink.
- CVE-2016-1676: Cross-origin bypass in extension bindings.
- CVE-2016-1677: Type confusion in V8.
- CVE-2016-1678: Heap overflow in V8.
- CVE-2016-1679: Heap use-after-free in V8 bindings.
- CVE-2016-1680: Heap use-after-free in Skia.
- CVE-2016-1681: Heap overflow in PDFium.
- CVE-2016-1682: CSP bypass for ServiceWorker.
- CVE-2016-1683: Out-of-bounds access in libxslt.
- CVE-2016-1684: Integer overflow in libxslt.
- CVE-2016-1685: Out-of-bounds read in PDFium.
- CVE-2016-1686: Out-of-bounds read in PDFium.
- CVE-2016-1687: Information leak in extensions.
- CVE-2016-1688: Out-of-bounds read in V8.
- CVE-2016-1689: Heap buffer overflow in media.
- CVE-2016-1690: Heap use-after-free in Autofill.
- CVE-2016-1691: Heap buffer-overflow in Skia.
- CVE-2016-1692: Limited cross-origin bypass in ServiceWorker.
- CVE-2016-1693: HTTP Download of Software Removal Tool.
- CVE-2016-1694: HPKP pins removed on cache clearance.
- CVE-2016-1695: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/patches/blink-platform-export-class: remove patch. Unnecessary.
-- Chad MILLER <email address hidden> Thu, 26 May 2016 10:54:29 -0400
-
chromium-browser (50.0.2661.102-0ubuntu0.16.04.1.1237) xenial-security; urgency=medium
* Upstream release 50.0.2661.102:
- CVE-2016-1667: Same origin bypass in DOM.
- CVE-2016-1668: Same origin bypass in Blink V8 bindings.
- CVE-2016-1669: Buffer overflow in V8.
- CVE-2016-1670: Race condition in loader.
- CVE-2016-1671: Directory traversal using the file scheme on Android.
* Upstream release 50.0.2661.94:
- CVE-2016-1660: Out-of-bounds write in Blink.
- CVE-2016-1661: Memory corruption in cross-process frames.
- CVE-2016-1662: Use-after-free in extensions.
- CVE-2016-1663: Use-after-free in Blink’s V8 bindings.
- CVE-2016-1664: Address bar spoofing.
- CVE-2016-1665: Information leak in V8.
- CVE-2016-1666: Various fixes from internal audits, fuzzing and other
initiatives.
* Upstream release 50.0.2661.75:
- CVE-2016-1652: Universal XSS in extension bindings.
- CVE-2016-1653: Out-of-bounds write in V8.
- CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding.
- CVE-2016-1654: Uninitialized memory read in media.
- CVE-2016-1655: Use-after-free related to extensions.
- CVE-2016-1656: Android downloaded file path restriction bypass.
- CVE-2016-1657: Address bar spoofing.
- CVE-2016-1658: Potential leak of sensitive information to malicious
extensions.
- CVE-2015-1659: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/patches/seccomp-allow-set-robust-list: pass through syscall
set_robust_list. glibc nptl thread creation uses it.
* debian/rules: use new libsecret way of contacting keyring.
* debian/patches/blink-platform-export-class: avoid Trusty bug where
WebKit Platform class vtable not found at link time.
* debian/apport/chromium-browser.py: Handle case when crash and no
chromium directory exists. Still report errors in apport.
-- Chad MILLER <email address hidden> Fri, 13 May 2016 10:52:23 -0400
-
chromium-browser (49.0.2623.108-0ubuntu1.1233) xenial; urgency=medium
* Upstream release 49.0.2623.108:
- CVE-2016-1646: Out-of-bounds read in V8.
- CVE-2016-1647: Use-after-free in Navigation.
- CVE-2016-1648: Use-after-free in Extensions.
- CVE-2016-1649: Buffer overflow in libANGLE.
- CVE-2016-1650: Various fixes from internal audits, fuzzing and other
initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch
(currently 4.9.385.33).
-- Chad MILLER <email address hidden> Thu, 24 Mar 2016 16:52:52 -0400
-
chromium-browser (49.0.2623.87-0ubuntu1.1232) xenial; urgency=medium
* debian/patches/system-xdg-settings: Insist on using system xdg utilities.
* Upstream release 49.0.2623.87:
- CVE-2016-1643: Type confusion in Blink.
- CVE-2016-1644: Use-after-free in Blink.
- CVE-2016-1645: Out-of-bounds write in PDFium.
* Upstream release 49.0.2623.75:
- CVE-2016-1630: Same-origin bypass in Blink.
- CVE-2016-1631: Same-origin bypass in Pepper Plugin.
- CVE-2016-1632: Bad cast in Extensions.
- CVE-2016-1633: Use-after-free in Blink.
- CVE-2016-1634: Use-after-free in Blink.
- CVE-2016-1635: Use-after-free in Blink.
- CVE-2016-1636: SRI Validation Bypass.
- CVE-2015-8126: Out-of-bounds access in libpng.
- CVE-2016-1637: Information Leak in Skia.
- CVE-2016-1638: WebAPI Bypass.
- CVE-2016-1639: Use-after-free in WebRTC.
- CVE-2016-1640: Origin confusion in Extensions UI.
- CVE-2016-1641: Use-after-free in Favicon.
- CVE-2016-1642: Various fixes from internal audits, fuzzing and other
initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch
(currently 4.9.385.26).
* debian/rules: No longer fabricate snap package as side effect.
* debian/control: build-dep on libffi-dev, mesa-common-dev.
* debian/patches/format-flag: Remove patch.
-- Chad MILLER <email address hidden> Tue, 15 Mar 2016 09:42:48 -0400
-
chromium-browser (48.0.2564.116-0ubuntu1.1229) xenial; urgency=medium
* Upstream release 48.0.2564.109:
- CVE-2016-1622: Same-origin bypass in Extensions.
- CVE-2016-1623: Same-origin bypass in DOM.
- CVE-2016-1624: Buffer overflow in Brotli.
- CVE-2016-1625: Navigation bypass in Chrome Instant.
- CVE-2016-1626: Out-of-bounds read in PDFium.
- CVE-2016-1627: Various fixes from internal audits, fuzzing and other
initiatives.
* Upstream release 48.0.2564.116:
- CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome.
-- Chad MILLER <email address hidden> Thu, 18 Feb 2016 17:55:30 -0500
-
chromium-browser (48.0.2564.82-0ubuntu1.1222) xenial; urgency=medium
* Upstream release 48.0.2564.82:
- CVE-2016-1612: Bad cast in V8.
- CVE-2016-1613: Use-after-free in PDFium.
- CVE-2016-1614: Information leak in Blink.
- CVE-2016-1615: Origin confusion in Omnibox.
- CVE-2016-1616: URL Spoofing.
- CVE-2016-1617: History sniffing with HSTS and CSP.
- CVE-2016-1618: Weak random number generator in Blink.
- CVE-2016-1619: Out-of-bounds read in PDFium.
- CVE-2016-1620: Various fixes from internal audits, fuzzing and other
initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch
(currently 4.8.271.17).
-- Chad MILLER <email address hidden> Thu, 21 Jan 2016 08:39:10 -0500
-
chromium-browser (47.0.2526.106-0ubuntu1.1221) xenial; urgency=medium
* Upstream release 47.0.2526.106:
- CVE-2015-6792: Fixes from internal audits and fuzzing.
* Upstream release 47.0.2526.80:
- CVE-2015-6788: Type confusion in extensions.
- CVE-2015-6789: Use-after-free in Blink.
- CVE-2015-6790: Escaping issue in saved pages.
- CVE-2015-6791: Various fixes from internal audits, fuzzing and other
initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch
(currently 4.7.80.23).
* debian/rules: Don't use bundled binutils. Remove execute bits on programs
so we can be sure they aren't run.
-- Chad MILLER <email address hidden> Tue, 15 Dec 2015 19:33:00 -0500
-
chromium-browser (47.0.2526.73-0ubuntu1.1218) xenial; urgency=medium
* Upstream release 47.0.2526.73:
- CVE-2015-6765: Use-after-free in AppCache.
- CVE-2015-6766: Use-after-free in AppCache.
- CVE-2015-6767: Use-after-free in AppCache.
- CVE-2015-6768: Cross-origin bypass in DOM.
- CVE-2015-6769: Cross-origin bypass in core.
- CVE-2015-6770: Cross-origin bypass in DOM.
- CVE-2015-6771: Out of bounds access in v8.
- CVE-2015-6772: Cross-origin bypass in DOM.
- CVE-2015-6764: Out of bounds access in v8.
- CVE-2015-6773: Out of bounds access in Skia.
- CVE-2015-6774: Use-after-free in Extensions.
- CVE-2015-6775: Type confusion in PDFium.
- CVE-2015-6776: Out of bounds access in PDFium.
- CVE-2015-6777: Use-after-free in DOM.
- CVE-2015-6778: Out of bounds access in PDFium.
- CVE-2015-6779: Scheme bypass in PDFium.
- CVE-2015-6780: Use-after-free in Infobars.
- CVE-2015-6781: Integer overflow in Sfntly.
- CVE-2015-6782: Content spoofing in Omnibox.
- CVE-2015-6783: Signature validation issue in Android Crazy Linker.
- CVE-2015-6784: Escaping issue in saved pages.
- CVE-2015-6785: Wildcard matching issue in CSP.
- CVE-2015-6786: Scheme bypass in CSP.
- CVE-2015-6787: Various fixes from internal audits, fuzzing and other
initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch
(currently 4.7.80.23).
* Upstream release 46.0.2490.86:
- CVE-2015-1302: Information leak in PDF viewer.
* Upstream release 46.0.2490.71:
- CVE-2015-6755: Cross-origin bypass in Blink.
- CVE-2015-6756: Use-after-free in PDFium.
- CVE-2015-6757: Use-after-free in ServiceWorker.
- CVE-2015-6758: Bad-cast in PDFium.
- CVE-2015-6759: Information leakage in LocalStorage.
- CVE-2015-6760: Improper error handling in libANGLE.
- CVE-2015-6761: Memory corruption in FFMpeg.
- CVE-2015-6762: CORS bypass via CSS fonts.
- CVE-2015-6763: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/patches/gpu-hangs: remove. Not useful.
* Switch to Clang to compile.
* debian/rules: Explicitly create remoting resources.
* debian/patches/cr46-missing-test-files:
* debian/rules: support screen sharing in Hangouts.
* debian/patches/xdg-settings-multiexec-desktopfiles.patch: Always prefer
local xdg-settings.
* debian/chromium-browser.desktop: Don't override WM class matching.
-- Chad MILLER <email address hidden> Tue, 01 Dec 2015 15:37:11 -0500
-
chromium-browser (45.0.2454.101-0ubuntu1.1201) wily; urgency=medium
* Upstream release 45.0.2454.101:
- CVE-2015-1303: Cross-origin bypass in DOM.
- CVE-2015-1304: Cross-origin bypass in V8.
* debian/tests/testdata/xx-test-tool-is-functional-if-this-prints-functional.sikuli
Only use GUI test tool to test IF it works on its own. If it is broken,
don't use that to test chromium.
* debian/rules: Include our own "xdg-settings" file until a bug is fixed.
* debian/patches/xdg-settings-multiexec-desktopfiles.patch : Locally fix
aforementioned bug. More than one Exec line in a destop file (like ours)
triggers a bug in badly-written shell code in portland xdg-utils-common.in
-- Chad MILLER <email address hidden> Tue, 29 Sep 2015 08:06:37 -0400
