Debian Security Advisory

DSA-4103-1 chromium-browser -- security update

Date Reported:
31 Jan 2018
Affected Packages:
chromium-browser
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2017-15420, CVE-2017-15429, CVE-2018-6031, CVE-2018-6032, CVE-2018-6033, CVE-2018-6034, CVE-2018-6035, CVE-2018-6036, CVE-2018-6037, CVE-2018-6038, CVE-2018-6039, CVE-2018-6040, CVE-2018-6041, CVE-2018-6042, CVE-2018-6043, CVE-2018-6045, CVE-2018-6046, CVE-2018-6047, CVE-2018-6048, CVE-2018-6049, CVE-2018-6050, CVE-2018-6051, CVE-2018-6052, CVE-2018-6053, CVE-2018-6054.
More information:

Several vulnerabilities have been discovered in the chromium web browser.

  • CVE-2017-15420

    Drew Springall discovered a URL spoofing issue.

  • CVE-2017-15429

    A cross-site scripting issue was discovered in the v8 javascript library.

  • CVE-2018-6031

    A use-after-free issue was discovered in the pdfium library.

  • CVE-2018-6032

    Jun Kokatsu discovered a way to bypass the same origin policy.

  • CVE-2018-6033

    Juho Nurminen discovered a race condition when opening downloaded files.

  • CVE-2018-6034

    Tobias Klein discovered an integer overflow issue.

  • CVE-2018-6035

    Rob Wu discovered a way for extensions to access devtools.

  • CVE-2018-6036

    UK's National Cyber Security Centre discovered an integer overflow issue.

  • CVE-2018-6037

    Paul Stone discovered an issue in the autofill feature.

  • CVE-2018-6038

    cloudfuzzer discovered a buffer overflow issue.

  • CVE-2018-6039

    Juho Nurminen discovered a cross-site scripting issue in the developer tools.

  • CVE-2018-6040

    WenXu Wu discovered a way to bypass the content security policy.

  • CVE-2018-6041

    Luan Herrera discovered a URL spoofing issue.

  • CVE-2018-6042

    Khalil Zhani discovered a URL spoofing issue.

  • CVE-2018-6043

    A character escaping issue was discovered.

  • CVE-2018-6045

    Rob Wu discovered a way for extensions to access devtools.

  • CVE-2018-6046

    Rob Wu discovered a way for extensions to access devtools.

  • CVE-2018-6047

    Masato Kinugawa discovered an information leak issue.

  • CVE-2018-6048

    Jun Kokatsu discovered a way to bypass the referrer policy.

  • CVE-2018-6049

    WenXu Wu discovered a user interface spoofing issue.

  • CVE-2018-6050

    Jonathan Kew discovered a URL spoofing issue.

  • CVE-2018-6051

    Antonio Sanso discovered an information leak issue.

  • CVE-2018-6052

    Tanner Emek discovered that the referrer policy implementation was incomplete.

  • CVE-2018-6053

    Asset Kabdenov discovered an information leak issue.

  • CVE-2018-6054

    Rob Wu discovered a use-after-free issue.

For the oldstable distribution (jessie), security support for chromium has been discontinued.

For the stable distribution (stretch), these problems have been fixed in version 64.0.3282.119-1~deb9u1.

We recommend that you upgrade your chromium-browser packages.

For the detailed security status of chromium-browser please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium-browser