Debian Security Advisory

DSA-4562-1 chromium -- security update

Date Reported:
10 Nov 2019
Affected Packages:
chromium
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2019-5869, CVE-2019-5870, CVE-2019-5871, CVE-2019-5872, CVE-2019-5874, CVE-2019-5875, CVE-2019-5876, CVE-2019-5877, CVE-2019-5878, CVE-2019-5879, CVE-2019-5880, CVE-2019-13659, CVE-2019-13660, CVE-2019-13661, CVE-2019-13662, CVE-2019-13663, CVE-2019-13664, CVE-2019-13665, CVE-2019-13666, CVE-2019-13667, CVE-2019-13668, CVE-2019-13669, CVE-2019-13670, CVE-2019-13671, CVE-2019-13673, CVE-2019-13674, CVE-2019-13675, CVE-2019-13676, CVE-2019-13677, CVE-2019-13678, CVE-2019-13679, CVE-2019-13680, CVE-2019-13681, CVE-2019-13682, CVE-2019-13683, CVE-2019-13685, CVE-2019-13686, CVE-2019-13687, CVE-2019-13688, CVE-2019-13691, CVE-2019-13692, CVE-2019-13693, CVE-2019-13694, CVE-2019-13695, CVE-2019-13696, CVE-2019-13697, CVE-2019-13699, CVE-2019-13700, CVE-2019-13701, CVE-2019-13702, CVE-2019-13703, CVE-2019-13704, CVE-2019-13705, CVE-2019-13706, CVE-2019-13707, CVE-2019-13708, CVE-2019-13709, CVE-2019-13710, CVE-2019-13711, CVE-2019-13713, CVE-2019-13714, CVE-2019-13715, CVE-2019-13716, CVE-2019-13717, CVE-2019-13718, CVE-2019-13719, CVE-2019-13720, CVE-2019-13721.
More information:

Several vulnerabilities have been discovered in the chromium web browser.

  • CVE-2019-5869

    Zhe Jin discovered a use-after-free issue.

  • CVE-2019-5870

    Guang Gong discovered a use-after-free issue.

  • CVE-2019-5871

    A buffer overflow issue was discovered in the skia library.

  • CVE-2019-5872

    Zhe Jin discovered a use-after-free issue.

  • CVE-2019-5874

    James Lee discovered an issue with external Uniform Resource Identifiers.

  • CVE-2019-5875

    Khalil Zhani discovered a URL spoofing issue.

  • CVE-2019-5876

    Man Yue Mo discovered a use-after-free issue.

  • CVE-2019-5877

    Guang Gong discovered an out-of-bounds read issue.

  • CVE-2019-5878

    Guang Gong discovered an use-after-free issue in the v8 javascript library.

  • CVE-2019-5879

    Jinseo Kim discover that extensions could read files on the local system.

  • CVE-2019-5880

    Jun Kokatsu discovered a way to bypass the SameSite cookie feature.

  • CVE-2019-13659

    Lnyas Zhang discovered a URL spoofing issue.

  • CVE-2019-13660

    Wenxu Wu discovered a user interface error in full screen mode.

  • CVE-2019-13661

    Wenxu Wu discovered a user interface spoofing issue in full screen mode.

  • CVE-2019-13662

    David Erceg discovered a way to bypass the Content Security Policy.

  • CVE-2019-13663

    Lnyas Zhang discovered a way to spoof Internationalized Domain Names.

  • CVE-2019-13664

    Thomas Shadwell discovered a way to bypass the SameSite cookie feature.

  • CVE-2019-13665

    Jun Kokatsu discovered a way to bypass the multiple file download protection feature.

  • CVE-2019-13666

    Tom Van Goethem discovered an information leak.

  • CVE-2019-13667

    Khalil Zhani discovered a URL spoofing issue.

  • CVE-2019-13668

    David Erceg discovered an information leak.

  • CVE-2019-13669

    Khalil Zhani discovered an authentication spoofing issue.

  • CVE-2019-13670

    Guang Gong discovered a memory corruption issue in the v8 javascript library.

  • CVE-2019-13671

    xisigr discovered a user interface error.

  • CVE-2019-13673

    David Erceg discovered an information leak.

  • CVE-2019-13674

    Khalil Zhani discovered a way to spoof Internationalized Domain Names.

  • CVE-2019-13675

    Jun Kokatsu discovered a way to disable extensions.

  • CVE-2019-13676

    Wenxu Wu discovered an error in a certificate warning.

  • CVE-2019-13677

    Jun Kokatsu discovered an error in the chrome web store.

  • CVE-2019-13678

    Ronni Skansing discovered a spoofing issue in the download dialog window.

  • CVE-2019-13679

    Conrad Irwin discovered that user activation was not required for printing.

  • CVE-2019-13680

    Thijs Alkamade discovered an IP address spoofing issue.

  • CVE-2019-13681

    David Erceg discovered a way to bypass download restrictions.

  • CVE-2019-13682

    Jun Kokatsu discovered a way to bypass the site isolation feature.

  • CVE-2019-13683

    David Erceg discovered an information leak.

  • CVE-2019-13685

    Khalil Zhani discovered a use-after-free issue.

  • CVE-2019-13686

    Brendon discovered a use-after-free issue.

  • CVE-2019-13687

    Man Yue Mo discovered a use-after-free issue.

  • CVE-2019-13688

    Man Yue Mo discovered a use-after-free issue.

  • CVE-2019-13691

    David Erceg discovered a user interface spoofing issue.

  • CVE-2019-13692

    Jun Kokatsu discovered a way to bypass the Same Origin Policy.

  • CVE-2019-13693

    Guang Gong discovered a use-after-free issue.

  • CVE-2019-13694

    banananapenguin discovered a use-after-free issue.

  • CVE-2019-13695

    Man Yue Mo discovered a use-after-free issue.

  • CVE-2019-13696

    Guang Gong discovered a use-after-free issue in the v8 javascript library.

  • CVE-2019-13697

    Luan Herrera discovered an information leak.

  • CVE-2019-13699

    Man Yue Mo discovered a use-after-free issue.

  • CVE-2019-13700

    Man Yue Mo discovered a buffer overflow issue.

  • CVE-2019-13701

    David Erceg discovered a URL spoofing issue.

  • CVE-2019-13702

    Phillip Langlois and Edward Torkington discovered a privilege escalation issue in the installer.

  • CVE-2019-13703

    Khalil Zhani discovered a URL spoofing issue.

  • CVE-2019-13704

    Jun Kokatsu discovered a way to bypass the Content Security Policy.

  • CVE-2019-13705

    Luan Herrera discovered a way to bypass extension permissions.

  • CVE-2019-13706

    pdknsk discovered an out-of-bounds read issue in the pdfium library.

  • CVE-2019-13707

    Andrea Palazzo discovered an information leak.

  • CVE-2019-13708

    Khalil Zhani discovered an authentication spoofing issue.

  • CVE-2019-13709

    Zhong Zhaochen discovered a way to bypass download restrictions.

  • CVE-2019-13710

    bernardo.mrod discovered a way to bypass download restrictions.

  • CVE-2019-13711

    David Erceg discovered an information leak.

  • CVE-2019-13713

    David Erceg discovered an information leak.

  • CVE-2019-13714

    Jun Kokatsu discovered an issue with Cascading Style Sheets.

  • CVE-2019-13715

    xisigr discovered a URL spoofing issue.

  • CVE-2019-13716

    Barron Hagerman discovered an error in the service worker implementation.

  • CVE-2019-13717

    xisigr discovered a user interface spoofing issue.

  • CVE-2019-13718

    Khalil Zhani discovered a way to spoof Internationalized Domain Names.

  • CVE-2019-13719

    Khalil Zhani discovered a user interface spoofing issue.

  • CVE-2019-13720

    Anton Ivanov and Alexey Kulaev discovered a use-after-free issue.

  • CVE-2019-13721

    banananapenguin discovered a use-after-free issue in the pdfium library.

For the oldstable distribution (stretch), support for chromium has been discontinued. Please upgrade to the stable release (buster) to continue receiving chromium updates or switch to firefox, which continues to be supported in the oldstable release.

For the stable distribution (buster), these problems have been fixed in version 78.0.3904.97-1~deb10u1.

We recommend that you upgrade your chromium packages.

For the detailed security status of chromium please refer to its security tracker page at: https://security-tracker.debian.org/tracker/chromium