Change log : chromium-browser package : Debian

70.0.3538.110-1~deb9u1

Published in stretch-release on 2019-02-16

chromium-browser (70.0.3538.110-1~deb9u1) stretch-security; urgency=medium

  * New upstream security release.
    - CVE-2018-17479: Use-after-free in GPU.

 -- Michael Gilbert <email address hidden>  Wed, 21 Nov 2018 02:17:45 +0000

70.0.3538.110-1

Deleted in sid-release (Reason: None provided.)

chromium-browser (70.0.3538.110-1) unstable; urgency=medium

  * New upstream security release.
    - CVE-2018-17479: Use-after-free in GPU.

 -- Michael Gilbert <email address hidden>  Tue, 20 Nov 2018 00:45:46 +0000

70.0.3538.102-1

Superseded in sid-release on 2018-11-21

chromium-browser (70.0.3538.102-1) unstable; urgency=medium

  * New upstream security release.
    - CVE-2018-17478: Out of bounds memory access in V8.  Reported by
      cloudfuzzer
  * Fix new lintian warnings.
  * Drop libjs-excanvas build dependency.
  * Add support for building with harfbuzz 2.1.1.
  * Document how to run chromium as root (closes: #838534).
  * Output debian specific instructions when no working sandbox is available.
  * Do not rely on transitive recommendation for the sandbox (closes: #913116).

 -- Michael Gilbert <email address hidden>  Fri, 16 Nov 2018 03:12:53 +0000

69.0.3497.92-1~deb9u1

Superseded in stretch-release on 2019-02-16

chromium-browser (69.0.3497.92-1~deb9u1) stretch-security; urgency=medium

  * New upstream security release.
    - Function signature mismatch in WebAssembly. Reported by Kevin Cheung
    - URL Spoofing in Omnibox. Reported by evi1m0

 -- Michael Gilbert <email address hidden>  Fri, 14 Sep 2018 00:48:39 +0000

70.0.3538.67-3

Superseded in sid-release on 2018-11-16

chromium-browser (70.0.3538.67-3) unstable; urgency=medium

  * Fix a compiler warning.
  * Move the setuid sandbox into a separate package (closes: #839277).

 -- Michael Gilbert <email address hidden>  Sat, 03 Nov 2018 17:30:16 +0000

70.0.3538.67-2

Deleted in buster-release (Reason: None provided.)

Superseded in sid-release on 2018-11-07

chromium-browser (70.0.3538.67-2) unstable; urgency=medium

  * Restore support for building with gtk2.

 -- Michael Gilbert <email address hidden>  Tue, 23 Oct 2018 01:11:35 +0000

70.0.3538.67-1

Superseded in buster-release on 2018-11-03

Superseded in sid-release on 2018-10-29

chromium-browser (70.0.3538.67-1) unstable; urgency=medium

  * New upstream stable release.
    - CVE-2018-17462: Sandbox escape in AppCache. Reported by Ned Williamson
      and Niklas Baumstark
    - CVE-2018-17463: Remote code execution in V8. Reported by Ned Williamson
      and Niklas Baumstark
    - Heap buffer overflow in Little CMS in PDFium. Reported by Quang Nguyễn
    - CVE-2018-17464: URL spoof in Omnibox. Reported by xisigr
    - CVE-2018-17465: Use after free in V8. Reported by Lin Zuojian
    - CVE-2018-17466: Memory corruption in Angle. Reported by Omair
    - CVE-2018-17467: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-17468: Cross-origin URL disclosure in Blink. Reported by James
      Lee
    - CVE-2018-17469: Heap buffer overflow in PDFium. Reported by Zhen Zhou
    - CVE-2018-17470: Memory corruption in GPU Internals. Reported by Zhe Jin
    - CVE-2018-17471: Security UI occlusion in full screen mode. Reported by
      Lnyas Zhang
    - CVE-2018-17473: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-17474: Use after free in Blink. Reported by Zhe Jin
    - CVE-2018-17475: URL spoof in Omnibox. Reported by Vladimir Metnew
    - CVE-2018-17476: Security UI occlusion in full screen mode. Reported by
      Khalil Zhani
    - CVE-2018-5179: Lack of limits on update() in ServiceWorker. Reported by
      Yannic Bonenberger
    - CVE-2018-17477: UI spoof in Extensions. Reported by Aaron Muir Hamilton
  * Fix build failure on i386.
  * Fix installation path of the master preferences file (closes: #911056).

 -- Michael Gilbert <email address hidden>  Tue, 16 Oct 2018 12:36:22 +0000

70.0.3538.54-2

Superseded in sid-release on 2018-10-17

chromium-browser (70.0.3538.54-2) unstable; urgency=medium

  * Build with gcc 8 (closes: #901368).
  * Move the master preferences file to /etc/chromium (closes: #891232).

 -- Michael Gilbert <email address hidden>  Sun, 14 Oct 2018 00:49:46 +0000

70.0.3538.54-1

Superseded in sid-release on 2018-10-17

chromium-browser (70.0.3538.54-1) unstable; urgency=medium

  * New upstream beta release.

 -- Michael Gilbert <email address hidden>  Sat, 13 Oct 2018 04:18:08 +0000

69.0.3497.100-1

Superseded in sid-release on 2018-10-15

chromium-browser (69.0.3497.100-1) unstable; urgency=medium

  * New upstream stable release.
  * Update standards version to 4.2.1.
  * Clarify debugging section in README.debian (closes: #910842).
  * Remove ConvertUTF from the upstream tarball (closes: #900596).
  * Load all extensions installed to /usr/share/chromium/extensions.
    - Thanks to Michael Meskes (closes: #890392).
  * Remove audio_capture_enable setting from the default preferences
    (closes: #884887).

 -- Michael Gilbert <email address hidden>  Sat, 13 Oct 2018 02:35:46 +0000

69.0.3497.92-1

Superseded in buster-release on 2018-10-22

Superseded in sid-release on 2018-10-13

chromium-browser (69.0.3497.92-1) unstable; urgency=medium

  * New upstream security release.
    - Function signature mismatch in WebAssembly. Reported by Kevin Cheung
    - URL Spoofing in Omnibox. Reported by evi1m0

 -- Michael Gilbert <email address hidden>  Thu, 13 Sep 2018 03:12:53 +0000

69.0.3497.81-3

Superseded in buster-release on 2018-09-18

Superseded in sid-release on 2018-09-14

chromium-browser (69.0.3497.81-3) unstable; urgency=medium

  * Move another file needed for the armhf build to where it is expected.

 -- Michael Gilbert <email address hidden>  Fri, 07 Sep 2018 00:06:13 +0000

69.0.3497.81-2

Superseded in sid-release on 2018-09-07

chromium-browser (69.0.3497.81-2) unstable; urgency=medium

  * Disable swiftshader.
  * Move file needed for the armhf build to where it is expected.
  * Document disabled built-in extensions in README.debian (closes: #886358).

 -- Michael Gilbert <email address hidden>  Thu, 06 Sep 2018 01:45:12 +0000

69.0.3497.81-1

Superseded in sid-release on 2018-09-06

chromium-browser (69.0.3497.81-1) unstable; urgency=medium

  * New upstream stable release.
    - CVE-2018-16065: Out of bounds write in V8. Reported by Brendon Tiszka
    - CVE-2018-16066: Out of bounds read in Blink. Reported by cloudfuzzer
    - CVE-2018-16067: Out of bounds read in WebAudio. Reported by Zhe Jin
    - CVE-2018-16068: Out of bounds write in Mojo. Reported by Mark Brand
    - CVE-2018-16069: Out of bounds read in SwiftShader. Reported by Mark Brand
    - CVE-2018-16070: Integer overflow in Skia. Reported by Ivan Fratric
    - CVE-2018-16071: Use after free in WebRTC. Reported by Natalie Silvanovich
    - CVE-2018-16073: Site Isolation bypass after tab restore. Reported by Jun
      Kokatsu
    - CVE-2018-16074: Site Isolation bypass using Blob URLS. Reported by Jun
      Kokatsu
    - CVE-2018-16075: Local file access in Blink. Reported by Pepe Vila
    - CVE-2018-16076: Out of bounds read in PDFium. Reported by Aleksandar
      Nikolic
    - CVE-2018-16077: Content security policy bypass in Blink. Reported by
      Manuel Caballero
    - CVE-2018-16078: Credit card information leak in Autofill. Reported by
      Cailan Sacks
    - CVE-2018-16079: URL spoof in permission dialogs. Reported by Markus
      Vervier and Michele Orrù
    - CVE-2018-16080: URL spoof in full screen mode. Reported by Khalil Zhani
    - CVE-2018-16081: Local file access in DevTools. Reported by Jann Horn
    - CVE-2018-16082: Stack buffer overflow in SwiftShader. Reported by Omair
    - CVE-2018-16083: Out of bounds read in WebRTC. Reported by Natalie
      Silvanovich
    - CVE-2018-16084: User confirmation bypass in external protocol handling.
      Reported by Jun Kokatsu
    - CVE-2018-16085: Use after free in Memory Instrumentation. Reported by
      Roman Kuksin

 -- Michael Gilbert <email address hidden>  Wed, 05 Sep 2018 00:01:50 +0000

69.0.3497.12-1

Deleted in experimental-release (Reason: None provided.)

chromium-browser (69.0.3497.12-1) experimental; urgency=medium

  * New upstream development release.
    - Fixes an error that can occur on pages containing xml (closes: #865592).
  * Install swiftshader libraries to /usr/lib/chromium (closes: #901831).

 -- Michael Gilbert <email address hidden>  Sun, 29 Jul 2018 09:30:34 +0000

68.0.3440.75-2

Superseded in buster-release on 2018-09-12

Superseded in sid-release on 2018-09-07

chromium-browser (68.0.3440.75-2) unstable; urgency=medium

  * Restore a mistakenly omitted call to InitializeFFmpeg (closes: #902909).

 -- Michael Gilbert <email address hidden>  Thu, 26 Jul 2018 00:37:11 +0000

68.0.3440.75-1

Superseded in sid-release on 2018-07-27

chromium-browser (68.0.3440.75-1) unstable; urgency=medium

  * New upstream stable release.
    - CVE-2018-4117: Cross origin information leak in Blink. Reported by
      AhsanEjaz
    - CVE-2018-6044: Request privilege escalation in Extensions . Reported by
      Rob Wu
    - CVE-2018-6150: Cross origin information disclosure in Service Workers.
      Reported by Rob Wu
    - CVE-2018-6151: Bad cast in DevTools. Reported by Rob Wu
    - CVE-2018-6152: Local file write in DevTools. Reported by Rob Wu
    - CVE-2018-6153: Stack buffer overflow in Skia. Reported by Zhen Zhou
    - CVE-2018-6154: Heap buffer overflow in WebGL. Reported by Omair
    - CVE-2018-6155: Use after free in WebRTC. Reported by Natalie Silvanovich
    - CVE-2018-6156: Heap buffer overflow in WebRTC. Reported by Natalie
      Silvanovich
    - CVE-2018-6157: Type confusion in WebRTC. Reported by Natalie Silvanovich
    - CVE-2018-6158: Use after free in Blink. Reported by Zhe Jin
    - CVE-2018-6159: Same origin policy bypass in ServiceWorker. Reported by
      Jun Kokatsu
    - CVE-2018-6161: Same origin policy bypass in WebAudio. Reported by Jun
      Kokatsu
    - CVE-2018-6162: Heap buffer overflow in WebGL. Reported by Omair
    - CVE-2018-6163: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6164: Same origin policy bypass in ServiceWorker. Reported by
      Jun Kokatsu
    - CVE-2018-6165: URL spoof in Omnibox. Reported by evi1m0
    - CVE-2018-6166: URL spoof in Omnibox. Reported by Lnyas Zhang
    - CVE-2018-6167: URL spoof in Omnibox. Reported by Lnyas Zhang
    - CVE-2018-6168: CORS bypass in Blink. Reported by Gunes Acar and Danny Y.
      Huang
    - CVE-2018-6169: Permissions bypass in extension installation . Reported by
      Sam P
    - CVE-2018-6170: Type confusion in PDFium. Reported by Anonymous
    - CVE-2018-6171: Use after free in WebBluetooth.
    - CVE-2018-6172: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6173: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6174: Integer overflow in SwiftShader. Reported by Mark Brand
    - CVE-2018-6175: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6176: Local user privilege escalation in Extensions. Reported by
      Jann Horn
    - CVE-2018-6177: Cross origin information leak in Blink. Reported by Ron
      Masas
    - CVE-2018-6178: UI spoof in Extensions. Reported by Khalil Zhani
    - CVE-2018-6179: Local file information leak in Extensions.

 -- Michael Gilbert <email address hidden>  Wed, 25 Jul 2018 00:28:20 +0000

68.0.3440.42-1

Deleted in experimental-release (Reason: None provided.)

chromium-browser (68.0.3440.42-1) experimental; urgency=medium

  * New upstream beta release.

 -- Michael Gilbert <email address hidden>  Sat, 30 Jun 2018 17:46:03 +0000

63.0.3239.84-1~deb9u1

Superseded in stretch-release on 2018-11-10

chromium-browser (63.0.3239.84-1~deb9u1) stretch-security; urgency=medium

  * New upstream stable release.
    - CVE-2017-15407: Out of bounds write in QUIC. Reported by Ned Williamson
    - CVE-2017-15408: Heap buffer overflow in PDFium. Reported by Ke Liu
    - CVE-2017-15409: Out of bounds write in Skia. Reported by Anonymous
    - CVE-2017-15410: Use after free in PDFium. Reported by Luật Nguyễn
    - CVE-2017-15411: Use after free in PDFium. Reported by Luật Nguyễn
    - CVE-2017-15413: Type confusion in WebAssembly. Reported by Gaurav Dewan
    - CVE-2017-15415: Pointer information disclosure in IPC call. Reported by
      Viktor Brange
    - CVE-2017-15416: Out of bounds read in Blink. Reported by Ned Williamson
    - CVE-2017-15417: Cross origin information disclosure in Skia . Reported by
      Max May
    - CVE-2017-15418: Use of uninitialized value in Skia. Reported by Kushal
      Arvind Shah
    - CVE-2017-15419: Cross origin leak of redirect URL in Blink. Reported by
      Jun Kokatsu
    - CVE-2017-15420: URL spoofing in Omnibox. Reported by WenXu Wu
    - CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. Reported by
      Greg Hudson
    - CVE-2017-15424: URL Spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2017-15425: URL Spoof in Omnibox. Reported by xisigr
    - CVE-2017-15426: URL Spoof in Omnibox. Reported by WenXu Wu
    - CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox. Reported
      by Junaid Farhan

 -- Michael Gilbert <email address hidden>  Sun, 03 Dec 2017 15:26:02 +0000

68.0.3440.33-1

Superseded in experimental-release on 2018-07-17

chromium-browser (68.0.3440.33-1) experimental; urgency=medium

  * New upstream beta release.
  * Build using upstream's "lite" tarball.
  * Restore decoder initialization from chromium 66 to maintain compatibility
    with ffmpeg 3.4 (closes: #900533).

 -- Michael Gilbert <email address hidden>  Fri, 29 Jun 2018 20:48:51 +0000

68.0.3440.25-1

Superseded in experimental-release on 2018-07-01

chromium-browser (68.0.3440.25-1) experimental; urgency=medium

  * New upstream beta release.

 -- Michael Gilbert <email address hidden>  Sun, 24 Jun 2018 16:32:18 +0000

68.0.3440.17-1

Superseded in experimental-release on 2018-06-26

chromium-browser (68.0.3440.17-1) experimental; urgency=medium

  * New upstream beta release.
  * Recommend upower and notification-daemon.

 -- Michael Gilbert <email address hidden>  Mon, 11 Jun 2018 04:40:58 +0000

67.0.3396.87-1

Superseded in buster-release on 2018-07-31

Superseded in sid-release on 2018-07-26

chromium-browser (67.0.3396.87-1) unstable; urgency=medium

  * New upstream security release.
    - CVE-2018-6149: Out of bounds write in V8. Reported by Yu Zhou and
      Jundong Xie

 -- Michael Gilbert <email address hidden>  Tue, 19 Jun 2018 12:13:46 +0000

67.0.3396.79-2

Superseded in buster-release on 2018-06-29

Superseded in sid-release on 2018-06-24

chromium-browser (67.0.3396.79-2) unstable; urgency=medium

  * Use embedded ffmpeg code copy (closes: #900533).

 -- Michael Gilbert <email address hidden>  Mon, 11 Jun 2018 00:33:39 +0000

68.0.3440.7-1

Superseded in experimental-release on 2018-06-24

chromium-browser (68.0.3440.7-1) experimental; urgency=medium

  * New upstream development release.

 -- Michael Gilbert <email address hidden>  Sun, 10 Jun 2018 23:44:14 +0000

67.0.3396.79-1

Superseded in sid-release on 2018-06-11

chromium-browser (67.0.3396.79-1) unstable; urgency=medium

  * New upstream security release.
    - CVE-2018-6148: Incorrect handling of CSP header. Reported by Michał
      Bentkowski

 -- Michael Gilbert <email address hidden>  Sun, 10 Jun 2018 21:48:45 +0000

67.0.3396.62-2

Superseded in sid-release on 2018-06-12

chromium-browser (67.0.3396.62-2) unstable; urgency=medium

  * Fix build on arm64/armhf

 -- Riku Voipio <email address hidden>  Fri, 08 Jun 2018 15:37:05 +0300

67.0.3396.62-1

Superseded in sid-release on 2018-06-09

chromium-browser (67.0.3396.62-1) unstable; urgency=medium

  * New upstream stable release.
    - CVE-2018-6123: Use after free in Blink. Reported by Looben Yang
    - CVE-2018-6124: Type confusion in Blink. Reported by Guang Gong
    - CVE-2018-6125: Overly permissive policy in WebUSB. Reported by Yubico
    - CVE-2018-6126: Heap buffer overflow in Skia. Reported by Ivan Fratric
    - CVE-2018-6127: Use after free in indexedDB. Reported by Looben Yang
    - CVE-2018-6128: uXSS in Chrome on iOS. Reported by Tomasz Bojarski
    - CVE-2018-6129: Out of bounds memory access in WebRTC. Reported by Natalie
      Silvanovich
    - CVE-2018-6130: Out of bounds memory access in WebRTC. Reported by Natalie
      Silvanovich
    - CVE-2018-6131: Incorrect mutability protection in WebAssembly. Reported
      by Natalie Silvanovich
    - CVE-2018-6132: Use of uninitialized memory in WebRTC. Reported by Ronald
      E. Crane
    - CVE-2018-6133: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6134: Referrer Policy bypass in Blink. Reported by Jun Kokatsu
    - CVE-2018-6135: UI spoofing in Blink. Reported by Jasper Rebane
    - CVE-2018-6136: Out of bounds memory access in V8. Reported by Peter Wong
    - CVE-2018-6137: Leak of visited status of page in Blink. Reported by
      Michael Smith
    - CVE-2018-6138: Overly permissive policy in Extensions. Reported by
      François Lajeunesse-Robert
    - CVE-2018-6139: Restrictions bypass in the debugger extension API.
      Reported by Rob Wu
    - CVE-2018-6140: Restrictions bypass in the debugger extension API.
      Reported by Rob Wu
    - CVE-2018-6141: Heap buffer overflow in Skia. Reported by Yangkang
    - CVE-2018-6142: Out of bounds memory access in V8. Reported by Choongwoo
      Han
    - CVE-2018-6143: Out of bounds memory access in V8. Reported by Guang Gong
    - CVE-2018-6144: Out of bounds memory access in PDFium. Reported by pdknsk
    - CVE-2018-6145: Incorrect escaping of MathML in Blink. Reported by Masato
      Kinugawa
    - CVE-2018-6147: Password fields not taking advantage of OS protections in
      Views. Reported by Michail Pishchagin

 -- Michael Gilbert <email address hidden>  Wed, 30 May 2018 13:03:02 +0000

67.0.3396.57-1

Deleted in experimental-release (Reason: None provided.)

chromium-browser (67.0.3396.57-1) experimental; urgency=medium

  * New upstream beta release.
  * Ignore more compiler warnings.

 -- Michael Gilbert <email address hidden>  Tue, 29 May 2018 13:06:17 +0000

67.0.3396.56-1

Superseded in experimental-release on 2018-05-30

chromium-browser (67.0.3396.56-1) experimental; urgency=medium

  * New upstream beta release.

 -- Michael Gilbert <email address hidden>  Sun, 27 May 2018 04:27:00 +0000

67.0.3396.48-1

Superseded in experimental-release on 2018-05-28

chromium-browser (67.0.3396.48-1) experimental; urgency=medium

  * New upstream beta release.
  * Indicate that binary rules do not require root.
  * Change maintainer address to <email address hidden>.
  * Drop widevine adapter package, no longer supported upstream (chromium
    should automatically detect and use libwidevinecdm.so without the extra
    adapter library now).

 -- Michael Gilbert <email address hidden>  Sat, 19 May 2018 03:30:20 +0000

66.0.3359.181-1

Superseded in sid-release on 2018-06-09

chromium-browser (66.0.3359.181-1) unstable; urgency=medium

  * New upstream security release.
    - CVE-2018-6120: Heap buffer overflow in PDFium. Reported by Zhou Aiting
    - CVE-2018-6121: Privilege Escalation in extensions.
    - CVE-2018-6122: Type confusion in V8.

 -- Michael Gilbert <email address hidden>  Fri, 18 May 2018 21:08:59 +0000

66.0.3359.139-1

Superseded in sid-release on 2018-05-19

chromium-browser (66.0.3359.139-1) unstable; urgency=medium

  * New upstream security release.
    - CVE-2018-6118: Use after free in Media Cache. Reported by Ned Williamson
  * Enable jumbo build.
  * Recommend libgl1-mesa-dri.

 -- Michael Gilbert <email address hidden>  Sat, 28 Apr 2018 02:44:15 +0000

66.0.3359.117-1

Superseded in sid-release on 2018-04-29

chromium-browser (66.0.3359.117-1) unstable; urgency=medium

  * New upstream stable release.
    - CVE-2018-6085: Use after free in Disk Cache. Reported by Ned Williamson
    - CVE-2018-6086: Use after free in Disk Cache. Reported by Ned Williamson
    - CVE-2018-6087: Use after free in WebAssembly. Reported by Anonymous
    - CVE-2018-6088: Use after free in PDFium. Reported by Anonymous
    - CVE-2018-6089: Same origin policy bypass in Service Worker. Reported by
      Rob Wu
    - CVE-2018-6090: Heap buffer overflow in Skia. Reported by ZhanJia Song
    - CVE-2018-6091: Incorrect handling of plug-ins by Service Worker.
      Reported by Jun Kokatsu
    - CVE-2018-6092: Integer overflow in WebAssembly. Reported by Natalie
      Silvanovich
    - CVE-2018-6093: Same origin bypass in Service Worker. Reported by Jun
      Kokatsu
    - CVE-2018-6094: Exploit hardening regression in Oilpan. Reported by Chris
      Rohlf
    - CVE-2018-6095: Lack of meaningful user interaction requirement before
      file upload. Reported by Abdulrahman Alqabandi
    - CVE-2018-6096: Fullscreen UI spoof. Reported by WenXu Wu
    - CVE-2018-6097: Fullscreen UI spoof. Reported by xisigr
    - CVE-2018-6098: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6099: CORS bypass in ServiceWorker. Reported by Jun Kokatsu
    - CVE-2018-6100: URL spoof in Omnibox. Reported by Lnyas Zhang
    - CVE-2018-6101: Insufficient protection of remote debugging prototol in
      DevTools . Reported by Rob Wu
    - CVE-2018-6102: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6103: UI spoof in Permissions. Reported by Khalil Zhani
    - CVE-2018-6104: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6105: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6106: Incorrect handling of promises in V8. Reported by
      lokihardt
    - CVE-2018-6107: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6108: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6109: Incorrect handling of files by FileAPI. Reported by
      Dominik Weber
    - CVE-2018-6110: Incorrect handling of plaintext files via file:// .
      Reported by Wenxiang Qian
    - CVE-2018-6111: Heap-use-after-free in DevTools. Reported by Khalil Zhani
    - CVE-2018-6112: Incorrect URL handling in DevTools. Reported by Rob Wu
    - CVE-2018-6113: URL spoof in Navigation. Reported by Khalil Zhani
    - CVE-2018-6114: CSP bypass. Reported by Lnyas Zhang
    - CVE-2018-6115: SmartScreen bypass in downloads. Reported by James Feher
    - CVE-2018-6116: Incorrect low memory handling in WebAssembly. Reported by
      Chengdu Security Response Center
    - CVE-2018-6117: Confusing autofill settings. Reported by Spencer Dailey
    - Fixes proxy time out error (closes: #892994).
    - Removes not implemented messages (closes: #893799).
  * Remove third_party/chromite from the upstream tarball (closes: #895076).

 -- Michael Gilbert <email address hidden>  Thu, 26 Apr 2018 01:27:39 +0000

66.0.3359.26-2

Superseded in sid-release on 2018-04-27

chromium-browser (66.0.3359.26-2) unstable; urgency=medium

  [ Michael Gilbert ]
  * Build using gcc6.
  * Move version control to salsa.debian.org.
  * Change maintainer address to <email address hidden>.

  [ Riku Voipio ]
  * [arm64/armhf] Fix neon autodetection with patch from upstream
  * [armhf] drop debug symbols

 -- Michael Gilbert <email address hidden>  Sun, 08 Apr 2018 03:11:08 +0000

66.0.3359.26-1

Deleted in experimental-release (Reason: None provided.)

chromium-browser (66.0.3359.26-1) experimental; urgency=medium

  * New upstream release.
  * Use threaded compression while repacking the upstream tarball.

 -- Michael Gilbert <email address hidden>  Mon, 26 Mar 2018 00:53:25 +0000

66.0.3359.22-3

Superseded in experimental-release on 2018-04-02

chromium-browser (66.0.3359.22-3) experimental; urgency=medium

  * Build pdfium using the system openjpeg library.

 -- Michael Gilbert <email address hidden>  Sat, 24 Mar 2018 22:53:20 +0000

66.0.3359.22-2

Superseded in experimental-release on 2018-03-26

chromium-browser (66.0.3359.22-2) experimental; urgency=medium

  * Fix typo in vpx patch.

 -- Michael Gilbert <email address hidden>  Sat, 24 Mar 2018 21:39:20 +0000

66.0.3359.22-1

Superseded in experimental-release on 2018-03-25

chromium-browser (66.0.3359.22-1) experimental; urgency=medium

  * New upstream release.
    - Fixes swiftshader library loading error (closes: #864606).

 -- Michael Gilbert <email address hidden>  Mon, 19 Mar 2018 01:04:11 +0000

65.0.3325.146-4

Superseded in sid-release on 2018-04-08

chromium-browser (65.0.3325.146-4) unstable; urgency=medium

  * Fix another incomplete type build error (closes: #892891).

 -- Michael Gilbert <email address hidden>  Thu, 15 Mar 2018 01:22:51 +0000

65.0.3325.146-3

Superseded in sid-release on 2018-03-15

chromium-browser (65.0.3325.146-3) unstable; urgency=medium

  * Fix incomplete type build error.

 -- Michael Gilbert <email address hidden>  Sun, 11 Mar 2018 00:33:12 +0000

65.0.3325.146-2

Superseded in sid-release on 2018-03-11

chromium-browser (65.0.3325.146-2) unstable; urgency=medium

  * Fix a few gcc build warnings.
  * Apply upstream's fix for a bug in gcc7's handling of non-copyable types
    (closes: #890954).

 -- Michael Gilbert <email address hidden>  Sat, 10 Mar 2018 00:36:33 +0000

65.0.3325.146-1

Superseded in sid-release on 2018-03-16

chromium-browser (65.0.3325.146-1) unstable; urgency=medium

  * New upstream stable release release.
    - CVE-2018-6056: Incorrect derived class instantiation in V8. Reported by
      lokihardt
    - CVE-2018-6060: Use after free in Blink. Reported by Omair
    - CVE-2018-6061: Race condition in V8. Reported by Guang Gong
    - CVE-2018-6062: Heap buffer overflow in Skia. Reported by Anonymous
    - CVE-2018-6057: Incorrect permissions on shared memory. Reported by Gal
      Beniamini
    - CVE-2018-6063: Incorrect permissions on shared memory. Reported by Gal
      Beniamini
    - CVE-2018-6064: Type confusion in V8. Reported by lokihardt
    - CVE-2018-6065: Integer overflow in V8. Reported by Mark Brand
    - CVE-2018-6066: Same Origin Bypass via canvas. Reported by Masato Kinugawa
    - CVE-2018-6067: Buffer overflow in Skia. Reported by Ned Williamson
    - CVE-2018-6068: Object lifecycle issues in Chrome Custom Tab. Reported by
      Luan Herrera
    - CVE-2018-6069: Stack buffer overflow in Skia. Reported by Wanglu &
      Yangkang
    - CVE-2018-6070: CSP bypass through extensions. Reported by Rob Wu
    - CVE-2018-6071: Heap bufffer overflow in Skia. Reported by Anonymous
    - CVE-2018-6072: Integer overflow in PDFium. Reported by Atte Kettunen
    - CVE-2018-6073: Heap bufffer overflow in WebGL. Reported by Omair
    - CVE-2018-6074: Mark-of-the-Web bypass. Reported by Abdulrahman Alqabandi
    - CVE-2018-6075: Overly permissive cross origin downloads. Reported by Inti
      De Ceukelaire
    - CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink.
      Reported by Mateusz Krzeszowiec
    - CVE-2018-6077: Timing attack using SVG filters. Reported by Khalil Zhani
    - CVE-2018-6078: URL Spoof in OmniBox. Reported by Khalil Zhani
    - CVE-2018-6079: Information disclosure via texture data in WebGL. Reported
      by Ivars Atteka
    - CVE-2018-6080: Information disclosure in IPC call. Reported by Gal
      Beniamini
    - CVE-2018-6081: XSS in interstitials. Reported by Rob Wu
    - CVE-2018-6082: Circumvention of port blocking. Reported by WenXu Wu
    - CVE-2018-6083: Incorrect processing of AppManifests. Reported by Jun
      Kokatsu
  * Enable support for vp9 (closes: #891831).

 -- Michael Gilbert <email address hidden>  Mon, 05 Mar 2018 01:26:31 +0000

65.0.3325.74-1

Deleted in experimental-release (Reason: None provided.)

chromium-browser (65.0.3325.74-1) experimental; urgency=medium

  [ Michael Gilbert ]
  * New upstream release.
  * Update to debhelper 11.
  * Update standards version.
  * Remove third_party/llvm from the upstream tarball.
  * Drop -fno-delete-null-pointer from debian/rules, applied upstream now.

  [ Riku Voipio ]
  * Fix skia build on arm64, (closes: #891062)
  * Set some armhf specific gn args to help linking

 -- Michael Gilbert <email address hidden>  Sat, 24 Feb 2018 02:36:40 +0000

65.0.3325.73-1

Superseded in experimental-release on 2018-02-24

chromium-browser (65.0.3325.73-1) experimental; urgency=medium

  * New upstream beta release.
  * Recommend libu2f-udev (closes: #890239).
  * Add support ffmpeg 3.5 (closes: #888387).
  * Remove icc_profiles from the upstream tarball.

 -- Michael Gilbert <email address hidden>  Sun, 18 Feb 2018 02:22:56 +0000

64.0.3282.119-2

Superseded in sid-release on 2018-03-10

chromium-browser (64.0.3282.119-2) unstable; urgency=medium

  * Drop chromecast patch (closes: #884173).

 -- Michael Gilbert <email address hidden>  Sun, 11 Feb 2018 03:00:09 +0000

64.0.3282.119-1

Superseded in sid-release on 2018-02-12

chromium-browser (64.0.3282.119-1) unstable; urgency=medium

  * New upstream stable release.
    - CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall
    - CVE-2017-15429: UXSS in V8. Reported by Anonymous
    - CVE-2018-6031: Use after free in PDFium. Reported by Anonymous
    - CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun
      Kokatsu
    - CVE-2018-6033: Race when opening downloaded files. Reported by Juho
      Nurminen
    - CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein
    - CVE-2018-6035: Insufficient isolation of devtools from extensions.
      Reported by Rob Wu
    - CVE-2018-6036: Integer underflow in WebAssembly. Reported by The UK's
      National Cyber Security Centre
    - CVE-2018-6037: Insufficient user gesture requirements in autofill.
      Reported by Paul Stone
    - CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer
    - CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen
    - CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu
    - CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera
    - CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani
    - CVE-2018-6043: Insufficient escaping with external URL handlers. Reported
      by 0x09AL
    - CVE-2018-6045: Insufficient isolation of devtools from extensions.
      Reported by Rob Wu
    - CVE-2018-6046: Insufficient isolation of devtools from extensions.
      Reported by Rob Wu
    - CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato
      Kinugawa
    - CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu
    - CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu
    - CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew
    - CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso
    - CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by
      Tanner Emek
    - CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset
      Kabdenov
    - CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu

 -- Michael Gilbert <email address hidden>  Sun, 28 Jan 2018 01:00:12 +0000

63.0.3239.84-1

Superseded in sid-release on 2018-06-09

chromium-browser (63.0.3239.84-1) unstable; urgency=medium

  * New upstream stable release.
  * Update standards version to 4.1.2.
  * Stricter default master preferences.
  * Avoid showing the welcome page (closes: #857767).
  * Switch from gtk2 to gtk3 again (closes: #883364).

 -- Michael Gilbert <email address hidden>  Sun, 03 Dec 2017 16:05:00 +0000

62.0.3202.89-1~deb9u1

Superseded in stretch-release on 2018-07-14

chromium-browser (62.0.3202.89-1~deb9u1) stretch-security; urgency=medium

  * New upstream security release.
    - CVE-2017-15398: Stack buffer overflow in QUIC. Reported by Ned
      Williamson
    - CVE-2017-15399: Use after free in V8. Reported by Zhao Qixun

 -- Michael Gilbert <email address hidden>  Wed, 08 Nov 2017 01:29:57 +0000

63.0.3239.40-1

Deleted in experimental-release (Reason: None provided.)

chromium-browser (63.0.3239.40-1) experimental; urgency=medium

  * New upstream beta release.
  * Disable chromium signin feature.
  * Fix error in icon installation script.
  * Update to the latest standards version.
  * Indicate that the package can be built without root.

 -- Michael Gilbert <email address hidden>  Sun, 12 Nov 2017 05:36:26 +0000

63.0.3239.30-1

Superseded in experimental-release on 2017-12-09

chromium-browser (63.0.3239.30-1) experimental; urgency=medium

  * New upstream beta release.
  * Install 16 and 32 pixel png icon files (closes: #857071).
  * Improve description for --temp-profile (closes: #881040).
  * Document Debian bug reports in the manpage (closes: #880965).
  * Stricter breaks/replaces to support security uploads (closes: #877970).

 -- Michael Gilbert <email address hidden>  Wed, 08 Nov 2017 01:54:47 +0000

62.0.3202.89-1

Superseded in buster-release on 2018-06-20

Superseded in sid-release on 2017-12-11

chromium-browser (62.0.3202.89-1) unstable; urgency=medium

  * New upstream security release.
    - CVE-2017-15398: Stack buffer overflow in QUIC. Reported by Ned
      Williamson
    - CVE-2017-15399: Use after free in V8. Reported by Zhao Qixun
  * Revert new dependency on gconf.
  * Link against system lcms2 library (closes: #879153).
  * Disable device notifications by default (closes: #856571).
  * Remove icon extension from the desktop file (closes: #860256).

 -- Michael Gilbert <email address hidden>  Tue, 07 Nov 2017 02:22:17 +0000

62.0.3202.75-1

Superseded in sid-release on 2017-11-08

chromium-browser (62.0.3202.75-1) unstable; urgency=medium

  * New upstream stable release (closes: #879451).
    - CVE-2017-5124: UXSS with MHTML. Reported by Anonymous
    - CVE-2017-5125: Heap overflow in Skia. Reported by Anonymous
    - CVE-2017-5126: Use after free in PDFium. Reported by Luat Nguyen
    - CVE-2017-5127: Use after free in PDFium. Reported by Luat Nguyen
    - CVE-2017-5128: Heap overflow in WebGL. Reported by Omair
    - CVE-2017-5129: Use after free in WebAudio. Reported by Omair
    - CVE-2017-5131: Out of bounds write in Skia. Reported by Anonymous
    - CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by
      Gaurav Dewan
    - CVE-2017-5133: Out of bounds write in Skia. Reported by Aleksandar
      Nikolic
    - CVE-2017-15386: UI spoofing in Blink. Reported by WenXu Wu
    - CVE-2017-15387: Content security bypass. Reported by Jun Kokatsu
    - CVE-2017-15388: Out of bounds read in Skia. Reported by Kushal Arvind
      Shah
    - CVE-2017-15389: URL spoofing in OmniBox. Reported by xisigr
    - CVE-2017-15390: URL spoofing in OmniBox. Reported by Haosheng Wang
    - CVE-2017-15391: Extension limitation bypass in Extensions. Reported by
      João Lucas Melo Brasio
    - CVE-2017-15392: Incorrect registry key handling in PlatformIntegration.
      Reported by Xiaoyin Liu
    - CVE-2017-15393: Referrer leak in Devtools. Reported by Svyat Mitin
    - CVE-2017-15394: URL spoofing in extensions UI. Reported by Sam
    - CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by
      Johannes Bergman
    - CVE-2017-15396: Stack overflow in V8. Reported by Yuan Deng
  * Enable chromecast feature switch (closes: #878244).

 -- Michael Gilbert <email address hidden>  Sat, 04 Nov 2017 19:01:28 +0000

61.0.3163.100-1~deb9u1

Superseded in stretch-release on 2017-12-09

chromium-browser (61.0.3163.100-1~deb9u1) stretch-security; urgency=medium

  * New upstream stable release
    - CVE-2017-5111: Use after free in PDFium. Reported by Luật Nguyễn
    - CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Klein
    - CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous
    - CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by Ke Liu
    - CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini
    - CVE-2017-5116: Type confusion in V8. Reported by Anonymous
    - CVE-2017-5117: Use of uninitialized value in Skia. Reported by Tobias
      Klein
    - CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by
      WenXu Wu
    - CVE-2017-5119: Use of uninitialized value in Skia. Reported by Anonymous
    - CVE-2017-5120: Potential HTTPS downgrade during redirect navigation.
      Reported by Xiaoyin Liu
    - CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet
    - CVE-2017-5122: Out-of-bounds access in V8. Reported by Choongwoo Han

 -- Michael Gilbert <email address hidden>  Wed, 27 Sep 2017 02:03:41 +0000

61.0.3163.100-2

Superseded in buster-release on 2017-11-12

Superseded in sid-release on 2017-11-06

chromium-browser (61.0.3163.100-2) unstable; urgency=medium

  * Add liblcms2-dev as a build dependency (closes: #876804).

 -- Michael Gilbert <email address hidden>  Tue, 26 Sep 2017 12:54:35 +0000

61.0.3163.100-1

Superseded in sid-release on 2017-09-26

chromium-browser (61.0.3163.100-1) unstable; urgency=medium

  * New upstream stable release (closes: #876030).
    - CVE-2017-5111: Use after free in PDFium. Reported by Luật Nguyễn
    - CVE-2017-5112: Heap buffer overflow in WebGL. Reported by Tobias Kleini
    - CVE-2017-5113: Heap buffer overflow in Skia. Reported by Anonymous
    - CVE-2017-5114: Memory lifecycle issue in PDFium. Reported by Ke Liu
    - CVE-2017-5115: Type confusion in V8. Reported by Marco Giovannini
    - CVE-2017-5116: Type confusion in V8. Reported by Anonymous
    - CVE-2017-5117: Use of uninitialized value in Skia. Reported by Tobias
      Klein
    - CVE-2017-5118: Bypass of Content Security Policy in Blink. Reported by
      WenXu Wu
    - CVE-2017-5119: Use of uninitialized value in Skia. Reported by Anonymous
    - CVE-2017-5120: Potential HTTPS downgrade during redirect navigation.
      Reported by Xiaoyin Liu
    - CVE-2017-5121: Out-of-bounds access in V8. Reported by Jordan Rabet
    - CVE-2017-5122: Out-of-bounds access in V8. Reported by Choongwoo Han
    - Adds support for gcc7 (closes: #853347).
  * Update standards version.
  * Use system libstdc++ instead of chromium's bundled custom libc++.
  * Improve error message when network is unreachable (closes: #864539).
  * Fix a mistake that lead to unstripped binary files (closes: #870531).

 -- Michael Gilbert <email address hidden>  Sun, 24 Sep 2017 20:26:02 +0000

60.0.3112.78-1

Superseded in buster-release on 2017-10-01

Superseded in sid-release on 2017-09-27

chromium-browser (60.0.3112.78-1) unstable; urgency=medium

  * New upstream stable release:
    - CVE-2017-5091: Use after free in IndexedDB. Reported by Ned Williamson
    - CVE-2017-5092: Use after free in PPAPI. Reported by Yu Zhou, Yuan Deng
    - CVE-2017-5093: UI spoofing in Blink. Reported by Luan Herrera
    - CVE-2017-5094: Type confusion in extensions. Reported by Anonymous
    - CVE-2017-5095: Out-of-bounds write in PDFium. Reported by Anonymous
    - CVE-2017-5096: User information leak via Android intents. Reported by
      Takeshi Terada
    - CVE-2017-5097: Out-of-bounds read in Skia. Reported by Anonymous
    - CVE-2017-5098: Use after free in V8. Reported by Jihoon Kim
    - CVE-2017-5099: Out-of-bounds write in PPAPI. Reported by Yuan Deng, Yu
      Zhou
    - CVE-2017-5100: Use after free in Chrome Apps. Reported by Anonymous
    - CVE-2017-5101: URL spoofing in OmniBox. Reported by Luan Herrera
    - CVE-2017-5102: Uninitialized use in Skia. Reported by Anonymous
    - CVE-2017-5103: Uninitialized use in Skia. Reported by Anonymous
    - CVE-2017-5104: UI spoofing in browser. Reported by Khalil Zhani
    - CVE-2017-7000: Pointer disclosure in SQLite. Reported by Chaitin Security
      Research Lab
    - CVE-2017-5105: URL spoofing in OmniBox. Reported by Rayyan Bijoora
    - CVE-2017-5106: URL spoofing in OmniBox. Reported by Jack Zac
    - CVE-2017-5107: User information leak via SVG. Reported by David
      Kohlbrenner
    - CVE-2017-5108: Type confusion in PDFium. Reported by Guang Gong
    - CVE-2017-5109: UI spoofing in browser. Reported by José María Acuña
      Morgado
    - CVE-2017-5110: UI spoofing in payments dialog. Reported by xisigr

 -- Michael Gilbert <email address hidden>  Thu, 27 Jul 2017 03:22:03 +0000

59.0.3071.104-1

Superseded in buster-release on 2017-08-07

Superseded in sid-release on 2017-08-03

chromium-browser (59.0.3071.104-1) unstable; urgency=medium

  * New upstream security release.
    - CVE-2017-5087: Sandbox Escape in IndexedDB. Reported by Ned Williamson
    - CVE-2017-5088: Out of bounds read in V8. Reported by Xiling Gong
    - CVE-2017-5089: Domain spoofing in Omnibox. Reported by Michał Bentkowski
  * Update get-orig-source to support really long arguments to tar --delete.

 -- Michael Gilbert <email address hidden>  Sat, 17 Jun 2017 20:03:49 +0000

59.0.3071.86-1

Superseded in stretch-release on 2017-10-07

Superseded in sid-release on 2017-06-20

chromium-browser (59.0.3071.86-1) unstable; urgency=medium

  * New upstream stable release.
    - CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun
    - CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han
    - CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora
    - CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani
    - CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous
    - CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel
      Gil Peyrot
    - CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb
    - CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip
    - CVE-2017-5078: Possible command injection in mailto handling. Reported
      by Jose Carlos Exposito Bueno
    - CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani
    - CVE-2017-5080: Use after free in credit card autofill. Reported by
      Khalil Zhani
    - CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev
    - CVE-2017-5082: Insufficient hardening in credit card editor. Reported by
      Nightwatch Cybersecurity Research
    - CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani
    - CVE-2017-5085: Inappropriate javascript execution on WebUI pages.
      Reported by Zhiyang Zeng
    - CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora

 -- Michael Gilbert <email address hidden>  Mon, 05 Jun 2017 23:09:28 +0000

59.0.3071.71-1

Deleted in experimental-release (Reason: None provided.)

chromium-browser (59.0.3071.71-1) experimental; urgency=medium

  * New upstream beta release.

 -- Michael Gilbert <email address hidden>  Sat, 27 May 2017 03:30:14 +0000

59.0.3071.61-1

Superseded in experimental-release on 2017-05-29

chromium-browser (59.0.3071.61-1) experimental; urgency=medium

  * New upstream beta release.

 -- Michael Gilbert <email address hidden>  Sun, 21 May 2017 19:34:39 +0000

59.0.3071.47-1

Superseded in experimental-release on 2017-05-23

chromium-browser (59.0.3071.47-1) experimental; urgency=medium

  * New upstream beta release.
  * Simplify approach for disabling vp9.
  * Fix incomplete new interfaces to system ICU library.
  * Remove XML_PARSE_NOXXE flag since system libxml2 does not yet support it.

 -- Michael Gilbert <email address hidden>  Sat, 13 May 2017 16:09:05 +0000

58.0.3029.96-1

Superseded in stretch-release on 2017-06-08

Superseded in sid-release on 2017-06-07

chromium-browser (58.0.3029.96-1) unstable; urgency=medium

  * New upstream security release.
    - CVE-2017-5068: Race condition in WebRTC. Credit to Philipp Hancke

 -- Michael Gilbert <email address hidden>  Sun, 07 May 2017 00:36:22 +0000

57.0.2987.98-1~deb8u1

Published in jessie-release on 2017-05-07

chromium-browser (57.0.2987.98-1~deb8u1) jessie-security; urgency=medium

  * New upstream stable release.
    - CVE-2017-5030: Memory corruption in V8. Credit to Brendon Tiszka
    - CVE-2017-5031: Use after free in ANGLE. Credit to Looben Yang
    - CVE-2017-5032: Out of bounds write in PDFium. Credit to Ashfaq Ansari
    - CVE-2017-5029: Integer overflow in libxslt. Credit to Holger Fuhrmannek
    - CVE-2017-5034: Use after free in PDFium. Credit to Ke Liu
    - CVE-2017-5035: Incorrect security UI in Omnibox. Credit to Enzo Aguado
    - CVE-2017-5036: Use after free in PDFium. Credit to Anonymous
    - CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer. Credit to
      Yongke Wang
    - CVE-2017-5039: Use after free in PDFium. Credit to jinmo123
    - CVE-2017-5040: Information disclosure in V8. Credit to Choongwoo Han
    - CVE-2017-5041: Address spoofing in Omnibox. Credit to Jordi Chancel
    - CVE-2017-5033: Bypass of Content Security Policy in Blink. Credit to
      Nicolai Grødum
    - CVE-2017-5042: Incorrect handling of cookies in Cast. Credit to Mike
      Ruddy
    - CVE-2017-5038: Use after free in GuestView. Credit to Anonymous
    - CVE-2017-5043: Use after free in GuestView. Credit to Anonymous
    - CVE-2017-5044: Heap overflow in Skia. Credit to Kushal Arvind Shah
    - CVE-2017-5045: Information disclosure in XSS Auditor. Credit to Dhaval
      Kapil
    - CVE-2017-5046: Information disclosure in Blink. Credit to Masato Kinugawa
  * Configure with fieldtrial_testing_like_official_build=true to avoid
    building with experimental features enabled (closes: #855434).

 -- Michael Gilbert <email address hidden>  Sun, 26 Feb 2017 03:18:38 +0000

58.0.3029.81-1

Superseded in stretch-release on 2017-06-05

Superseded in sid-release on 2017-05-08

chromium-browser (58.0.3029.81-1) unstable; urgency=medium

  * New upstream stable release.
    - CVE-2017-5057: Type confusion in PDFium. Credit to Guang Gong.
    - CVE-2017-5058: Heap use after free in Print Preview. Credit to Khalil
      Zhani
    - CVE-2017-5059: Type confusion in Blink. Credit to SkyLined
    - CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng
    - CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang
    - CVE-2017-5062: Use after free in Chrome Apps. Credit to anonymous
    - CVE-2017-5063: Heap overflow in Skia. Credit to Sweetchip
    - CVE-2017-5064: Use after free in Blink. Credit to Wadih Matar
    - CVE-2017-5065: Incorrect UI in Blink. Credit to Khalil Zhani
    - CVE-2017-5066: Incorrect signature handing in Networking. Credit to
      chenchu
    - CVE-2017-5067: URL spoofing in Omnibox. Credit to Khalil Zhani
    - CVE-2017-5069: Cross-origin bypass in Blink. Credit to Michael Reizelman

 -- Michael Gilbert <email address hidden>  Wed, 19 Apr 2017 23:20:29 +0000

58.0.3029.68-1

Deleted in experimental-release (Reason: None provided.)

chromium-browser (58.0.3029.68-1) experimental; urgency=medium

  * New upstream beta release.
    - Drop arm patch, now applied upstream.
    - Add missing file needed to be able to build gn.
    - Update vpx.patch to continue using the system library.
    - Set use_vulcanize=false to avoid bringing in the entire nodejs ecosystem.
  * Enable remote extensions by default (closes: #856183).

 -- Michael Gilbert <email address hidden>  Fri, 07 Apr 2017 04:51:22 +0000

57.0.2987.133-1

Superseded in stretch-release on 2017-04-29

Superseded in sid-release on 2017-04-25

chromium-browser (57.0.2987.133-1) unstable; urgency=medium

  * New upstream security update.
    - CVE-2017-5055: Use after free in printing. Credit to Wadih Matar
    - CVE-2017-5054: Heap buffer overflow in V8. Credit to Nicolas Trippar
    - CVE-2017-5052: Bad cast in Blink. Credit to JeongHoon Shin
    - CVE-2017-5056: Use after free in Blink. Credit to anonymous
    - CVE-2017-5053: Out of bounds memory access in V8. Credit to Team Sniper

 -- Michael Gilbert <email address hidden>  Fri, 07 Apr 2017 01:07:17 +0000

57.0.2987.98-1

Superseded in stretch-release on 2017-04-23

Superseded in sid-release on 2017-04-08

chromium-browser (57.0.2987.98-1) unstable; urgency=medium

  * New upstream stable release.
    - CVE-2017-5030: Memory corruption in V8. Credit to Brendon Tiszka
    - CVE-2017-5031: Use after free in ANGLE. Credit to Looben Yang
    - CVE-2017-5032: Out of bounds write in PDFium. Credit to Ashfaq Ansari
    - CVE-2017-5029: Integer overflow in libxslt. Credit to Holger Fuhrmannek
    - CVE-2017-5034: Use after free in PDFium. Credit to Ke Liu
    - CVE-2017-5035: Incorrect security UI in Omnibox. Credit to Enzo Aguado
    - CVE-2017-5036: Use after free in PDFium. Credit to Anonymous
    - CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer. Credit to
      Yongke Wang
    - CVE-2017-5039: Use after free in PDFium. Credit to jinmo123
    - CVE-2017-5040: Information disclosure in V8. Credit to Choongwoo Han
    - CVE-2017-5041: Address spoofing in Omnibox. Credit to Jordi Chancel
    - CVE-2017-5033: Bypass of Content Security Policy in Blink. Credit to
      Nicolai Grødum
    - CVE-2017-5042: Incorrect handling of cookies in Cast. Credit to Mike
      Ruddy
    - CVE-2017-5038: Use after free in GuestView. Credit to Anonymous
    - CVE-2017-5043: Use after free in GuestView. Credit to Anonymous
    - CVE-2017-5044: Heap overflow in Skia. Credit to Kushal Arvind Shah
    - CVE-2017-5045: Information disclosure in XSS Auditor. Credit to Dhaval
      Kapil
    - CVE-2017-5046: Information disclosure in Blink. Credit to Masato Kinugawa
  * Drop arm and MADV_FREE patches, which are now applied upstream.

 -- Michael Gilbert <email address hidden>  Fri, 10 Mar 2017 22:00:06 +0000

56.0.2924.76-5

Superseded in stretch-release on 2017-03-14

Superseded in sid-release on 2017-03-12

chromium-browser (56.0.2924.76-5) unstable; urgency=medium

  * Configure with fieldtrial_testing_like_official_build=true to avoid
    building with experimental features enabled (closes: #855434).
  * Do not disable background networking when remote extensions are enabled,
    since that option also blocks updates to extensions (closes: #841401).
    - Thanks to Tarmo Huuhka.

 -- Michael Gilbert <email address hidden>  Sat, 25 Feb 2017 21:41:02 +0000

56.0.2924.76-4

Superseded in stretch-release on 2017-03-08

Superseded in sid-release on 2017-03-04

chromium-browser (56.0.2924.76-4) unstable; urgency=medium

  * Do not create a dbgsym package for widevine (closes: #855529).

 -- Michael Gilbert <email address hidden>  Sun, 19 Feb 2017 20:17:38 +0000

56.0.2924.76-3

Superseded in sid-release on 2017-02-20

chromium-browser (56.0.2924.76-3) unstable; urgency=medium

  * Upload to unstable.

 -- Michael Gilbert <email address hidden>  Sun, 05 Feb 2017 19:47:22 +0000

56.0.2924.76-2

Deleted in experimental-release (Reason: None provided.)

chromium-browser (56.0.2924.76-2) experimental; urgency=medium

  * Backport upstream bugfix for non-NEON builds, closes: #853108
  * Fix seccomp sandboxing on arm64 platforms with DRI3

 -- Riku Voipio <email address hidden>  Thu, 02 Feb 2017 09:37:05 +0200

56.0.2924.76-1

Superseded in experimental-release on 2017-02-03

chromium-browser (56.0.2924.76-1) experimental; urgency=medium

  * New upstream stable release:
    - CVE-2017-5007: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5006: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5008: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5010: Universal XSS in Blink. Credit to Mariusz Mlynski
    - CVE-2017-5011: Unauthorised file access in Devtools. Credit to Khalil
      Zhani
    - CVE-2017-5009: Out of bounds memory access in WebRTC. Credit to Sean
      Stanek and Chip Bradford
    - CVE-2017-5012: Heap overflow in V8. Credit to Gergely Nagy
    - CVE-2017-5013: Address spoofing in Omnibox. Credit to Haosheng Wang
    - CVE-2017-5014: Heap overflow in Skia. Credit to sweetchip
    - CVE-2017-5015: Address spoofing in Omnibox. Credit to Armin Razmdjou
    - CVE-2017-5019: Use after free in Renderer. Credit to Wadih Matar
    - CVE-2017-5016: UI spoofing in Blink. Credit to Haosheng Wang
    - CVE-2017-5017: Uninitialised memory access in webm video. Credit to
      danberm
    - CVE-2017-5018: Universal XSS in chrome://apps. Credit to Rob Wu
    - CVE-2017-5020: Universal XSS in chrome://downloads. Credit to Rob Wu
    - CVE-2017-5021: Use after free in Extensions. Credit to Rob Wu
    - CVE-2017-5022: Bypass of Content Security Policy in Blink. Credit to
      PKAV Team.
    - CVE-2017-5023: Type confusion in metrics. Credit to the UK's National
      Cyber Security Centre (NCSC)
    - CVE-2017-5026: UI spoofing. Credit to Ronni Skansing

 -- Michael Gilbert <email address hidden>  Thu, 26 Jan 2017 01:42:21 +0000

55.0.2883.75-6

Superseded in stretch-release on 2017-02-27

Superseded in sid-release on 2017-02-06

chromium-browser (55.0.2883.75-6) unstable; urgency=medium

  * Organize patches.
  * Move widevine package to contrib (closes: #851917).
  * Conflict with very old versions of libsecret (closes: #838864).
  * Support --enable-remote-extensions option passed through CHROMIUM_FLAGS
    (closes: #851927).

 -- Michael Gilbert <email address hidden>  Sun, 22 Jan 2017 00:47:28 +0000

55.0.2883.75-5

Superseded in sid-release on 2017-01-24

chromium-browser (55.0.2883.75-5) unstable; urgency=medium

  * Fix new lintian warnings.
  * Fix quoting error in run script (closes: #851634).

 -- Michael Gilbert <email address hidden>  Thu, 19 Jan 2017 01:19:24 +0000

Debian
chromium-browser package

Change log for chromium-browser package in Debian

Debianchromium-browser package

Change log for chromium-browser package in Debian

Debian
chromium-browser package