Change log for chromium-browser package in Ubuntu

chromium-browser (51.0.2704.79-0ubuntu2~cm1) yakkety; urgency=medium

  * debian/rules: Don't use tcmalloc on armhf.

 -- Chad MILLER <email address hidden>  Mon, 27 Jun 2016 06:14:58 -0400

Available diffs

• diff from 49.0.2623.108-0ubuntu1.1233 to 51.0.2704.79-0ubuntu2~cm1 (pending)
• diff from 50.0.2661.102-0ubuntu1.1242 to 51.0.2704.79-0ubuntu2~cm1 (80.4 MiB)

chromium-browser (51.0.2704.79-0ubuntu0.14.04.1.1121) trusty-security; urgency=medium

  * Upstream release 51.0.2704.79:
    - CVE-2016-1696: Cross-origin bypass in Extension bindings.
    - CVE-2016-1697: Cross-origin bypass in Blink.
    - CVE-2016-1698: Information leak in Extension bindings.
    - CVE-2016-1699: Parameter sanitization failure in DevTools.
    - CVE-2016-1700: Use-after-free in Extensions.
    - CVE-2016-1701: Use-after-free in Autofill.
    - CVE-2016-1702: Out-of-bounds read in Skia.
    - CVE-2016-1703: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 51.0.2704.63:
    - CVE-2016-1672: Cross-origin bypass in extension bindings.
    - CVE-2016-1673: Cross-origin bypass in Blink.
    - CVE-2016-1674: Cross-origin bypass in extensions.
    - CVE-2016-1675: Cross-origin bypass in Blink.
    - CVE-2016-1676: Cross-origin bypass in extension bindings.
    - CVE-2016-1677: Type confusion in V8.
    - CVE-2016-1678: Heap overflow in V8.
    - CVE-2016-1679: Heap use-after-free in V8 bindings.
    - CVE-2016-1680: Heap use-after-free in Skia.
    - CVE-2016-1681: Heap overflow in PDFium.
    - CVE-2016-1682: CSP bypass for ServiceWorker.
    - CVE-2016-1683: Out-of-bounds access in libxslt.
    - CVE-2016-1684: Integer overflow in libxslt.
    - CVE-2016-1685: Out-of-bounds read in PDFium.
    - CVE-2016-1686: Out-of-bounds read in PDFium.
    - CVE-2016-1687: Information leak in extensions.
    - CVE-2016-1688: Out-of-bounds read in V8.
    - CVE-2016-1689: Heap buffer overflow in media.
    - CVE-2016-1690: Heap use-after-free in Autofill.
    - CVE-2016-1691: Heap buffer-overflow in Skia.
    - CVE-2016-1692: Limited cross-origin bypass in ServiceWorker.
    - CVE-2016-1693: HTTP Download of Software Removal Tool.
    - CVE-2016-1694: HPKP pins removed on cache clearance.
    - CVE-2016-1695: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/blink-platform-export-class: remove patch. Unnecessary.

 -- Chad MILLER <email address hidden>  Thu, 26 May 2016 10:54:29 -0400

Available diffs

• diff from 50.0.2661.102-0ubuntu0.14.04.1.1117 to 51.0.2704.79-0ubuntu0.14.04.1.1121 (80.3 MiB)
• diff from 51.0.2704.63-0ubuntu0.14.04.1.1120 to 51.0.2704.79-0ubuntu0.14.04.1.1121 (8.2 MiB)

chromium-browser (51.0.2704.79-0ubuntu0.15.10.1.1232) wily-security; urgency=medium

  * Upstream release 51.0.2704.79:
    - CVE-2016-1696: Cross-origin bypass in Extension bindings.
    - CVE-2016-1697: Cross-origin bypass in Blink.
    - CVE-2016-1698: Information leak in Extension bindings.
    - CVE-2016-1699: Parameter sanitization failure in DevTools.
    - CVE-2016-1700: Use-after-free in Extensions.
    - CVE-2016-1701: Use-after-free in Autofill.
    - CVE-2016-1702: Out-of-bounds read in Skia.
    - CVE-2016-1703: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 51.0.2704.63:
    - CVE-2016-1672: Cross-origin bypass in extension bindings.
    - CVE-2016-1673: Cross-origin bypass in Blink.
    - CVE-2016-1674: Cross-origin bypass in extensions.
    - CVE-2016-1675: Cross-origin bypass in Blink.
    - CVE-2016-1676: Cross-origin bypass in extension bindings.
    - CVE-2016-1677: Type confusion in V8.
    - CVE-2016-1678: Heap overflow in V8.
    - CVE-2016-1679: Heap use-after-free in V8 bindings.
    - CVE-2016-1680: Heap use-after-free in Skia.
    - CVE-2016-1681: Heap overflow in PDFium.
    - CVE-2016-1682: CSP bypass for ServiceWorker.
    - CVE-2016-1683: Out-of-bounds access in libxslt.
    - CVE-2016-1684: Integer overflow in libxslt.
    - CVE-2016-1685: Out-of-bounds read in PDFium.
    - CVE-2016-1686: Out-of-bounds read in PDFium.
    - CVE-2016-1687: Information leak in extensions.
    - CVE-2016-1688: Out-of-bounds read in V8.
    - CVE-2016-1689: Heap buffer overflow in media.
    - CVE-2016-1690: Heap use-after-free in Autofill.
    - CVE-2016-1691: Heap buffer-overflow in Skia.
    - CVE-2016-1692: Limited cross-origin bypass in ServiceWorker.
    - CVE-2016-1693: HTTP Download of Software Removal Tool.
    - CVE-2016-1694: HPKP pins removed on cache clearance.
    - CVE-2016-1695: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/blink-platform-export-class: remove patch. Unnecessary.

 -- Chad MILLER <email address hidden>  Thu, 26 May 2016 10:54:29 -0400

Available diffs

• diff from 50.0.2661.102-0ubuntu0.15.10.1.1227 to 51.0.2704.79-0ubuntu0.15.10.1.1232 (80.3 MiB)
• diff from 51.0.2704.63-0ubuntu0.15.10.1.1231 to 51.0.2704.79-0ubuntu0.15.10.1.1232 (8.2 MiB)

chromium-browser (51.0.2704.79-0ubuntu0.16.04.1.1242) xenial-security; urgency=medium

  * Upstream release 51.0.2704.79:
    - CVE-2016-1696: Cross-origin bypass in Extension bindings.
    - CVE-2016-1697: Cross-origin bypass in Blink.
    - CVE-2016-1698: Information leak in Extension bindings.
    - CVE-2016-1699: Parameter sanitization failure in DevTools.
    - CVE-2016-1700: Use-after-free in Extensions.
    - CVE-2016-1701: Use-after-free in Autofill.
    - CVE-2016-1702: Out-of-bounds read in Skia.
    - CVE-2016-1703: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 51.0.2704.63:
    - CVE-2016-1672: Cross-origin bypass in extension bindings.
    - CVE-2016-1673: Cross-origin bypass in Blink.
    - CVE-2016-1674: Cross-origin bypass in extensions.
    - CVE-2016-1675: Cross-origin bypass in Blink.
    - CVE-2016-1676: Cross-origin bypass in extension bindings.
    - CVE-2016-1677: Type confusion in V8.
    - CVE-2016-1678: Heap overflow in V8.
    - CVE-2016-1679: Heap use-after-free in V8 bindings.
    - CVE-2016-1680: Heap use-after-free in Skia.
    - CVE-2016-1681: Heap overflow in PDFium.
    - CVE-2016-1682: CSP bypass for ServiceWorker.
    - CVE-2016-1683: Out-of-bounds access in libxslt.
    - CVE-2016-1684: Integer overflow in libxslt.
    - CVE-2016-1685: Out-of-bounds read in PDFium.
    - CVE-2016-1686: Out-of-bounds read in PDFium.
    - CVE-2016-1687: Information leak in extensions.
    - CVE-2016-1688: Out-of-bounds read in V8.
    - CVE-2016-1689: Heap buffer overflow in media.
    - CVE-2016-1690: Heap use-after-free in Autofill.
    - CVE-2016-1691: Heap buffer-overflow in Skia.
    - CVE-2016-1692: Limited cross-origin bypass in ServiceWorker.
    - CVE-2016-1693: HTTP Download of Software Removal Tool.
    - CVE-2016-1694: HPKP pins removed on cache clearance.
    - CVE-2016-1695: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/blink-platform-export-class: remove patch. Unnecessary.

 -- Chad MILLER <email address hidden>  Thu, 26 May 2016 10:54:29 -0400

Available diffs

• diff from 50.0.2661.102-0ubuntu0.16.04.1.1237 to 51.0.2704.79-0ubuntu0.16.04.1.1242 (80.3 MiB)
• diff from 51.0.2704.63-0ubuntu0.16.04.1.1241 to 51.0.2704.79-0ubuntu0.16.04.1.1242 (8.2 MiB)

chromium-browser (50.0.2661.102-0ubuntu1.1242) yakkety; urgency=medium

  * Upstream release 50.0.2661.102:
    - CVE-2016-1667: Same origin bypass in DOM.
    - CVE-2016-1668: Same origin bypass in Blink V8 bindings.
    - CVE-2016-1669: Buffer overflow in V8.
    - CVE-2016-1670: Race condition in loader.
    - CVE-2016-1671: Directory traversal using the file scheme on Android.
  * Upstream release 50.0.2661.94:
    - CVE-2016-1660: Out-of-bounds write in Blink.
    - CVE-2016-1661: Memory corruption in cross-process frames.
    - CVE-2016-1662: Use-after-free in extensions.
    - CVE-2016-1663: Use-after-free in Blink’s V8 bindings.
    - CVE-2016-1664: Address bar spoofing.
    - CVE-2016-1665: Information leak in V8.
    - CVE-2016-1666: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 50.0.2661.75:
    - CVE-2016-1652: Universal XSS in extension bindings.
    - CVE-2016-1653: Out-of-bounds write in V8.
    - CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding.
    - CVE-2016-1654: Uninitialized memory read in media.
    - CVE-2016-1655: Use-after-free related to extensions.
    - CVE-2016-1656: Android downloaded file path restriction bypass.
    - CVE-2016-1657: Address bar spoofing.
    - CVE-2016-1658: Potential leak of sensitive information to malicious
      extensions.
    - CVE-2015-1659: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/seccomp-allow-set-robust-list: pass through syscall
    set_robust_list. glibc nptl thread creation uses it.
  * debian/rules: use new libsecret way of contacting keyring.
  * debian/patches/blink-platform-export-class: avoid Trusty bug where
    WebKit Platform class vtable not found at link time.
  * debian/apport/chromium-browser.py: Handle case when crash and no
    chromium directory exists. Still report errors in apport.

 -- Chad MILLER <email address hidden>  Fri, 13 May 2016 10:52:23 -0400

Available diffs

• diff from 49.0.2623.108-0ubuntu1.1233 to 50.0.2661.102-0ubuntu1.1242 (54.8 MiB)

chromium-browser (50.0.2661.102-0ubuntu0.14.04.1.1117) trusty-security; urgency=medium

  * Upstream release 50.0.2661.102:
    - CVE-2016-1667: Same origin bypass in DOM.
    - CVE-2016-1668: Same origin bypass in Blink V8 bindings.
    - CVE-2016-1669: Buffer overflow in V8.
    - CVE-2016-1670: Race condition in loader.
    - CVE-2016-1671: Directory traversal using the file scheme on Android.
  * Upstream release 50.0.2661.94:
    - CVE-2016-1660: Out-of-bounds write in Blink.
    - CVE-2016-1661: Memory corruption in cross-process frames.
    - CVE-2016-1662: Use-after-free in extensions.
    - CVE-2016-1663: Use-after-free in Blink’s V8 bindings.
    - CVE-2016-1664: Address bar spoofing.
    - CVE-2016-1665: Information leak in V8.
    - CVE-2016-1666: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 50.0.2661.75:
    - CVE-2016-1652: Universal XSS in extension bindings.
    - CVE-2016-1653: Out-of-bounds write in V8.
    - CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding.
    - CVE-2016-1654: Uninitialized memory read in media.
    - CVE-2016-1655: Use-after-free related to extensions.
    - CVE-2016-1656: Android downloaded file path restriction bypass.
    - CVE-2016-1657: Address bar spoofing.
    - CVE-2016-1658: Potential leak of sensitive information to malicious
      extensions.
    - CVE-2015-1659: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/seccomp-allow-set-robust-list: pass through syscall
    set_robust_list. glibc nptl thread creation uses it.
  * debian/rules: use new libsecret way of contacting keyring.
  * debian/patches/blink-platform-export-class: avoid Trusty bug where
    WebKit Platform class vtable not found at link time.
  * debian/apport/chromium-browser.py: Handle case when crash and no
    chromium directory exists. Still report errors in apport.

 -- Chad MILLER <email address hidden>  Fri, 13 May 2016 10:52:23 -0400

Available diffs

• diff from 49.0.2623.108-0ubuntu0.14.04.1.1113 to 50.0.2661.102-0ubuntu0.14.04.1.1117 (54.8 MiB)
• diff from 50.0.2661.102-0ubuntu0.14.04.1.1116 to 50.0.2661.102-0ubuntu0.14.04.1.1117 (1.9 KiB)

chromium-browser (50.0.2661.102-0ubuntu0.15.10.1.1227) wily-security; urgency=medium

  * Upstream release 50.0.2661.102:
    - CVE-2016-1667: Same origin bypass in DOM.
    - CVE-2016-1668: Same origin bypass in Blink V8 bindings.
    - CVE-2016-1669: Buffer overflow in V8.
    - CVE-2016-1670: Race condition in loader.
    - CVE-2016-1671: Directory traversal using the file scheme on Android.
  * Upstream release 50.0.2661.94:
    - CVE-2016-1660: Out-of-bounds write in Blink.
    - CVE-2016-1661: Memory corruption in cross-process frames.
    - CVE-2016-1662: Use-after-free in extensions.
    - CVE-2016-1663: Use-after-free in Blink’s V8 bindings.
    - CVE-2016-1664: Address bar spoofing.
    - CVE-2016-1665: Information leak in V8.
    - CVE-2016-1666: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 50.0.2661.75:
    - CVE-2016-1652: Universal XSS in extension bindings.
    - CVE-2016-1653: Out-of-bounds write in V8.
    - CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding.
    - CVE-2016-1654: Uninitialized memory read in media.
    - CVE-2016-1655: Use-after-free related to extensions.
    - CVE-2016-1656: Android downloaded file path restriction bypass.
    - CVE-2016-1657: Address bar spoofing.
    - CVE-2016-1658: Potential leak of sensitive information to malicious
      extensions.
    - CVE-2015-1659: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/seccomp-allow-set-robust-list: pass through syscall
    set_robust_list. glibc nptl thread creation uses it.
  * debian/rules: use new libsecret way of contacting keyring.
  * debian/patches/blink-platform-export-class: avoid Trusty bug where
    WebKit Platform class vtable not found at link time.
  * debian/apport/chromium-browser.py: Handle case when crash and no
    chromium directory exists. Still report errors in apport.

 -- Chad MILLER <email address hidden>  Fri, 13 May 2016 10:52:23 -0400

Available diffs

• diff from 49.0.2623.108-0ubuntu0.15.10.1.1223 to 50.0.2661.102-0ubuntu0.15.10.1.1227 (54.8 MiB)
• diff from 50.0.2661.102-0ubuntu0.15.10.1.1226 to 50.0.2661.102-0ubuntu0.15.10.1.1227 (pending)

chromium-browser (50.0.2661.102-0ubuntu0.16.04.1.1237) xenial-security; urgency=medium

  * Upstream release 50.0.2661.102:
    - CVE-2016-1667: Same origin bypass in DOM.
    - CVE-2016-1668: Same origin bypass in Blink V8 bindings.
    - CVE-2016-1669: Buffer overflow in V8.
    - CVE-2016-1670: Race condition in loader.
    - CVE-2016-1671: Directory traversal using the file scheme on Android.
  * Upstream release 50.0.2661.94:
    - CVE-2016-1660: Out-of-bounds write in Blink.
    - CVE-2016-1661: Memory corruption in cross-process frames.
    - CVE-2016-1662: Use-after-free in extensions.
    - CVE-2016-1663: Use-after-free in Blink’s V8 bindings.
    - CVE-2016-1664: Address bar spoofing.
    - CVE-2016-1665: Information leak in V8.
    - CVE-2016-1666: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 50.0.2661.75:
    - CVE-2016-1652: Universal XSS in extension bindings.
    - CVE-2016-1653: Out-of-bounds write in V8.
    - CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding.
    - CVE-2016-1654: Uninitialized memory read in media.
    - CVE-2016-1655: Use-after-free related to extensions.
    - CVE-2016-1656: Android downloaded file path restriction bypass.
    - CVE-2016-1657: Address bar spoofing.
    - CVE-2016-1658: Potential leak of sensitive information to malicious
      extensions.
    - CVE-2015-1659: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/seccomp-allow-set-robust-list: pass through syscall
    set_robust_list. glibc nptl thread creation uses it.
  * debian/rules: use new libsecret way of contacting keyring.
  * debian/patches/blink-platform-export-class: avoid Trusty bug where
    WebKit Platform class vtable not found at link time.
  * debian/apport/chromium-browser.py: Handle case when crash and no
    chromium directory exists. Still report errors in apport.

 -- Chad MILLER <email address hidden>  Fri, 13 May 2016 10:52:23 -0400

Available diffs

• diff from 50.0.2661.94-0ubuntu0.16.04.1.1235 to 50.0.2661.102-0ubuntu0.16.04.1.1237 (pending)

chromium-browser (49.0.2623.108-0ubuntu1.1233) xenial; urgency=medium

  * Upstream release 49.0.2623.108:
    - CVE-2016-1646: Out-of-bounds read in V8.
    - CVE-2016-1647: Use-after-free in Navigation.
    - CVE-2016-1648: Use-after-free in Extensions.
    - CVE-2016-1649: Buffer overflow in libANGLE.
    - CVE-2016-1650: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch
      (currently 4.9.385.33).

 -- Chad MILLER <email address hidden>  Thu, 24 Mar 2016 16:52:52 -0400

Available diffs

• diff from 49.0.2623.87-0ubuntu1.1232 to 49.0.2623.108-0ubuntu1.1233 (818.4 KiB)

chromium-browser (49.0.2623.108-0ubuntu0.14.04.1.1113) trusty-security; urgency=medium

  * Upstream release 49.0.2623.108:
    - CVE-2016-1646: Out-of-bounds read in V8.
    - CVE-2016-1647: Use-after-free in Navigation.
    - CVE-2016-1648: Use-after-free in Extensions.
    - CVE-2016-1649: Buffer overflow in libANGLE.
    - CVE-2016-1650: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch
      (currently 4.9.385.33).

 -- Chad MILLER <email address hidden>  Thu, 24 Mar 2016 16:52:52 -0400

Available diffs

• diff from 49.0.2623.87-0ubuntu0.14.04.1.1112 to 49.0.2623.108-0ubuntu0.14.04.1.1113 (818.5 KiB)

chromium-browser (49.0.2623.108-0ubuntu0.15.10.1.1223) wily-security; urgency=medium

  * Upstream release 49.0.2623.108:
    - CVE-2016-1646: Out-of-bounds read in V8.
    - CVE-2016-1647: Use-after-free in Navigation.
    - CVE-2016-1648: Use-after-free in Extensions.
    - CVE-2016-1649: Buffer overflow in libANGLE.
    - CVE-2016-1650: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch
      (currently 4.9.385.33).

 -- Chad MILLER <email address hidden>  Thu, 24 Mar 2016 16:52:52 -0400

Available diffs

• diff from 49.0.2623.87-0ubuntu0.15.10.1.1222 to 49.0.2623.108-0ubuntu0.15.10.1.1223 (818.5 KiB)

chromium-browser (49.0.2623.87-0ubuntu1.1232) xenial; urgency=medium

  * debian/patches/system-xdg-settings: Insist on using system xdg utilities.
  * Upstream release 49.0.2623.87:
    - CVE-2016-1643: Type confusion in Blink.
    - CVE-2016-1644: Use-after-free in Blink.
    - CVE-2016-1645: Out-of-bounds write in PDFium.
  * Upstream release 49.0.2623.75:
    - CVE-2016-1630: Same-origin bypass in Blink.
    - CVE-2016-1631: Same-origin bypass in Pepper Plugin.
    - CVE-2016-1632: Bad cast in Extensions.
    - CVE-2016-1633: Use-after-free in Blink.
    - CVE-2016-1634: Use-after-free in Blink.
    - CVE-2016-1635: Use-after-free in Blink.
    - CVE-2016-1636: SRI Validation Bypass.
    - CVE-2015-8126: Out-of-bounds access in libpng.
    - CVE-2016-1637: Information Leak in Skia.
    - CVE-2016-1638: WebAPI Bypass.
    - CVE-2016-1639: Use-after-free in WebRTC.
    - CVE-2016-1640: Origin confusion in Extensions UI.
    - CVE-2016-1641: Use-after-free in Favicon.
    - CVE-2016-1642: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch
      (currently 4.9.385.26).
  * debian/rules: No longer fabricate snap package as side effect.
  * debian/control: build-dep on libffi-dev, mesa-common-dev.
  * debian/patches/format-flag: Remove patch.

 -- Chad MILLER <email address hidden>  Tue, 15 Mar 2016 09:42:48 -0400

Available diffs

• diff from 48.0.2564.116-0ubuntu1.1229 to 49.0.2623.87-0ubuntu1.1232 (63.5 MiB)

chromium-browser (49.0.2623.87-0ubuntu0.14.04.1.1112) trusty-security; urgency=medium

  * debian/patches/system-xdg-settings: Insist on using system xdg utilities.
  * Upstream release 49.0.2623.87:
    - CVE-2016-1643: Type confusion in Blink.
    - CVE-2016-1644: Use-after-free in Blink.
    - CVE-2016-1645: Out-of-bounds write in PDFium.
  * Upstream release 49.0.2623.75:
    - CVE-2016-1630: Same-origin bypass in Blink.
    - CVE-2016-1631: Same-origin bypass in Pepper Plugin.
    - CVE-2016-1632: Bad cast in Extensions.
    - CVE-2016-1633: Use-after-free in Blink.
    - CVE-2016-1634: Use-after-free in Blink.
    - CVE-2016-1635: Use-after-free in Blink.
    - CVE-2016-1636: SRI Validation Bypass.
    - CVE-2015-8126: Out-of-bounds access in libpng.
    - CVE-2016-1637: Information Leak in Skia.
    - CVE-2016-1638: WebAPI Bypass.
    - CVE-2016-1639: Use-after-free in WebRTC.
    - CVE-2016-1640: Origin confusion in Extensions UI.
    - CVE-2016-1641: Use-after-free in Favicon.
    - CVE-2016-1642: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch
      (currently 4.9.385.26).
  * debian/rules: No longer fabricate snap package as side effect.
  * debian/control: build-dep on libffi-dev, mesa-common-dev.
  * debian/patches/format-flag: Remove patch.

 -- Chad MILLER <email address hidden>  Tue, 15 Mar 2016 09:42:48 -0400

Available diffs

• diff from 48.0.2564.116-0ubuntu0.14.04.1.1111 to 49.0.2623.87-0ubuntu0.14.04.1.1112 (63.5 MiB)

chromium-browser (49.0.2623.87-0ubuntu0.15.10.1.1222) wily-security; urgency=medium

  * debian/patches/system-xdg-settings: Insist on using system xdg utilities.
  * Upstream release 49.0.2623.87:
    - CVE-2016-1643: Type confusion in Blink.
    - CVE-2016-1644: Use-after-free in Blink.
    - CVE-2016-1645: Out-of-bounds write in PDFium.
  * Upstream release 49.0.2623.75:
    - CVE-2016-1630: Same-origin bypass in Blink.
    - CVE-2016-1631: Same-origin bypass in Pepper Plugin.
    - CVE-2016-1632: Bad cast in Extensions.
    - CVE-2016-1633: Use-after-free in Blink.
    - CVE-2016-1634: Use-after-free in Blink.
    - CVE-2016-1635: Use-after-free in Blink.
    - CVE-2016-1636: SRI Validation Bypass.
    - CVE-2015-8126: Out-of-bounds access in libpng.
    - CVE-2016-1637: Information Leak in Skia.
    - CVE-2016-1638: WebAPI Bypass.
    - CVE-2016-1639: Use-after-free in WebRTC.
    - CVE-2016-1640: Origin confusion in Extensions UI.
    - CVE-2016-1641: Use-after-free in Favicon.
    - CVE-2016-1642: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch
      (currently 4.9.385.26).
  * debian/rules: No longer fabricate snap package as side effect.
  * debian/control: build-dep on libffi-dev, mesa-common-dev.
  * debian/patches/format-flag: Remove patch.

 -- Chad MILLER <email address hidden>  Tue, 15 Mar 2016 09:42:48 -0400

Available diffs

• diff from 48.0.2564.116-0ubuntu0.15.10.1.1221 to 49.0.2623.87-0ubuntu0.15.10.1.1222 (63.5 MiB)

chromium-browser (37.0.2062.120-0ubuntu0.12.04.2) precise-security; urgency=medium

  * debian/patches/nss-321-fix.patch: fix compatibility with nss 3.21.
    (LP: #1520568)

 -- Marc Deslauriers <email address hidden>  Wed, 24 Feb 2016 13:42:57 -0500

Available diffs

• diff from 37.0.2062.120-0ubuntu0.12.04.1~pkg917 (in ~canonical-chromium-builds/ubuntu/stage) to 37.0.2062.120-0ubuntu0.12.04.2 (969 bytes)
• diff from 18.0.1025.151~r130497-0ubuntu1 (in Ubuntu) to 37.0.2062.120-0ubuntu0.12.04.2 (447.4 MiB)

chromium-browser (48.0.2564.116-0ubuntu1.1229) xenial; urgency=medium

  * Upstream release 48.0.2564.109:
    - CVE-2016-1622: Same-origin bypass in Extensions.
    - CVE-2016-1623: Same-origin bypass in DOM.
    - CVE-2016-1624: Buffer overflow in Brotli.
    - CVE-2016-1625: Navigation bypass in Chrome Instant.
    - CVE-2016-1626: Out-of-bounds read in PDFium.
    - CVE-2016-1627: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 48.0.2564.116:
    - CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome.

 -- Chad MILLER <email address hidden>  Thu, 18 Feb 2016 17:55:30 -0500

Available diffs

• diff from 48.0.2564.82-0ubuntu1.1222 to 48.0.2564.116-0ubuntu1.1229 (242.0 KiB)

chromium-browser (48.0.2564.116-0ubuntu0.14.04.1.1111) trusty-security; urgency=medium

  * Upstream release 48.0.2564.109:
    - CVE-2016-1622: Same-origin bypass in Extensions.
    - CVE-2016-1623: Same-origin bypass in DOM.
    - CVE-2016-1624: Buffer overflow in Brotli.
    - CVE-2016-1625: Navigation bypass in Chrome Instant.
    - CVE-2016-1626: Out-of-bounds read in PDFium.
    - CVE-2016-1627: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 48.0.2564.116:
    - CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome.

 -- Chad MILLER <email address hidden>  Thu, 18 Feb 2016 17:55:30 -0500

Available diffs

• diff from 48.0.2564.82-0ubuntu0.14.04.1.1108 to 48.0.2564.116-0ubuntu0.14.04.1.1111 (242.0 KiB)
• diff from 48.0.2564.109-0ubuntu0.14.04.1.1110 to 48.0.2564.116-0ubuntu0.14.04.1.1111 (18.6 KiB)

chromium-browser (48.0.2564.116-0ubuntu0.15.10.1.1221) wily-security; urgency=medium

  * Upstream release 48.0.2564.109:
    - CVE-2016-1622: Same-origin bypass in Extensions.
    - CVE-2016-1623: Same-origin bypass in DOM.
    - CVE-2016-1624: Buffer overflow in Brotli.
    - CVE-2016-1625: Navigation bypass in Chrome Instant.
    - CVE-2016-1626: Out-of-bounds read in PDFium.
    - CVE-2016-1627: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 48.0.2564.116:
    - CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape in Chrome.

 -- Chad MILLER <email address hidden>  Thu, 18 Feb 2016 17:55:30 -0500

Available diffs

• diff from 48.0.2564.82-0ubuntu0.15.10.1.1219 to 48.0.2564.116-0ubuntu0.15.10.1.1221 (242.0 KiB)
• diff from 48.0.2564.109-0ubuntu0.15.10.1.1220 to 48.0.2564.116-0ubuntu0.15.10.1.1221 (18.6 KiB)

chromium-browser (48.0.2564.82-0ubuntu1.1222) xenial; urgency=medium

  * Upstream release 48.0.2564.82:
    - CVE-2016-1612: Bad cast in V8.
    - CVE-2016-1613: Use-after-free in PDFium.
    - CVE-2016-1614: Information leak in Blink.
    - CVE-2016-1615: Origin confusion in Omnibox.
    - CVE-2016-1616: URL Spoofing.
    - CVE-2016-1617: History sniffing with HSTS and CSP.
    - CVE-2016-1618: Weak random number generator in Blink.
    - CVE-2016-1619: Out-of-bounds read in PDFium.
    - CVE-2016-1620: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch
      (currently 4.8.271.17).

 -- Chad MILLER <email address hidden>  Thu, 21 Jan 2016 08:39:10 -0500

Available diffs

• diff from 47.0.2526.106-0ubuntu1.1221 to 48.0.2564.82-0ubuntu1.1222 (82.3 MiB)

chromium-browser (48.0.2564.82-0ubuntu0.14.04.1.1108) trusty-security; urgency=medium

  * Upstream release 48.0.2564.82:
    - CVE-2016-1612: Bad cast in V8.
    - CVE-2016-1613: Use-after-free in PDFium.
    - CVE-2016-1614: Information leak in Blink.
    - CVE-2016-1615: Origin confusion in Omnibox.
    - CVE-2016-1616: URL Spoofing.
    - CVE-2016-1617: History sniffing with HSTS and CSP.
    - CVE-2016-1618: Weak random number generator in Blink.
    - CVE-2016-1619: Out-of-bounds read in PDFium.
    - CVE-2016-1620: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch
      (currently 4.8.271.17).

 -- Chad MILLER <email address hidden>  Thu, 21 Jan 2016 08:39:10 -0500

Available diffs

• diff from 47.0.2526.106-0ubuntu0.14.04.1.1107 to 48.0.2564.82-0ubuntu0.14.04.1.1108 (82.3 MiB)

chromium-browser (48.0.2564.82-0ubuntu0.15.04.1.1193) vivid-security; urgency=medium

  * Upstream release 48.0.2564.82:
    - CVE-2016-1612: Bad cast in V8.
    - CVE-2016-1613: Use-after-free in PDFium.
    - CVE-2016-1614: Information leak in Blink.
    - CVE-2016-1615: Origin confusion in Omnibox.
    - CVE-2016-1616: URL Spoofing.
    - CVE-2016-1617: History sniffing with HSTS and CSP.
    - CVE-2016-1618: Weak random number generator in Blink.
    - CVE-2016-1619: Out-of-bounds read in PDFium.
    - CVE-2016-1620: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch
      (currently 4.8.271.17).

 -- Chad MILLER <email address hidden>  Thu, 21 Jan 2016 08:39:10 -0500

Available diffs

• diff from 47.0.2526.106-0ubuntu0.15.04.1.1192 to 48.0.2564.82-0ubuntu0.15.04.1.1193 (pending)

chromium-browser (48.0.2564.82-0ubuntu0.15.10.1.1219) wily-security; urgency=medium

  * Upstream release 48.0.2564.82:
    - CVE-2016-1612: Bad cast in V8.
    - CVE-2016-1613: Use-after-free in PDFium.
    - CVE-2016-1614: Information leak in Blink.
    - CVE-2016-1615: Origin confusion in Omnibox.
    - CVE-2016-1616: URL Spoofing.
    - CVE-2016-1617: History sniffing with HSTS and CSP.
    - CVE-2016-1618: Weak random number generator in Blink.
    - CVE-2016-1619: Out-of-bounds read in PDFium.
    - CVE-2016-1620: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.8 branch
      (currently 4.8.271.17).

 -- Chad MILLER <email address hidden>  Thu, 21 Jan 2016 08:39:10 -0500

Available diffs

• diff from 47.0.2526.106-0ubuntu0.15.10.1.1218 to 48.0.2564.82-0ubuntu0.15.10.1.1219 (pending)

chromium-browser (47.0.2526.106-0ubuntu1.1221) xenial; urgency=medium

  * Upstream release 47.0.2526.106:
    - CVE-2015-6792: Fixes from internal audits and fuzzing.
  * Upstream release 47.0.2526.80:
    - CVE-2015-6788: Type confusion in extensions.
    - CVE-2015-6789: Use-after-free in Blink.
    - CVE-2015-6790: Escaping issue in saved pages.
    - CVE-2015-6791: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch
      (currently 4.7.80.23).
  * debian/rules: Don't use bundled binutils. Remove execute bits on programs
    so we can be sure they aren't run.

 -- Chad MILLER <email address hidden>  Tue, 15 Dec 2015 19:33:00 -0500

Available diffs

• diff from 47.0.2526.73-0ubuntu1.1218 to 47.0.2526.106-0ubuntu1.1221 (41.3 MiB)

chromium-browser (47.0.2526.106-0ubuntu0.15.04.1.1192) vivid-security; urgency=medium

  * Upstream release 47.0.2526.106:
    - CVE-2015-6792: Fixes from internal audits and fuzzing.
  * Upstream release 47.0.2526.80:
    - CVE-2015-6788: Type confusion in extensions.
    - CVE-2015-6789: Use-after-free in Blink.
    - CVE-2015-6790: Escaping issue in saved pages.
    - CVE-2015-6791: Various fixes from internal audits, fuzzing and other
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch
      (currently 4.7.80.23).
  * debian/rules: Don't use bundled binutils. Remove execute bits on programs
    so we can be sure they aren't run.

 -- Chad MILLER <email address hidden>  Wed, 16 Dec 2015 10:35:12 -0500

Available diffs

• diff from 47.0.2526.73-0ubuntu0.15.04.1.1190 to 47.0.2526.106-0ubuntu0.15.04.1.1192 (41.3 MiB)

chromium-browser (47.0.2526.106-0ubuntu0.14.04.1.1107) trusty-security; urgency=medium

  * Upstream release 47.0.2526.106:
    - CVE-2015-6792: Fixes from internal audits and fuzzing.
  * Upstream release 47.0.2526.80:
    - CVE-2015-6788: Type confusion in extensions.
    - CVE-2015-6789: Use-after-free in Blink.
    - CVE-2015-6790: Escaping issue in saved pages.
    - CVE-2015-6791: Various fixes from internal audits, fuzzing and other
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch
      (currently 4.7.80.23).
  * debian/rules: Don't use bundled binutils. Remove execute bits on programs
    so we can be sure they aren't run.

 -- Chad MILLER <email address hidden>  Wed, 16 Dec 2015 10:35:12 -0500

Available diffs

• diff from 47.0.2526.73-0ubuntu0.14.04.1.1106 to 47.0.2526.106-0ubuntu0.14.04.1.1107 (41.3 MiB)

chromium-browser (47.0.2526.106-0ubuntu0.15.10.1.1218) wily-security; urgency=medium

  * Upstream release 47.0.2526.106:
    - CVE-2015-6792: Fixes from internal audits and fuzzing.
  * Upstream release 47.0.2526.80:
    - CVE-2015-6788: Type confusion in extensions.
    - CVE-2015-6789: Use-after-free in Blink.
    - CVE-2015-6790: Escaping issue in saved pages.
    - CVE-2015-6791: Various fixes from internal audits, fuzzing and other
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch
      (currently 4.7.80.23).
  * debian/rules: Don't use bundled binutils. Remove execute bits on programs
    so we can be sure they aren't run.

 -- Chad MILLER <email address hidden>  Wed, 16 Dec 2015 10:35:12 -0500

Available diffs

• diff from 47.0.2526.73-0ubuntu0.15.10.1.1215 to 47.0.2526.106-0ubuntu0.15.10.1.1218 (pending)

chromium-browser (47.0.2526.73-0ubuntu1.1218) xenial; urgency=medium

  * Upstream release 47.0.2526.73:
    - CVE-2015-6765: Use-after-free in AppCache.
    - CVE-2015-6766: Use-after-free in AppCache.
    - CVE-2015-6767: Use-after-free in AppCache.
    - CVE-2015-6768: Cross-origin bypass in DOM.
    - CVE-2015-6769: Cross-origin bypass in core.
    - CVE-2015-6770: Cross-origin bypass in DOM.
    - CVE-2015-6771: Out of bounds access in v8.
    - CVE-2015-6772: Cross-origin bypass in DOM.
    - CVE-2015-6764: Out of bounds access in v8.
    - CVE-2015-6773: Out of bounds access in Skia.
    - CVE-2015-6774: Use-after-free in Extensions.
    - CVE-2015-6775: Type confusion in PDFium.
    - CVE-2015-6776: Out of bounds access in PDFium.
    - CVE-2015-6777: Use-after-free in DOM.
    - CVE-2015-6778: Out of bounds access in PDFium.
    - CVE-2015-6779: Scheme bypass in PDFium.
    - CVE-2015-6780: Use-after-free in Infobars.
    - CVE-2015-6781: Integer overflow in Sfntly.
    - CVE-2015-6782: Content spoofing in Omnibox.
    - CVE-2015-6783: Signature validation issue in Android Crazy Linker.
    - CVE-2015-6784: Escaping issue in saved pages.
    - CVE-2015-6785: Wildcard matching issue in CSP.
    - CVE-2015-6786: Scheme bypass in CSP.
    - CVE-2015-6787: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch
      (currently 4.7.80.23).
  * Upstream release 46.0.2490.86:
    - CVE-2015-1302: Information leak in PDF viewer.
  * Upstream release 46.0.2490.71:
    - CVE-2015-6755: Cross-origin bypass in Blink.
    - CVE-2015-6756: Use-after-free in PDFium.
    - CVE-2015-6757: Use-after-free in ServiceWorker.
    - CVE-2015-6758: Bad-cast in PDFium.
    - CVE-2015-6759: Information leakage in LocalStorage.
    - CVE-2015-6760: Improper error handling in libANGLE.
    - CVE-2015-6761: Memory corruption in FFMpeg.
    - CVE-2015-6762: CORS bypass via CSS fonts.
    - CVE-2015-6763: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/gpu-hangs: remove. Not useful.
  * Switch to Clang to compile.
  * debian/rules: Explicitly create remoting resources.
  * debian/patches/cr46-missing-test-files:
  * debian/rules: support screen sharing in Hangouts.
  * debian/patches/xdg-settings-multiexec-desktopfiles.patch: Always prefer
    local xdg-settings.
  * debian/chromium-browser.desktop: Don't override WM class matching.

 -- Chad MILLER <email address hidden>  Tue, 01 Dec 2015 15:37:11 -0500

Available diffs

• diff from 45.0.2454.101-0ubuntu1.1201 (in ~canonical-chromium-builds/ubuntu/stage) to 47.0.2526.73-0ubuntu1.1218 (184.4 MiB)

chromium-browser (47.0.2526.73-0ubuntu0.14.04.1.1106) trusty-security; urgency=medium

  * Upstream release 47.0.2526.73:
    - CVE-2015-6765: Use-after-free in AppCache.
    - CVE-2015-6766: Use-after-free in AppCache.
    - CVE-2015-6767: Use-after-free in AppCache.
    - CVE-2015-6768: Cross-origin bypass in DOM.
    - CVE-2015-6769: Cross-origin bypass in core.
    - CVE-2015-6770: Cross-origin bypass in DOM.
    - CVE-2015-6771: Out of bounds access in v8.
    - CVE-2015-6772: Cross-origin bypass in DOM.
    - CVE-2015-6764: Out of bounds access in v8.
    - CVE-2015-6773: Out of bounds access in Skia.
    - CVE-2015-6774: Use-after-free in Extensions.
    - CVE-2015-6775: Type confusion in PDFium.
    - CVE-2015-6776: Out of bounds access in PDFium.
    - CVE-2015-6777: Use-after-free in DOM.
    - CVE-2015-6778: Out of bounds access in PDFium.
    - CVE-2015-6779: Scheme bypass in PDFium.
    - CVE-2015-6780: Use-after-free in Infobars.
    - CVE-2015-6781: Integer overflow in Sfntly.
    - CVE-2015-6782: Content spoofing in Omnibox.
    - CVE-2015-6783: Signature validation issue in Android Crazy Linker.
    - CVE-2015-6784: Escaping issue in saved pages.
    - CVE-2015-6785: Wildcard matching issue in CSP.
    - CVE-2015-6786: Scheme bypass in CSP.
    - CVE-2015-6787: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch
      (currently 4.7.80.23).
  * Upstream release 46.0.2490.86:
    - CVE-2015-1302: Information leak in PDF viewer.
  * Upstream release 46.0.2490.71:
    - CVE-2015-6755: Cross-origin bypass in Blink.
    - CVE-2015-6756: Use-after-free in PDFium.
    - CVE-2015-6757: Use-after-free in ServiceWorker.
    - CVE-2015-6758: Bad-cast in PDFium.
    - CVE-2015-6759: Information leakage in LocalStorage.
    - CVE-2015-6760: Improper error handling in libANGLE.
    - CVE-2015-6761: Memory corruption in FFMpeg.
    - CVE-2015-6762: CORS bypass via CSS fonts.
    - CVE-2015-6763: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/gpu-hangs: remove. Not useful.
  * debian/rules: Explicitly create remoting resources.
  * debian/patches/cr46-missing-test-files:
  * debian/rules: support screen sharing in Hangouts.
  * debian/patches/xdg-settings-multiexec-desktopfiles.patch: Always prefer
    local xdg-settings.
  * debian/chromium-browser.desktop: Don't override WM class matching.

 -- Chad MILLER <email address hidden>  Tue, 01 Dec 2015 15:37:11 -0500

Available diffs

• diff from 45.0.2454.101-0ubuntu0.14.04.1.1099 to 47.0.2526.73-0ubuntu0.14.04.1.1106 (184.4 MiB)
• diff from 46.0.2490.86-0ubuntu0.14.04.1.1105 to 47.0.2526.73-0ubuntu0.14.04.1.1106 (41.6 MiB)

chromium-browser (47.0.2526.73-0ubuntu0.15.04.1.1190) vivid-security; urgency=medium

  * Upstream release 47.0.2526.73:
    - CVE-2015-6765: Use-after-free in AppCache.
    - CVE-2015-6766: Use-after-free in AppCache.
    - CVE-2015-6767: Use-after-free in AppCache.
    - CVE-2015-6768: Cross-origin bypass in DOM.
    - CVE-2015-6769: Cross-origin bypass in core.
    - CVE-2015-6770: Cross-origin bypass in DOM.
    - CVE-2015-6771: Out of bounds access in v8.
    - CVE-2015-6772: Cross-origin bypass in DOM.
    - CVE-2015-6764: Out of bounds access in v8.
    - CVE-2015-6773: Out of bounds access in Skia.
    - CVE-2015-6774: Use-after-free in Extensions.
    - CVE-2015-6775: Type confusion in PDFium.
    - CVE-2015-6776: Out of bounds access in PDFium.
    - CVE-2015-6777: Use-after-free in DOM.
    - CVE-2015-6778: Out of bounds access in PDFium.
    - CVE-2015-6779: Scheme bypass in PDFium.
    - CVE-2015-6780: Use-after-free in Infobars.
    - CVE-2015-6781: Integer overflow in Sfntly.
    - CVE-2015-6782: Content spoofing in Omnibox.
    - CVE-2015-6783: Signature validation issue in Android Crazy Linker.
    - CVE-2015-6784: Escaping issue in saved pages.
    - CVE-2015-6785: Wildcard matching issue in CSP.
    - CVE-2015-6786: Scheme bypass in CSP.
    - CVE-2015-6787: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch
      (currently 4.7.80.23).
  * Upstream release 46.0.2490.86:
    - CVE-2015-1302: Information leak in PDF viewer.
  * Upstream release 46.0.2490.71:
    - CVE-2015-6755: Cross-origin bypass in Blink.
    - CVE-2015-6756: Use-after-free in PDFium.
    - CVE-2015-6757: Use-after-free in ServiceWorker.
    - CVE-2015-6758: Bad-cast in PDFium.
    - CVE-2015-6759: Information leakage in LocalStorage.
    - CVE-2015-6760: Improper error handling in libANGLE.
    - CVE-2015-6761: Memory corruption in FFMpeg.
    - CVE-2015-6762: CORS bypass via CSS fonts.
    - CVE-2015-6763: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/gpu-hangs: remove. Not useful.
  * debian/rules: Explicitly create remoting resources.
  * debian/patches/cr46-missing-test-files:
  * debian/rules: support screen sharing in Hangouts.
  * debian/patches/xdg-settings-multiexec-desktopfiles.patch: Always prefer
    local xdg-settings.
  * debian/chromium-browser.desktop: Don't override WM class matching.

 -- Chad MILLER <email address hidden>  Tue, 01 Dec 2015 15:37:11 -0500

Available diffs

• diff from 45.0.2454.101-0ubuntu0.15.04.1.1183 to 47.0.2526.73-0ubuntu0.15.04.1.1190 (184.4 MiB)
• diff from 46.0.2490.86-0ubuntu0.15.04.1.1189 to 47.0.2526.73-0ubuntu0.15.04.1.1190 (41.6 MiB)

chromium-browser (47.0.2526.73-0ubuntu0.15.10.1.1215) wily-security; urgency=medium

  * Upstream release 47.0.2526.73:
    - CVE-2015-6765: Use-after-free in AppCache.
    - CVE-2015-6766: Use-after-free in AppCache.
    - CVE-2015-6767: Use-after-free in AppCache.
    - CVE-2015-6768: Cross-origin bypass in DOM.
    - CVE-2015-6769: Cross-origin bypass in core.
    - CVE-2015-6770: Cross-origin bypass in DOM.
    - CVE-2015-6771: Out of bounds access in v8.
    - CVE-2015-6772: Cross-origin bypass in DOM.
    - CVE-2015-6764: Out of bounds access in v8.
    - CVE-2015-6773: Out of bounds access in Skia.
    - CVE-2015-6774: Use-after-free in Extensions.
    - CVE-2015-6775: Type confusion in PDFium.
    - CVE-2015-6776: Out of bounds access in PDFium.
    - CVE-2015-6777: Use-after-free in DOM.
    - CVE-2015-6778: Out of bounds access in PDFium.
    - CVE-2015-6779: Scheme bypass in PDFium.
    - CVE-2015-6780: Use-after-free in Infobars.
    - CVE-2015-6781: Integer overflow in Sfntly.
    - CVE-2015-6782: Content spoofing in Omnibox.
    - CVE-2015-6783: Signature validation issue in Android Crazy Linker.
    - CVE-2015-6784: Escaping issue in saved pages.
    - CVE-2015-6785: Wildcard matching issue in CSP.
    - CVE-2015-6786: Scheme bypass in CSP.
    - CVE-2015-6787: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.7 branch
      (currently 4.7.80.23).
  * Upstream release 46.0.2490.86:
    - CVE-2015-1302: Information leak in PDF viewer.
  * Upstream release 46.0.2490.71:
    - CVE-2015-6755: Cross-origin bypass in Blink.
    - CVE-2015-6756: Use-after-free in PDFium.
    - CVE-2015-6757: Use-after-free in ServiceWorker.
    - CVE-2015-6758: Bad-cast in PDFium.
    - CVE-2015-6759: Information leakage in LocalStorage.
    - CVE-2015-6760: Improper error handling in libANGLE.
    - CVE-2015-6761: Memory corruption in FFMpeg.
    - CVE-2015-6762: CORS bypass via CSS fonts.
    - CVE-2015-6763: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/gpu-hangs: remove. Not useful.
  * Switch to Clang to compile.
  * debian/rules: Explicitly create remoting resources.
  * debian/patches/cr46-missing-test-files:
  * debian/rules: support screen sharing in Hangouts.
  * debian/patches/xdg-settings-multiexec-desktopfiles.patch: Always prefer
    local xdg-settings.
  * debian/chromium-browser.desktop: Don't override WM class matching.

 -- Chad MILLER <email address hidden>  Tue, 01 Dec 2015 15:37:11 -0500

Available diffs

• diff from 46.0.2490.86-0ubuntu0.15.10.1.1214 to 47.0.2526.73-0ubuntu0.15.10.1.1215 (41.6 MiB)

chromium-browser (45.0.2454.101-0ubuntu0.14.04.1.1099) trusty-security; urgency=medium

  * Upstream release 45.0.2454.101:
    - CVE-2015-1303: Cross-origin bypass in DOM.
    - CVE-2015-1304: Cross-origin bypass in V8.
  * debian/tests/testdata/xx-test-tool-is-functional-if-this-prints-functional.sikuli
    Only use GUI test tool to test IF it works on its own.  If it is broken,
    don't use that to test chromium.
  * debian/rules: Include our own "xdg-settings" file until a bug is fixed.
  * debian/patches/xdg-settings-multiexec-desktopfiles.patch : Locally fix
    aforementioned bug. More than one Exec line in a destop file (like ours)
    triggers a bug in badly-written shell code in portland xdg-utils-common.in

 -- Chad MILLER <email address hidden>  Tue, 29 Sep 2015 08:06:37 -0400

Available diffs

• diff from 45.0.2454.85-0ubuntu0.14.04.1.1097 to 45.0.2454.101-0ubuntu0.14.04.1.1099 (55.3 KiB)
• diff from 45.0.2454.101-0ubuntu0.14.04.1.1098 to 45.0.2454.101-0ubuntu0.14.04.1.1099 (629 bytes)

chromium-browser (45.0.2454.101-0ubuntu0.15.04.1.1183) vivid-security; urgency=medium

  * Upstream release 45.0.2454.101:
    - CVE-2015-1303: Cross-origin bypass in DOM.
    - CVE-2015-1304: Cross-origin bypass in V8.
  * debian/tests/testdata/xx-test-tool-is-functional-if-this-prints-functional.sikuli
    Only use GUI test tool to test IF it works on its own.  If it is broken,
    don't use that to test chromium.
  * debian/rules: Include our own "xdg-settings" file until a bug is fixed.
  * debian/patches/xdg-settings-multiexec-desktopfiles.patch : Locally fix
    aforementioned bug. More than one Exec line in a destop file (like ours)
    triggers a bug in badly-written shell code in portland xdg-utils-common.in

 -- Chad MILLER <email address hidden>  Tue, 29 Sep 2015 08:06:37 -0400

Available diffs

• diff from 45.0.2454.85-0ubuntu0.15.04.1.1181 to 45.0.2454.101-0ubuntu0.15.04.1.1183 (55.3 KiB)
• diff from 45.0.2454.101-0ubuntu0.15.04.1.1182 to 45.0.2454.101-0ubuntu0.15.04.1.1183 (630 bytes)

chromium-browser (45.0.2454.101-0ubuntu1.1201) wily; urgency=medium

  * Upstream release 45.0.2454.101:
    - CVE-2015-1303: Cross-origin bypass in DOM.
    - CVE-2015-1304: Cross-origin bypass in V8.
  * debian/tests/testdata/xx-test-tool-is-functional-if-this-prints-functional.sikuli
    Only use GUI test tool to test IF it works on its own.  If it is broken,
    don't use that to test chromium.
  * debian/rules: Include our own "xdg-settings" file until a bug is fixed.
  * debian/patches/xdg-settings-multiexec-desktopfiles.patch : Locally fix
    aforementioned bug. More than one Exec line in a destop file (like ours)
    triggers a bug in badly-written shell code in portland xdg-utils-common.in

 -- Chad MILLER <email address hidden>  Tue, 29 Sep 2015 08:06:37 -0400

Available diffs

• diff from 45.0.2454.85-0ubuntu1.1198 (in Ubuntu) to 45.0.2454.101-0ubuntu1.1201 (55.2 KiB)
• diff from 45.0.2454.101-0ubuntu1.1200 to 45.0.2454.101-0ubuntu1.1201 (602 bytes)

chromium-browser (45.0.2454.85-0ubuntu1.1198) wily; urgency=medium

  * Upstream release 45.0.2454.85:
    - CVE-2015-1291: Cross-origin bypass in DOM.
    - CVE-2015-1292: Cross-origin bypass in ServiceWorker.
    - CVE-2015-1293: Cross-origin bypass in DOM.
    - CVE-2015-1294: Use-after-free in Skia.
    - CVE-2015-1295: Use-after-free in Printing.
    - CVE-2015-1296: Character spoofing in omnibox.
    - CVE-2015-1297: Permission scoping error in WebRequest.
    - CVE-2015-1298: URL validation error in extensions.
    - CVE-2015-1299: Use-after-free in Blink.
    - CVE-2015-1300: Information leak in Blink.
    - CVE-2015-1301: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/search-credit.patch: Don't add GET param if search URL
    doesn't already use them. (LP: #1490237)
  * debian/source/lintian-overrides: Ignore new binaries in orig tar.
  * debian/patches/disable-sse2: SSE exclusion is smarter now. Re-include.

 -- Chad MILLER <email address hidden>  Mon, 14 Sep 2015 20:11:00 -0400

Available diffs

• diff from 44.0.2403.89-0ubuntu1.1195 to 45.0.2454.85-0ubuntu1.1198 (111.1 MiB)

chromium-browser (45.0.2454.85-0ubuntu0.14.04.1.1097) trusty-security; urgency=medium

  * Upstream release 45.0.2454.85:
    - CVE-2015-1291: Cross-origin bypass in DOM.
    - CVE-2015-1292: Cross-origin bypass in ServiceWorker.
    - CVE-2015-1293: Cross-origin bypass in DOM.
    - CVE-2015-1294: Use-after-free in Skia.
    - CVE-2015-1295: Use-after-free in Printing.
    - CVE-2015-1296: Character spoofing in omnibox.
    - CVE-2015-1297: Permission scoping error in WebRequest.
    - CVE-2015-1298: URL validation error in extensions.
    - CVE-2015-1299: Use-after-free in Blink.
    - CVE-2015-1300: Information leak in Blink.
    - CVE-2015-1301: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/search-credit.patch: Don't add GET param if search URL
    doesn't already use them. (LP: #1490237)
  * debian/source/lintian-overrides: Ignore new binaries in orig tar.
  * debian/patches/gpu_default_disabled: No longer disable GPU rendering by
    default.
  * debian/patches/disable-sse2: SSE exclusion is smarter now. Re-include.

 -- Chad MILLER <email address hidden>  Mon, 14 Sep 2015 20:11:00 -0400

Available diffs

• diff from 44.0.2403.89-0ubuntu0.14.04.1.1095 to 45.0.2454.85-0ubuntu0.14.04.1.1097 (111.1 MiB)
• diff from 45.0.2454.85-0ubuntu0.14.04.1.1096 to 45.0.2454.85-0ubuntu0.14.04.1.1097 (1.1 KiB)

chromium-browser (45.0.2454.85-0ubuntu0.15.04.1.1181) vivid-security; urgency=medium

  * Upstream release 45.0.2454.85:
    - CVE-2015-1291: Cross-origin bypass in DOM.
    - CVE-2015-1292: Cross-origin bypass in ServiceWorker.
    - CVE-2015-1293: Cross-origin bypass in DOM.
    - CVE-2015-1294: Use-after-free in Skia.
    - CVE-2015-1295: Use-after-free in Printing.
    - CVE-2015-1296: Character spoofing in omnibox.
    - CVE-2015-1297: Permission scoping error in WebRequest.
    - CVE-2015-1298: URL validation error in extensions.
    - CVE-2015-1299: Use-after-free in Blink.
    - CVE-2015-1300: Information leak in Blink.
    - CVE-2015-1301: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/search-credit.patch: Don't add GET param if search URL
    doesn't already use them. (LP: #1490237)
  * debian/source/lintian-overrides: Ignore new binaries in orig tar.
  * debian/patches/gpu_default_disabled: No longer disable GPU rendering by
    default.
  * debian/patches/disable-sse2: SSE exclusion is smarter now. Re-include.

 -- Chad MILLER <email address hidden>  Mon, 14 Sep 2015 20:11:00 -0400

Available diffs

• diff from 44.0.2403.89-0ubuntu0.15.04.1.1177 to 45.0.2454.85-0ubuntu0.15.04.1.1181 (111.1 MiB)
• diff from 45.0.2454.85-0ubuntu0.15.04.1.1179 to 45.0.2454.85-0ubuntu0.15.04.1.1181 (1.1 KiB)

chromium-browser (44.0.2403.89-0ubuntu1.1195) wily; urgency=medium

  * Upstream release 44.0.2403.89: (LP: #1477662)
    - CVE-2015-1271: Heap-buffer-overflow in pdfium.
    - CVE-2015-1273: Heap-buffer-overflow in pdfium.
    - CVE-2015-1274: Settings allowed executable files to run immediately
      after download.
    - CVE-2015-1275: UXSS in Chrome for Android.
    - CVE-2015-1276: Use-after-free in IndexedDB.
    - CVE-2015-1279: Heap-buffer-overflow in pdfium.
    - CVE-2015-1280: Memory corruption in skia.
    - CVE-2015-1281: CSP bypass.
    - CVE-2015-1282: Use-after-free in pdfium.
    - CVE-2015-1283: Heap-buffer-overflow in expat.
    - CVE-2015-1284: Use-after-free in blink.
    - CVE-2015-1286: UXSS in blink.
    - CVE-2015-1287: SOP bypass with CSS.
    - CVE-2015-1270: Uninitialized memory read in ICU.
    - CVE-2015-1272: Use-after-free related to unexpected GPU process
      termination.
    - CVE-2015-1277: Use-after-free in accessibility.
    - CVE-2015-1278: URL spoofing using pdf files.
    - CVE-2015-1285: Information leak in XSS auditor.
    - CVE-2015-1288: Spell checking dictionaries fetched over HTTP.
    - CVE-2015-1289: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules, debian/chromium-codecs-ffmpeg{,-extra}.install: ffmpeg is a
    first-class component library now, not a special snowflake. Still, build
    it differently, but build flags are different.
  * debian/tests/smoketest-actual: Remove some innocuous mentions of "error"
    before testing for actual errors.
  * debian/control: codec library packages replace the libffmpeg.so that
    was in chromium packages before now.
  * debian/control: codec packages can't reasonably be updated separately
    than chromium. Depend with version specification also.

 -- Chad MILLER <email address hidden>  Tue, 28 Jul 2015 11:19:11 -0400

Available diffs

• diff from 43.0.2357.130-0ubuntu2 to 44.0.2403.89-0ubuntu1.1195 (56.2 MiB)

chromium-browser (44.0.2403.89-0ubuntu0.14.04.1.1095) trusty-security; urgency=medium

  * Upstream release 44.0.2403.89: (LP: #1477662)
    - CVE-2015-1271: Heap-buffer-overflow in pdfium.
    - CVE-2015-1273: Heap-buffer-overflow in pdfium.
    - CVE-2015-1274: Settings allowed executable files to run immediately
      after download.
    - CVE-2015-1275: UXSS in Chrome for Android.
    - CVE-2015-1276: Use-after-free in IndexedDB.
    - CVE-2015-1279: Heap-buffer-overflow in pdfium.
    - CVE-2015-1280: Memory corruption in skia.
    - CVE-2015-1281: CSP bypass.
    - CVE-2015-1282: Use-after-free in pdfium.
    - CVE-2015-1283: Heap-buffer-overflow in expat.
    - CVE-2015-1284: Use-after-free in blink.
    - CVE-2015-1286: UXSS in blink.
    - CVE-2015-1287: SOP bypass with CSS.
    - CVE-2015-1270: Uninitialized memory read in ICU.
    - CVE-2015-1272: Use-after-free related to unexpected GPU process
      termination.
    - CVE-2015-1277: Use-after-free in accessibility.
    - CVE-2015-1278: URL spoofing using pdf files.
    - CVE-2015-1285: Information leak in XSS auditor.
    - CVE-2015-1288: Spell checking dictionaries fetched over HTTP.
    - CVE-2015-1289: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules, debian/chromium-codecs-ffmpeg{,-extra}.install: ffmpeg is a
    first-class component library now, not a special snowflake. Still, build
    it differently, but build flags are different.
  * debian/tests/smoketest-actual: Remove some innocuous mentions of "error"
    before testing for actual errors.
  * debian/control: codec library packages replace the libffmpeg.so that
    was in chromium packages before now.
  * debian/control: codec packages can't reasonably be updated separately
    than chromium. Depend with version specification also.

 -- Chad MILLER <email address hidden>  Tue, 28 Jul 2015 11:19:11 -0400

Available diffs

• diff from 43.0.2357.130-0ubuntu0.14.04.1.1092 to 44.0.2403.89-0ubuntu0.14.04.1.1095 (56.2 MiB)
• diff from 44.0.2403.89-0ubuntu0.14.04.1.1094 to 44.0.2403.89-0ubuntu0.14.04.1.1095 (1.2 KiB)

chromium-browser (44.0.2403.89-0ubuntu0.15.04.1.1177) vivid-security; urgency=medium

  * Upstream release 44.0.2403.89: (LP: #1477662)
    - CVE-2015-1271: Heap-buffer-overflow in pdfium.
    - CVE-2015-1273: Heap-buffer-overflow in pdfium.
    - CVE-2015-1274: Settings allowed executable files to run immediately
      after download.
    - CVE-2015-1275: UXSS in Chrome for Android.
    - CVE-2015-1276: Use-after-free in IndexedDB.
    - CVE-2015-1279: Heap-buffer-overflow in pdfium.
    - CVE-2015-1280: Memory corruption in skia.
    - CVE-2015-1281: CSP bypass.
    - CVE-2015-1282: Use-after-free in pdfium.
    - CVE-2015-1283: Heap-buffer-overflow in expat.
    - CVE-2015-1284: Use-after-free in blink.
    - CVE-2015-1286: UXSS in blink.
    - CVE-2015-1287: SOP bypass with CSS.
    - CVE-2015-1270: Uninitialized memory read in ICU.
    - CVE-2015-1272: Use-after-free related to unexpected GPU process
      termination.
    - CVE-2015-1277: Use-after-free in accessibility.
    - CVE-2015-1278: URL spoofing using pdf files.
    - CVE-2015-1285: Information leak in XSS auditor.
    - CVE-2015-1288: Spell checking dictionaries fetched over HTTP.
    - CVE-2015-1289: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules, debian/chromium-codecs-ffmpeg{,-extra}.install: ffmpeg is a
    first-class component library now, not a special snowflake. Still, build
    it differently, but build flags are different.
  * debian/tests/smoketest-actual: Remove some innocuous mentions of "error"
    before testing for actual errors.
  * debian/control: codec library packages replace the libffmpeg.so that
    was in chromium packages before now.
  * debian/control: codec packages can't reasonably be updated separately
    than chromium. Depend with version specification also.

 -- Chad MILLER <email address hidden>  Tue, 28 Jul 2015 11:19:11 -0400

Available diffs

• diff from 43.0.2357.130-0ubuntu0.15.04.1.1174 to 44.0.2403.89-0ubuntu0.15.04.1.1177 (56.2 MiB)
• diff from 44.0.2403.89-0ubuntu0.15.04.1.1176 to 44.0.2403.89-0ubuntu0.15.04.1.1177 (1.2 KiB)

chromium-browser (43.0.2357.130-0ubuntu2) wily; urgency=medium

  * test-dep on imagemagick - we use 'convert'
  * whitelist some "error" messages in the test runner which are actually
    harmless.

 -- Iain Lane <email address hidden>  Thu, 23 Jul 2015 15:35:23 +0100

Available diffs

• diff from 43.0.2357.81-0ubuntu2 to 43.0.2357.130-0ubuntu2 (68.9 KiB)
• diff from 43.0.2357.130-0ubuntu1.1188 to 43.0.2357.130-0ubuntu2 (873 bytes)

chromium-browser (43.0.2357.130-0ubuntu1.1188) wily; urgency=medium

  * Upstream release 43.0.2357.130:
    - CVE-2015-1266: Scheme validation error in WebUI.
    - CVE-2015-1268: Cross-origin bypass in Blink.
    - CVE-2015-1267: Cross-origin bypass in Blink.
    - CVE-2015-1269: Normalization error in HSTS/HPKP preload list.
  * debian/tests/smoketest-actual: Capture web-server log so we can
    get port and test retreival. Fixes autopkgtest failures.
  * debian/patches/widevine-other-locations: Search Chrome install
    location to find widevine plugins.
  * Reenable GPU usage on Wily only. Silent disabling is probably a
    bad idea. On all other distros, default to off, but don't blacklist.
  * Use new Flash plugin name in apport collector.

 -- Chad MILLER <email address hidden>  Mon, 29 Jun 2015 15:54:16 -0400

Available diffs

• diff from 43.0.2357.81-0ubuntu2 to 43.0.2357.130-0ubuntu1.1188 (68.7 KiB)

chromium-browser (43.0.2357.130-0ubuntu0.14.04.1.1092) trusty-security; urgency=medium

  [Chad Miller]
  * Upstream release 43.0.2357.130:
    - CVE-2015-1266: Scheme validation error in WebUI.
    - CVE-2015-1268: Cross-origin bypass in Blink.
    - CVE-2015-1267: Cross-origin bypass in Blink.
    - CVE-2015-1269: Normalization error in HSTS/HPKP preload list.
  * debian/tests/smoketest-actual: Capture web-server log so we can
    get port and test retreival. Fixes autopkgtest failures.
  * debian/patches/widevine-other-locations: Search Chrome install
    location to find widevine plugins.
  * Use new Flash plugin name in apport collector.
  * debian/patches/gpu_default_disabled: Make GPU activation a (default off)
    preference instead of blacklisting.
  [Iain Lane]
  * Test fixes.
  * debian/tests/control: Add a test-dep on python3-httplib2 and dbus-x11
    which are required by the testsuite.
  * debian/tests/smoketest-actual: Redirect webserver-out and webserver-err so
    that the test can read these.

 -- Chad MILLER <email address hidden>  Mon, 29 Jun 2015 15:54:16 -0400

Available diffs

• diff from 43.0.2357.81-0ubuntu0.14.04.1.1089 to 43.0.2357.130-0ubuntu0.14.04.1.1092 (68.5 KiB)

chromium-browser (43.0.2357.130-0ubuntu0.14.10.1.1134) utopic-security; urgency=medium

  [Chad Miller]
  * Upstream release 43.0.2357.130:
    - CVE-2015-1266: Scheme validation error in WebUI.
    - CVE-2015-1268: Cross-origin bypass in Blink.
    - CVE-2015-1267: Cross-origin bypass in Blink.
    - CVE-2015-1269: Normalization error in HSTS/HPKP preload list.
  * debian/tests/smoketest-actual: Capture web-server log so we can
    get port and test retreival. Fixes autopkgtest failures.
  * debian/patches/widevine-other-locations: Search Chrome install
    location to find widevine plugins.
  * Use new Flash plugin name in apport collector.
  * debian/patches/gpu_default_disabled: Make GPU activation a (default off)
    preference instead of blacklisting.
  [Iain Lane]
  * Test fixes.
  * debian/tests/control: Add a test-dep on python3-httplib2 and dbus-x11
    which are required by the testsuite.
  * debian/tests/smoketest-actual: Redirect webserver-out and webserver-err so
    that the test can read these.

 -- Chad MILLER <email address hidden>  Mon, 29 Jun 2015 15:54:16 -0400

Available diffs

• diff from 43.0.2357.81-0ubuntu0.14.10.1.1131 to 43.0.2357.130-0ubuntu0.14.10.1.1134 (68.5 KiB)

chromium-browser (43.0.2357.130-0ubuntu0.15.04.1.1174) vivid-security; urgency=medium

  [Chad Miller]
  * Upstream release 43.0.2357.130:
    - CVE-2015-1266: Scheme validation error in WebUI.
    - CVE-2015-1268: Cross-origin bypass in Blink.
    - CVE-2015-1267: Cross-origin bypass in Blink.
    - CVE-2015-1269: Normalization error in HSTS/HPKP preload list.
  * debian/tests/smoketest-actual: Capture web-server log so we can
    get port and test retreival. Fixes autopkgtest failures.
  * debian/patches/widevine-other-locations: Search Chrome install
    location to find widevine plugins.
  * Use new Flash plugin name in apport collector.
  * debian/patches/gpu_default_disabled: Make GPU activation a (default off)
    preference instead of blacklisting.
  [Iain Lane]
  * Test fixes.
  * debian/tests/control: Add a test-dep on python3-httplib2 and dbus-x11
    which are required by the testsuite.
  * debian/tests/smoketest-actual: Redirect webserver-out and webserver-err so
    that the test can read these.

 -- Chad MILLER <email address hidden>  Mon, 29 Jun 2015 15:54:16 -0400

Available diffs

• diff from 43.0.2357.81-0ubuntu0.15.04.1.1170 to 43.0.2357.130-0ubuntu0.15.04.1.1174 (68.5 KiB)

chromium-browser (43.0.2357.81-0ubuntu2) wily; urgency=medium

  * Test fixes.
  * debian/tests/control: Add a test-dep on python3-httplib2 and dbus-x11
    which are required by the testsuite.
  * debian/tests/smoketest-actual: Redirect webserver-out and webserver-err so
    that the test can read these.

 -- Iain Lane <email address hidden>  Wed, 24 Jun 2015 13:40:23 +0100

Available diffs

• diff from 42.0.2311.135-1ubuntu1.1160 (in ~canonical-chromium-builds/ubuntu/stage) to 43.0.2357.81-0ubuntu2 (57.0 MiB)
• diff from 43.0.2357.81-0ubuntu1.1179 to 43.0.2357.81-0ubuntu2 (713 bytes)

chromium-browser (43.0.2357.81-0ubuntu1.1179) wily; urgency=medium

  * Upstream release 43.0.2357.81.
    - "Icons not displaying properly on Linux" (LP: #1449063)
  * Upstream release 43.0.2357.65:
    - CVE-2015-1252: Sandbox escape in Chrome.
    - CVE-2015-1253: Cross-origin bypass in DOM.
    - CVE-2015-1254: Cross-origin bypass in Editing.
    - CVE-2015-1255: Use-after-free in WebAudio.
    - CVE-2015-1256: Use-after-free in SVG.
    - CVE-2015-1251: Use-after-free in Speech.
    - CVE-2015-1257: Container-overflow in SVG.
    - CVE-2015-1258: Negative-size parameter in Libvpx.
    - CVE-2015-1259: Uninitialized value in PDFium.
    - CVE-2015-1260: Use-after-free in WebRTC.
    - CVE-2015-1261: URL bar spoofing.
    - CVE-2015-1262: Uninitialized value in Blink.
    - CVE-2015-1263: Insecure download of spellcheck dictionary.
    - CVE-2015-1264: Cross-site scripting in bookmarks.
    - CVE-2015-1265: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.3 branch
      (currently 4.3.61.21).
  * debian/patches/display-scaling-report-hardware-info: removed, unnecessary.
  * debian/patches/coordinate-space-map: removed, unnecessary.
  * debian/patches/enable_vaapi_on_linux.diff: Temporarily disable patch until
    ARM works.
  * debian/chromium-browser.sh.in: Add --verbose to get logging info.
  * debian/patches/{notifications-nicer,mir-support}: disable unnecessary
    patches.
  * debian/control, debian/chromium-browser.sh.in: Prompt nothing about
    Flash plugin. Send Help clicks to Wiki instead.

 -- Chad MILLER <email address hidden>  Mon, 01 Jun 2015 15:29:04 -0400

Available diffs

• diff from 42.0.2311.135-1ubuntu1.1160 (in ~canonical-chromium-builds/ubuntu/stage) to 43.0.2357.81-0ubuntu1.1179 (57.0 MiB)

chromium-browser (43.0.2357.81-0ubuntu0.14.04.1.1089) trusty-security; urgency=medium

  * Upstream release 43.0.2357.81.
    - "Icons not displaying properly on Linux" (LP: #1449063)
  * Upstream release 43.0.2357.65:
    - CVE-2015-1252: Sandbox escape in Chrome.
    - CVE-2015-1253: Cross-origin bypass in DOM.
    - CVE-2015-1254: Cross-origin bypass in Editing.
    - CVE-2015-1255: Use-after-free in WebAudio.
    - CVE-2015-1256: Use-after-free in SVG.
    - CVE-2015-1251: Use-after-free in Speech.
    - CVE-2015-1257: Container-overflow in SVG.
    - CVE-2015-1258: Negative-size parameter in Libvpx.
    - CVE-2015-1259: Uninitialized value in PDFium.
    - CVE-2015-1260: Use-after-free in WebRTC.
    - CVE-2015-1261: URL bar spoofing.
    - CVE-2015-1262: Uninitialized value in Blink.
    - CVE-2015-1263: Insecure download of spellcheck dictionary.
    - CVE-2015-1264: Cross-site scripting in bookmarks.
    - CVE-2015-1265: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.3 branch
      (currently 4.3.61.21).
  * debian/patches/display-scaling-report-hardware-info: removed, unnecessary.
  * debian/patches/coordinate-space-map: removed, unnecessary.
  * debian/patches/enable_vaapi_on_linux.diff: Temporarily disable patch until
    ARM works.
  * debian/chromium-browser.sh.in: Add --verbose to get logging info.
  * debian/patches/{notifications-nicer,mir-support}: disable unnecessary
    patches.
  * debian/control, debian/chromium-browser.sh.in: Prompt nothing about
    Flash plugin. Send Help clicks to Wiki instead.

 -- Chad MILLER <email address hidden>  Mon, 01 Jun 2015 15:29:04 -0400

Available diffs

• diff from 41.0.2272.76-0ubuntu0.14.04.1.1076 to 43.0.2357.81-0ubuntu0.14.04.1.1089 (93.0 MiB)
• diff from 43.0.2357.81-0ubuntu0.14.04.1.1088 to 43.0.2357.81-0ubuntu0.14.04.1.1089 (756 bytes)

chromium-browser (43.0.2357.81-0ubuntu0.14.10.1.1131) utopic-security; urgency=medium

  * Upstream release 43.0.2357.81.
    - "Icons not displaying properly on Linux" (LP: #1449063)
  * Upstream release 43.0.2357.65:
    - CVE-2015-1252: Sandbox escape in Chrome.
    - CVE-2015-1253: Cross-origin bypass in DOM.
    - CVE-2015-1254: Cross-origin bypass in Editing.
    - CVE-2015-1255: Use-after-free in WebAudio.
    - CVE-2015-1256: Use-after-free in SVG.
    - CVE-2015-1251: Use-after-free in Speech.
    - CVE-2015-1257: Container-overflow in SVG.
    - CVE-2015-1258: Negative-size parameter in Libvpx.
    - CVE-2015-1259: Uninitialized value in PDFium.
    - CVE-2015-1260: Use-after-free in WebRTC.
    - CVE-2015-1261: URL bar spoofing.
    - CVE-2015-1262: Uninitialized value in Blink.
    - CVE-2015-1263: Insecure download of spellcheck dictionary.
    - CVE-2015-1264: Cross-site scripting in bookmarks.
    - CVE-2015-1265: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.3 branch
      (currently 4.3.61.21).
  * debian/patches/display-scaling-report-hardware-info: removed, unnecessary.
  * debian/patches/coordinate-space-map: removed, unnecessary.
  * debian/patches/enable_vaapi_on_linux.diff: Temporarily disable patch until
    ARM works.
  * debian/chromium-browser.sh.in: Add --verbose to get logging info.
  * debian/patches/{notifications-nicer,mir-support}: disable unnecessary
    patches.
  * debian/control, debian/chromium-browser.sh.in: Prompt nothing about
    Flash plugin. Send Help clicks to Wiki instead.

 -- Chad MILLER <email address hidden>  Mon, 01 Jun 2015 15:29:04 -0400

Available diffs

• diff from 41.0.2272.76-0ubuntu0.14.10.1.1118 to 43.0.2357.81-0ubuntu0.14.10.1.1131 (93.0 MiB)
• diff from 43.0.2357.81-0ubuntu0.14.10.1.1130 to 43.0.2357.81-0ubuntu0.14.10.1.1131 (755 bytes)

chromium-browser (43.0.2357.81-0ubuntu0.15.04.1.1170) vivid-security; urgency=medium

  * Upstream release 43.0.2357.81.
    - "Icons not displaying properly on Linux" (LP: #1449063)
  * Upstream release 43.0.2357.65:
    - CVE-2015-1252: Sandbox escape in Chrome.
    - CVE-2015-1253: Cross-origin bypass in DOM.
    - CVE-2015-1254: Cross-origin bypass in Editing.
    - CVE-2015-1255: Use-after-free in WebAudio.
    - CVE-2015-1256: Use-after-free in SVG.
    - CVE-2015-1251: Use-after-free in Speech.
    - CVE-2015-1257: Container-overflow in SVG.
    - CVE-2015-1258: Negative-size parameter in Libvpx.
    - CVE-2015-1259: Uninitialized value in PDFium.
    - CVE-2015-1260: Use-after-free in WebRTC.
    - CVE-2015-1261: URL bar spoofing.
    - CVE-2015-1262: Uninitialized value in Blink.
    - CVE-2015-1263: Insecure download of spellcheck dictionary.
    - CVE-2015-1264: Cross-site scripting in bookmarks.
    - CVE-2015-1265: Various fixes from internal audits, fuzzing and other
      initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.3 branch
      (currently 4.3.61.21).
  * debian/patches/display-scaling-report-hardware-info: removed, unnecessary.
  * debian/patches/coordinate-space-map: removed, unnecessary.
  * debian/patches/enable_vaapi_on_linux.diff: Temporarily disable patch until
    ARM works.
  * debian/chromium-browser.sh.in: Add --verbose to get logging info.
  * debian/patches/{notifications-nicer,mir-support}: disable unnecessary
    patches.
  * debian/control, debian/chromium-browser.sh.in: Prompt nothing about
    Flash plugin. Send Help clicks to Wiki instead.

 -- Chad MILLER <email address hidden>  Mon, 01 Jun 2015 15:29:04 -0400

Available diffs

• diff from 43.0.2357.81-0ubuntu0.15.04.1.1169 to 43.0.2357.81-0ubuntu0.15.04.1.1170 (756 bytes)

chromium-browser (42.0.2311.135-1ubuntu1.1160) wily; urgency=medium

  * Upstream release 42.0.2311.135:
    - CVE-2015-1243: Use-after-free in DOM.
    - CVE-2015-1250: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 42.0.2311.90:
    - CVE-2015-1235: Cross-origin-bypass in HTML parser.
    - CVE-2015-1236: Cross-origin-bypass in Blink.
    - CVE-2015-1237: Use-after-free in IPC.
    - CVE-2015-1238: Out-of-bounds write in Skia.
    - CVE-2015-1240: Out-of-bounds read in WebGL.
    - CVE-2015-1241: Tap-Jacking.
    - CVE-2015-1242: Type confusion in V8.
    - CVE-2015-1244: HSTS bypass in WebSockets.
    - CVE-2015-1245: Use-after-free in PDFium.
    - CVE-2015-1247: Scheme issues in OpenSearch.
    - CVE-2015-1248: SafeBrowsing bypass.
  * Upstream release 41.0.2272.118:
    - CVE-2015-1233: A special thanks to Anonymous for a combination of V8,
      Gamepad and IPC bugs that can lead to remote code execution outside of
      the sandbox.
    - CVE-2015-1234: Buffer overflow via race condition in GPU.
  * Change assumed X-resource DPI from 108 to 96. That's closer to 100.
  * Autopkgtest now depends on x11-apps to get xwd. Make smoketest exit val
    nonzero on failure.
  * debian/generate-snappy.mk, debian/rules: Start to generate snap packages
    if available.
  * debian/chromium-browser.sh.in: Test for /etc/ dir before listing it.
  * debian/chromium-browser.sh.in,
    debian/chromium-browser-etc-customizations-flash-staleness: Ask sudo users
    to update flash player.
  * debian/chromium-browser-etc-customizations-flash-staleness: Pass only one
    flash-player start param to chromium. Prefer the new one.
  * debian/patches/arm-neon.patch: exclude new armv7=neon assumptions.
  * debian/patches/all_gpus_blacklisted: AMD, Intel, and NVIDIA cards all
    contribute to the largest crash report in errors.ubuntu.com. Let's disable
    GPUs for now.

 -- Chad MILLER <email address hidden>  Mon, 04 May 2015 12:09:02 -0400

Available diffs

• diff from 41.0.2272.76-0ubuntu1.1134 (in Ubuntu) to 42.0.2311.135-1ubuntu1.1160 (75.9 MiB)
• diff from 42.0.2311.135-0ubuntu2.1158 to 42.0.2311.135-1ubuntu1.1160 (42.1 KiB)

chromium-browser (41.0.2272.76-0ubuntu1.1134) vivid; urgency=medium

  * Upstream release 41.0.2272.76:
    - CVE-2015-1212: Out-of-bounds write in media.
    - CVE-2015-1213: Out-of-bounds write in skia filters.
    - CVE-2015-1214: Out-of-bounds write in skia filters.
    - CVE-2015-1215: Out-of-bounds write in skia filters.
    - CVE-2015-1216: Use-after-free in v8 bindings.
    - CVE-2015-1217: Type confusion in v8 bindings.
    - CVE-2015-1218: Use-after-free in dom.
    - CVE-2015-1219: Integer overflow in webgl.
    - CVE-2015-1220: Use-after-free in gif decoder.
    - CVE-2015-1221: Use-after-free in web databases.
    - CVE-2015-1222: Use-after-free in service workers.
    - CVE-2015-1223: Use-after-free in dom.
    - CVE-2015-1230: Type confusion in v8.
    - CVE-2015-1224: Out-of-bounds read in vpxdecoder.
    - CVE-2015-1225: Out-of-bounds read in pdfium.
    - CVE-2015-1226: Validation issue in debugger.
    - CVE-2015-1227: Uninitialized value in blink.
    - CVE-2015-1228: Uninitialized value in rendering.
    - CVE-2015-1229: Cookie injection via proxies.
    - CVE-2015-1231: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 40.0.2214.115.
  * debian/patches/coordinate-space-map: Backport v43 and unofficial
    coordinate mapping to fix some high-dpi problems in popup menu placement.
  * debian/apport/chromium-browser.py: Simplify. Use more standard functions
    from apport utility. Add CPU usage information. Add bargraph of "running"
    processes, so bugpatterns can sort away busy machines, and then classify
    remainder according to procline "gpu-vendor=id" param.
  * debian/patches/gpu-hangs: Extend the GPU watchdog to 30 seconds. If the
    GPU is really hung, the extra time matters little. It's probably not
    recoverable. Reviews of apport reports find no common thread among GPUs
    vendors. Notes at  crbug.com/221882  suggest busy CPUs could trigger hang.
    Will additionally use apport bugpatterns to comb dmesg for actual crashes
    and route to specific GPU-driver bugs.
 -- Chad MILLER <email address hidden>   Wed, 04 Mar 2015 10:25:03 -0500

Available diffs

• diff from 40.0.2214.111-0ubuntu1.1121 to 41.0.2272.76-0ubuntu1.1134 (65.9 MiB)

chromium-browser (41.0.2272.76-0ubuntu0.14.04.1.1076) trusty-security; urgency=medium

  * Upstream release 41.0.2272.76:
    - CVE-2015-1212: Out-of-bounds write in media.
    - CVE-2015-1213: Out-of-bounds write in skia filters.
    - CVE-2015-1214: Out-of-bounds write in skia filters.
    - CVE-2015-1215: Out-of-bounds write in skia filters.
    - CVE-2015-1216: Use-after-free in v8 bindings.
    - CVE-2015-1217: Type confusion in v8 bindings.
    - CVE-2015-1218: Use-after-free in dom.
    - CVE-2015-1219: Integer overflow in webgl.
    - CVE-2015-1220: Use-after-free in gif decoder.
    - CVE-2015-1221: Use-after-free in web databases.
    - CVE-2015-1222: Use-after-free in service workers.
    - CVE-2015-1223: Use-after-free in dom.
    - CVE-2015-1230: Type confusion in v8.
    - CVE-2015-1224: Out-of-bounds read in vpxdecoder.
    - CVE-2015-1225: Out-of-bounds read in pdfium.
    - CVE-2015-1226: Validation issue in debugger.
    - CVE-2015-1227: Uninitialized value in blink.
    - CVE-2015-1228: Uninitialized value in rendering.
    - CVE-2015-1229: Cookie injection via proxies.
    - CVE-2015-1231: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 40.0.2214.115.
  * debian/patches/coordinate-space-map: Backport v43 and unofficial
    coordinate mapping to fix some high-dpi problems in popup menu placement.
  * debian/apport/chromium-browser.py: Simplify. Use more standard functions
    from apport utility. Add CPU usage information. Add bargraph of "running"
    processes, so bugpatterns can sort away busy machines, and then classify
    remainder according to procline "gpu-vendor=id" param.
  * debian/patches/gpu-hangs: Extend the GPU watchdog to 30 seconds. If the
    GPU is really hung, the extra time matters little. It's probably not
    recoverable. Reviews of apport reports find no common thread among GPUs
    vendors. Notes at  crbug.com/221882  suggest busy CPUs could trigger hang.
    Will additionally use apport bugpatterns to comb dmesg for actual crashes
    and route to specific GPU-driver bugs.
 -- Chad MILLER <email address hidden>   Wed, 04 Mar 2015 10:25:03 -0500

Available diffs

• diff from 40.0.2214.111-0ubuntu0.14.04.1.1069 to 41.0.2272.76-0ubuntu0.14.04.1.1076 (65.9 MiB)
• diff from 41.0.2272.76-0ubuntu0.14.04.1.1075 to 41.0.2272.76-0ubuntu0.14.04.1.1076 (850 bytes)

chromium-browser (41.0.2272.76-0ubuntu0.14.10.1.1118) utopic-security; urgency=medium

  * Upstream release 41.0.2272.76:
    - CVE-2015-1212: Out-of-bounds write in media.
    - CVE-2015-1213: Out-of-bounds write in skia filters.
    - CVE-2015-1214: Out-of-bounds write in skia filters.
    - CVE-2015-1215: Out-of-bounds write in skia filters.
    - CVE-2015-1216: Use-after-free in v8 bindings.
    - CVE-2015-1217: Type confusion in v8 bindings.
    - CVE-2015-1218: Use-after-free in dom.
    - CVE-2015-1219: Integer overflow in webgl.
    - CVE-2015-1220: Use-after-free in gif decoder.
    - CVE-2015-1221: Use-after-free in web databases.
    - CVE-2015-1222: Use-after-free in service workers.
    - CVE-2015-1223: Use-after-free in dom.
    - CVE-2015-1230: Type confusion in v8.
    - CVE-2015-1224: Out-of-bounds read in vpxdecoder.
    - CVE-2015-1225: Out-of-bounds read in pdfium.
    - CVE-2015-1226: Validation issue in debugger.
    - CVE-2015-1227: Uninitialized value in blink.
    - CVE-2015-1228: Uninitialized value in rendering.
    - CVE-2015-1229: Cookie injection via proxies.
    - CVE-2015-1231: Various fixes from internal audits, fuzzing and other
      initiatives.
  * Upstream release 40.0.2214.115.
  * debian/patches/coordinate-space-map: Backport v43 and unofficial
    coordinate mapping to fix some high-dpi problems in popup menu placement.
  * debian/apport/chromium-browser.py: Simplify. Use more standard functions
    from apport utility. Add CPU usage information. Add bargraph of "running"
    processes, so bugpatterns can sort away busy machines, and then classify
    remainder according to procline "gpu-vendor=id" param.
  * debian/patches/gpu-hangs: Extend the GPU watchdog to 30 seconds. If the
    GPU is really hung, the extra time matters little. It's probably not
    recoverable. Reviews of apport reports find no common thread among GPUs
    vendors. Notes at  crbug.com/221882  suggest busy CPUs could trigger hang.
    Will additionally use apport bugpatterns to comb dmesg for actual crashes
    and route to specific GPU-driver bugs.
 -- Chad MILLER <email address hidden>   Wed, 04 Mar 2015 10:25:03 -0500

Available diffs

• diff from 40.0.2214.111-0ubuntu0.14.10.1.1111 to 41.0.2272.76-0ubuntu0.14.10.1.1118 (65.9 MiB)
• diff from 41.0.2272.76-0ubuntu0.14.10.1.1117 to 41.0.2272.76-0ubuntu0.14.10.1.1118 (850 bytes)

chromium-browser (40.0.2214.111-0ubuntu1.1121) vivid; urgency=medium

  * Upstream release 40.0.2214.111:
    - CVE-2015-1209: Use-after-free in DOM.
    - CVE-2015-1210: Cross-origin-bypass in V8 bindings.
    - CVE-2015-1211: Privilege escalation using service workers.
    - CVE-2015-1212: Various fixes from internal audits, fuzzing and other
      initiatives.
 -- Chad MILLER <email address hidden>   Fri, 06 Feb 2015 09:38:15 -0500

Available diffs

• diff from 40.0.2214.94-0ubuntu1.1120 (in ~canonical-chromium-builds/ubuntu/stage) to 40.0.2214.111-0ubuntu1.1121 (32.8 KiB)

chromium-browser (40.0.2214.111-0ubuntu0.14.04.1.1069) trusty-security; urgency=medium

  * Upstream release 40.0.2214.111:
    - CVE-2015-1209: Use-after-free in DOM.
    - CVE-2015-1210: Cross-origin-bypass in V8 bindings.
    - CVE-2015-1211: Privilege escalation using service workers.
    - CVE-2015-1212: Various fixes from internal audits, fuzzing and other
      initiatives.
 -- Chad MILLER <email address hidden>   Fri, 06 Feb 2015 09:38:15 -0500

Available diffs

• diff from 40.0.2214.94-0ubuntu0.14.04.1.1068 to 40.0.2214.111-0ubuntu0.14.04.1.1069 (32.8 KiB)

chromium-browser (40.0.2214.111-0ubuntu0.14.10.1.1111) utopic-security; urgency=medium

  * Upstream release 40.0.2214.111:
    - CVE-2015-1209: Use-after-free in DOM.
    - CVE-2015-1210: Cross-origin-bypass in V8 bindings.
    - CVE-2015-1211: Privilege escalation using service workers.
    - CVE-2015-1212: Various fixes from internal audits, fuzzing and other
      initiatives.
 -- Chad MILLER <email address hidden>   Fri, 06 Feb 2015 09:38:15 -0500

Available diffs

• diff from 40.0.2214.94-0ubuntu0.14.10.1.1110 to 40.0.2214.111-0ubuntu0.14.10.1.1111 (32.8 KiB)

chromium-browser (40.0.2214.94-0ubuntu0.14.04.1.1068) trusty-security; urgency=medium

  * Upstream release 40.0.2214.94.
  * Upstream release 40.0.2214.93.
  * Upstream release 40.0.2214.91. (LP: #1414753)
    - CVE-2014-7923: Memory corruption in ICU.
    - CVE-2014-7924: Use-after-free in IndexedDB.
    - CVE-2014-7925: Use-after-free in WebAudio.
    - CVE-2014-7926: Memory corruption in ICU.
    - CVE-2014-7927: Memory corruption in V8.
    - CVE-2014-7928: Memory corruption in V8.
    - CVE-2014-7930: Use-after-free in DOM.
    - CVE-2014-7931: Memory corruption in V8.
    - CVE-2014-7929: Use-after-free in DOM.
    - CVE-2014-7932: Use-after-free in DOM.
    - CVE-2014-7933: Use-after-free in FFmpeg.
    - CVE-2014-7934: Use-after-free in DOM.
    - CVE-2014-7935: Use-after-free in Speech.
    - CVE-2014-7936: Use-after-free in Views.
    - CVE-2014-7937: Use-after-free in FFmpeg.
    - CVE-2014-7938: Memory corruption in Fonts.
    - CVE-2014-7939: Same-origin-bypass in V8.
    - CVE-2014-7940: Uninitialized-value in ICU.
    - CVE-2014-7941: Out-of-bounds read in UI.
    - CVE-2014-7942: Uninitialized-value in Fonts.
    - CVE-2014-7943: Out-of-bounds read in Skia.
    - CVE-2014-7944: Out-of-bounds read in PDFium.
    - CVE-2014-7945: Out-of-bounds read in PDFium.
    - CVE-2014-7946: Out-of-bounds read in Fonts.
    - CVE-2014-7947: Out-of-bounds read in PDFium.
    - CVE-2014-7948: Caching error in AppCache.
  * debian/patch/search-credit: Don't force client in GOOG suggestions search.
    (LP: #1398900)
  * debian/patches/dri3-within-sandbox: Backport V41 sandbox, fixing DRI3.
    (LP: #1378627)
  * debian/patches/macro-templates-not-match: Remove. No longer necessary.
  * debian/patches/arm-neon.patch: Kill armv7=neon assumption. Fix typos.
  * debian/rules: chrpath for all packages.  (LP: #1415555)
 -- Chad MILLER <email address hidden>   Fri, 30 Jan 2015 15:48:09 -0500

Available diffs

• diff from 39.0.2171.65-0ubuntu0.14.04.1.1064 to 40.0.2214.94-0ubuntu0.14.04.1.1068 (99.7 MiB)
• diff from 40.0.2214.93-0ubuntu0.14.04.1.1067 to 40.0.2214.94-0ubuntu0.14.04.1.1068 (2.6 KiB)

chromium-browser (40.0.2214.94-0ubuntu0.14.10.1.1110) utopic-security; urgency=medium

  * Upstream release 40.0.2214.94.
  * Upstream release 40.0.2214.93.
  * Upstream release 40.0.2214.91. (LP: #1414753)
    - CVE-2014-7923: Memory corruption in ICU.
    - CVE-2014-7924: Use-after-free in IndexedDB.
    - CVE-2014-7925: Use-after-free in WebAudio.
    - CVE-2014-7926: Memory corruption in ICU.
    - CVE-2014-7927: Memory corruption in V8.
    - CVE-2014-7928: Memory corruption in V8.
    - CVE-2014-7930: Use-after-free in DOM.
    - CVE-2014-7931: Memory corruption in V8.
    - CVE-2014-7929: Use-after-free in DOM.
    - CVE-2014-7932: Use-after-free in DOM.
    - CVE-2014-7933: Use-after-free in FFmpeg.
    - CVE-2014-7934: Use-after-free in DOM.
    - CVE-2014-7935: Use-after-free in Speech.
    - CVE-2014-7936: Use-after-free in Views.
    - CVE-2014-7937: Use-after-free in FFmpeg.
    - CVE-2014-7938: Memory corruption in Fonts.
    - CVE-2014-7939: Same-origin-bypass in V8.
    - CVE-2014-7940: Uninitialized-value in ICU.
    - CVE-2014-7941: Out-of-bounds read in UI.
    - CVE-2014-7942: Uninitialized-value in Fonts.
    - CVE-2014-7943: Out-of-bounds read in Skia.
    - CVE-2014-7944: Out-of-bounds read in PDFium.
    - CVE-2014-7945: Out-of-bounds read in PDFium.
    - CVE-2014-7946: Out-of-bounds read in Fonts.
    - CVE-2014-7947: Out-of-bounds read in PDFium.
    - CVE-2014-7948: Caching error in AppCache.
  * debian/patch/search-credit: Don't force client in GOOG suggestions search.
    (LP: #1398900)
  * debian/patches/dri3-within-sandbox: Backport V41 sandbox, fixing DRI3.
    (LP: #1378627)
  * debian/patches/macro-templates-not-match: Remove. No longer necessary.
  * debian/patches/arm-neon.patch: Kill armv7=neon assumption. Fix typos.
  * debian/rules: chrpath for all packages.  (LP: #1415555)
 -- Chad MILLER <email address hidden>   Fri, 30 Jan 2015 15:48:09 -0500

Available diffs

• diff from 39.0.2171.65-0ubuntu0.14.10.1.1106 to 40.0.2214.94-0ubuntu0.14.10.1.1110 (99.7 MiB)
• diff from 40.0.2214.93-0ubuntu0.14.10.1.1109 to 40.0.2214.94-0ubuntu0.14.10.1.1110 (2.6 KiB)

chromium-browser (40.0.2214.94-0ubuntu1.1120) vivid; urgency=medium

  * Upstream release 40.0.2214.94.
  * Upstream release 40.0.2214.93.
  * Upstream release 40.0.2214.91. (LP: #1414753)
    - CVE-2014-7923: Memory corruption in ICU.
    - CVE-2014-7924: Use-after-free in IndexedDB.
    - CVE-2014-7925: Use-after-free in WebAudio.
    - CVE-2014-7926: Memory corruption in ICU.
    - CVE-2014-7927: Memory corruption in V8.
    - CVE-2014-7928: Memory corruption in V8.
    - CVE-2014-7930: Use-after-free in DOM.
    - CVE-2014-7931: Memory corruption in V8.
    - CVE-2014-7929: Use-after-free in DOM.
    - CVE-2014-7932: Use-after-free in DOM.
    - CVE-2014-7933: Use-after-free in FFmpeg.
    - CVE-2014-7934: Use-after-free in DOM.
    - CVE-2014-7935: Use-after-free in Speech.
    - CVE-2014-7936: Use-after-free in Views.
    - CVE-2014-7937: Use-after-free in FFmpeg.
    - CVE-2014-7938: Memory corruption in Fonts.
    - CVE-2014-7939: Same-origin-bypass in V8.
    - CVE-2014-7940: Uninitialized-value in ICU.
    - CVE-2014-7941: Out-of-bounds read in UI.
    - CVE-2014-7942: Uninitialized-value in Fonts.
    - CVE-2014-7943: Out-of-bounds read in Skia.
    - CVE-2014-7944: Out-of-bounds read in PDFium.
    - CVE-2014-7945: Out-of-bounds read in PDFium.
    - CVE-2014-7946: Out-of-bounds read in Fonts.
    - CVE-2014-7947: Out-of-bounds read in PDFium.
    - CVE-2014-7948: Caching error in AppCache.
  * debian/patch/search-credit: Don't force client in GOOG suggestions search.
    (LP: #1398900)
  * debian/patches/dri3-within-sandbox: Backport V41 sandbox, fixing DRI3.
    (LP: #1378627)
  * debian/patches/macro-templates-not-match: Remove. No longer necessary.
  * debian/patches/arm-neon.patch: Kill armv7=neon assumption. Fix typos.
  * debian/rules: chrpath for all packages.  (LP: #1415555)
 -- Chad MILLER <email address hidden>   Fri, 30 Jan 2015 15:48:09 -0500

Available diffs

• diff from 39.0.2171.65-0ubuntu1.1108 (in Ubuntu) to 40.0.2214.94-0ubuntu1.1120 (99.7 MiB)
• diff from 40.0.2214.94-0ubuntu1.1119 to 40.0.2214.94-0ubuntu1.1120 (623 bytes)

chromium-browser (39.0.2171.65-0ubuntu1.1108) vivid; urgency=medium

  * Upstream release 39.0.2171.65:
    - CVE-2014-7899: Address bar spoofing.
    - CVE-2014-7900: Use-after-free in pdfium.
    - CVE-2014-7901: Integer overflow in pdfium.
    - CVE-2014-7902: Use-after-free in pdfium.
    - CVE-2014-7903: Buffer overflow in pdfium.
    - CVE-2014-7904: Buffer overflow in Skia.
    - CVE-2014-7905: Flaw allowing navigation to intents that do not have the
      BROWSABLE category.
    - CVE-2014-7906: Use-after-free in pepper plugins.
    - CVE-2014-0574: Double-free in Flash.
    - CVE-2014-7907: Use-after-free in blink.
    - CVE-2014-7908: Integer overflow in media.
    - CVE-2014-7909: Uninitialized memory read in Skia.
    - CVE-2014-7910: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/search-credit.patch: Include "client" in google search
    prepopulated template's parameters.
  * debian/tests/testdata/9-search-credit.sikuli: Verify search URL has
    parameter.
  * debian/source/lintian-overrides: Ignore android tools we don't use.
  * debian/chromium-browser-dbg.lintian-overrides: Ignore libraries that we
    configure to have no symbols in builder (because they are humongous
    otherwise).
  * debian/control: Bump standards version. Version dep "bash". Remove
    duplicate language from package descriptions.
  * debian/tests/testdata/1-normal-extension-active.sikuli/: Destroy test
    for dead NPAPI unity-webapps extension.
 -- Chad MILLER <email address hidden>   Sat, 22 Nov 2014 14:06:34 -0500

Available diffs

• diff from 38.0.2125.111-0ubuntu1.1103 to 39.0.2171.65-0ubuntu1.1108 (42.0 MiB)

chromium-browser (39.0.2171.65-0ubuntu0.14.04.1.1064) trusty-security; urgency=medium

  * Upstream release 39.0.2171.65:
    - CVE-2014-7899: Address bar spoofing.
    - CVE-2014-7900: Use-after-free in pdfium.
    - CVE-2014-7901: Integer overflow in pdfium.
    - CVE-2014-7902: Use-after-free in pdfium.
    - CVE-2014-7903: Buffer overflow in pdfium.
    - CVE-2014-7904: Buffer overflow in Skia.
    - CVE-2014-7905: Flaw allowing navigation to intents that do not have the
      BROWSABLE category.
    - CVE-2014-7906: Use-after-free in pepper plugins.
    - CVE-2014-0574: Double-free in Flash.
    - CVE-2014-7907: Use-after-free in blink.
    - CVE-2014-7908: Integer overflow in media.
    - CVE-2014-7909: Uninitialized memory read in Skia.
    - CVE-2014-7910: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/search-credit.patch: Include "client" in google search
    prepopulated template's parameters.
  * debian/tests/testdata/9-search-credit.sikuli: Verify search URL has
    parameter.
  * debian/source/lintian-overrides: Ignore android tools we don't use.
  * debian/chromium-browser-dbg.lintian-overrides: Ignore libraries that we
    configure to have no symbols in builder (because they are humongous
    otherwise).
  * debian/control: Bump standards version. Version dep "bash". Remove
    duplicate language from package descriptions.
  * debian/tests/testdata/1-normal-extension-active.sikuli/: Destroy test
    for dead NPAPI unity-webapps extension.
 -- Chad MILLER <email address hidden>   Sat, 22 Nov 2014 14:06:34 -0500

Available diffs

• diff from 38.0.2125.111-0ubuntu0.14.04.1.1061 to 39.0.2171.65-0ubuntu0.14.04.1.1064 (42.0 MiB)
• diff from 39.0.2171.65-0ubuntu0.14.04.1.1062 to 39.0.2171.65-0ubuntu0.14.04.1.1064 (2.4 KiB)

chromium-browser (39.0.2171.65-0ubuntu0.14.10.1.1106) utopic-security; urgency=medium

  * Upstream release 39.0.2171.65:
    - CVE-2014-7899: Address bar spoofing.
    - CVE-2014-7900: Use-after-free in pdfium.
    - CVE-2014-7901: Integer overflow in pdfium.
    - CVE-2014-7902: Use-after-free in pdfium.
    - CVE-2014-7903: Buffer overflow in pdfium.
    - CVE-2014-7904: Buffer overflow in Skia.
    - CVE-2014-7905: Flaw allowing navigation to intents that do not have the
      BROWSABLE category.
    - CVE-2014-7906: Use-after-free in pepper plugins.
    - CVE-2014-0574: Double-free in Flash.
    - CVE-2014-7907: Use-after-free in blink.
    - CVE-2014-7908: Integer overflow in media.
    - CVE-2014-7909: Uninitialized memory read in Skia.
    - CVE-2014-7910: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/search-credit.patch: Include "client" in google search
    prepopulated template's parameters.
  * debian/tests/testdata/9-search-credit.sikuli: Verify search URL has
    parameter.
  * debian/source/lintian-overrides: Ignore android tools we don't use.
  * debian/chromium-browser-dbg.lintian-overrides: Ignore libraries that we
    configure to have no symbols in builder (because they are humongous
    otherwise).
  * debian/control: Bump standards version. Version dep "bash". Remove
    duplicate language from package descriptions.
  * debian/tests/testdata/1-normal-extension-active.sikuli/: Destroy test
    for dead NPAPI unity-webapps extension.
 -- Chad MILLER <email address hidden>   Sat, 22 Nov 2014 14:06:34 -0500

Available diffs

• diff from 38.0.2125.111-0ubuntu0.14.10.1.1103 to 39.0.2171.65-0ubuntu0.14.10.1.1106 (42.0 MiB)
• diff from 39.0.2171.65-0ubuntu0.14.10.1.1104 to 39.0.2171.65-0ubuntu0.14.10.1.1106 (41.9 KiB)

chromium-browser (38.0.2125.111-0ubuntu1.1103) vivid; urgency=medium

  * Upstream release 38.0.2125.111.
  * Upstream release 38.0.2125.104.
  * Upstream release 38.0.2125.101:  (LP: #1310163)
    - CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and
      IPC bugs that can lead to remote code execution outside of the sandbox.
    - CVE-2014-3189: Out-of-bounds read in PDFium.
    - CVE-2014-3190: Use-after-free in Events.
    - CVE-2014-3191: Use-after-free in Rendering.
    - CVE-2014-3192: Use-after-free in DOM.
    - CVE-2014-3193: Type confusion in Session Management.
    - CVE-2014-3194: Use-after-free in Web Workers.
    - CVE-2014-3195: Information Leak in V8.
    - CVE-2014-3196: Permissions bypass in Windows Sandbox.
    - CVE-2014-3197: Information Leak in XSS Auditor.
    - CVE-2014-3198: Out-of-bounds read in PDFium.
    - CVE-2014-3199: Release Assert in V8 bindings.
    - CVE-2014-3200: Various fixes from internal audits, fuzzing and other
      initiatives (Chrome 38).
  * debian/rules: Prefer GCC 4.8 when compiling. 4.9 remains buggy.
  * Make the verification step in clean make more compare-able output.
  * debian/patches/configuration-directory.patch: Account for new location of
    policies directory in /etc . Change back. (LP: #1373802)
  * debian/patches/lp-translations-paths: Map old third_party filenames to
    new name after processor compiles.
  * debian/rules: Fix patch-translations rule, workflow.
  * debian/patches/macro-templates-not-match: Anonymous struct isn't sizable.
  * debian/chromium-browser.sh.in: Fix broken logic of CHROMIUM_USER_FLAGS,
    which has never worked. (LP: #1381644)
  * debian/patches/disable-sse: Disable more SSE #includes.
  * debian/rules: Omit unnecessary files from packaging.
  * debian/chromium-browser.sh.in: Fix variable name bug and suggest
    ~/.chromium-browser.init file over hamfisted CHROMIUM_USER_FLAGS.
  * debian/patches/5-desktop-integration-settings.patch: Adapt to new settings
    APIs.

Available diffs

• diff from 37.0.2062.94-0ubuntu1~pkg1065 to 38.0.2125.111-0ubuntu1.1103 (77.4 MiB)

chromium-browser (38.0.2125.111-0ubuntu0.14.04.1.1061) trusty-security; urgency=medium

  * Upstream release 38.0.2125.111.
  * Upstream release 38.0.2125.104.
  * Upstream release 38.0.2125.101:  (LP: #1310163)
    - CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and
      IPC bugs that can lead to remote code execution outside of the sandbox.
    - CVE-2014-3189: Out-of-bounds read in PDFium.
    - CVE-2014-3190: Use-after-free in Events.
    - CVE-2014-3191: Use-after-free in Rendering.
    - CVE-2014-3192: Use-after-free in DOM.
    - CVE-2014-3193: Type confusion in Session Management.
    - CVE-2014-3194: Use-after-free in Web Workers.
    - CVE-2014-3195: Information Leak in V8.
    - CVE-2014-3196: Permissions bypass in Windows Sandbox.
    - CVE-2014-3197: Information Leak in XSS Auditor.
    - CVE-2014-3198: Out-of-bounds read in PDFium.
    - CVE-2014-3199: Release Assert in V8 bindings.
    - CVE-2014-3200: Various fixes from internal audits, fuzzing and other
      initiatives (Chrome 38).
  * debian/rules: Prefer GCC 4.8 when compiling. 4.9 remains buggy.
  * Make the verification step in clean make more compare-able output.
  * debian/patches/configuration-directory.patch: Account for new location of
    policies directory in /etc . Change back. (LP: #1373802)
  * debian/patches/lp-translations-paths: Map old third_party filenames to
    new name after processor compiles.
  * debian/rules: Fix patch-translations rule, workflow.
  * debian/patches/macro-templates-not-match: Anonymous struct isn't sizable.
  * debian/chromium-browser.sh.in: Fix broken logic of CHROMIUM_USER_FLAGS,
    which has never worked. (LP: #1381644)
  * debian/patches/disable-sse: Disable more SSE #includes.
  * debian/rules: Omit unnecessary files from packaging.
  * debian/chromium-browser.sh.in: Fix variable name bug and suggest
    ~/.chromium-browser.init file over hamfisted CHROMIUM_USER_FLAGS.
  * debian/patches/5-desktop-integration-settings.patch: Adapt to new settings
    APIs.

Available diffs

• diff from 37.0.2062.120-0ubuntu0.14.04.1~pkg1049 to 38.0.2125.111-0ubuntu0.14.04.1.1061 (77.3 MiB)
• diff from 38.0.2125.104-0ubuntu0.14.04.1.1060 to 38.0.2125.111-0ubuntu0.14.04.1.1061 (173.0 KiB)

chromium-browser (38.0.2125.111-0ubuntu0.14.10.1.1103) utopic-security; urgency=medium

  * Upstream release 38.0.2125.111.
  * Upstream release 38.0.2125.104.
  * Upstream release 38.0.2125.101:  (LP: #1310163)
    - CVE-2014-3188: A special thanks to Jüri Aedla for a combination of V8 and
      IPC bugs that can lead to remote code execution outside of the sandbox.
    - CVE-2014-3189: Out-of-bounds read in PDFium.
    - CVE-2014-3190: Use-after-free in Events.
    - CVE-2014-3191: Use-after-free in Rendering.
    - CVE-2014-3192: Use-after-free in DOM.
    - CVE-2014-3193: Type confusion in Session Management.
    - CVE-2014-3194: Use-after-free in Web Workers.
    - CVE-2014-3195: Information Leak in V8.
    - CVE-2014-3196: Permissions bypass in Windows Sandbox.
    - CVE-2014-3197: Information Leak in XSS Auditor.
    - CVE-2014-3198: Out-of-bounds read in PDFium.
    - CVE-2014-3199: Release Assert in V8 bindings.
    - CVE-2014-3200: Various fixes from internal audits, fuzzing and other
      initiatives (Chrome 38).
  * debian/rules: Prefer GCC 4.8 when compiling. 4.9 remains buggy.
  * Make the verification step in clean make more compare-able output.
  * debian/patches/configuration-directory.patch: Account for new location of
    policies directory in /etc . Change back. (LP: #1373802)
  * debian/patches/lp-translations-paths: Map old third_party filenames to
    new name after processor compiles.
  * debian/rules: Fix patch-translations rule, workflow.
  * debian/patches/macro-templates-not-match: Anonymous struct isn't sizable.
  * debian/chromium-browser.sh.in: Fix broken logic of CHROMIUM_USER_FLAGS,
    which has never worked. (LP: #1381644)
  * debian/patches/disable-sse: Disable more SSE #includes.
  * debian/rules: Omit unnecessary files from packaging.
  * debian/chromium-browser.sh.in: Fix variable name bug and suggest
    ~/.chromium-browser.init file over hamfisted CHROMIUM_USER_FLAGS.
  * debian/patches/5-desktop-integration-settings.patch: Adapt to new settings
    APIs.

Available diffs

• diff from 38.0.2125.104-0ubuntu1.1100 to 38.0.2125.111-0ubuntu0.14.10.1.1103 (175.1 KiB)

chromium-browser (37.0.2062.120-0ubuntu0.12.04.1~pkg917) precise-security; urgency=medium

  * Release to stage

Available diffs

• diff from 37.0.2062.94-0ubuntu0.12.04.1~pkg909 to 37.0.2062.120-0ubuntu0.12.04.1~pkg917 (150.6 KiB)
• diff from 37.0.2062.120-0ubuntu0.12.04.1~pkg915 to 37.0.2062.120-0ubuntu0.12.04.1~pkg917 (684 bytes)

chromium-browser (37.0.2062.120-0ubuntu0.14.04.1~pkg1049) trusty-security; urgency=medium

  * Release to stage

Available diffs

• diff from 37.0.2062.94-0ubuntu0.14.04.1~pkg1042 to 37.0.2062.120-0ubuntu0.14.04.1~pkg1049 (150.7 KiB)
• diff from 37.0.2062.120-0ubuntu0.14.04.1~pkg1048 to 37.0.2062.120-0ubuntu0.14.04.1~pkg1049 (597 bytes)

chromium-browser (37.0.2062.94-0ubuntu1~pkg1065) utopic; urgency=medium

  * Release to stage

Available diffs

• diff from 36.0.1985.143-0ubuntu1~pkg1042 (in ~canonical-chromium-builds/ubuntu/stage) to 37.0.2062.94-0ubuntu1~pkg1065 (37.6 MiB)

chromium-browser (37.0.2062.94-0ubuntu0.12.04.1~pkg909) precise-security; urgency=medium

  * Release to stage

Available diffs

• diff from 36.0.1985.125-0ubuntu1.12.04.0~pkg897 to 37.0.2062.94-0ubuntu0.12.04.1~pkg909 (37.7 MiB)
• diff from 37.0.2062.94-0ubuntu0.12.04.1~pkg908 to 37.0.2062.94-0ubuntu0.12.04.1~pkg909 (1.3 KiB)

chromium-browser (37.0.2062.94-0ubuntu0.14.04.1~pkg1042) trusty-security; urgency=medium

  * Release to stage

Available diffs

• diff from 36.0.1985.125-0ubuntu1.14.04.0~pkg1029 to 37.0.2062.94-0ubuntu0.14.04.1~pkg1042 (37.7 MiB)
• diff from 37.0.2062.94-0ubuntu0.14.04.1~pkg1041 to 37.0.2062.94-0ubuntu0.14.04.1~pkg1042 (1.3 KiB)

chromium-browser (36.0.1985.143-0ubuntu1~pkg1042) utopic; urgency=medium

  * Release to stage

Available diffs

• diff from 36.0.1985.125-0ubuntu2 (in Ubuntu) to 36.0.1985.143-0ubuntu1~pkg1042 (25.1 KiB)
• diff from 36.0.1985.143-0ubuntu1~pkg1041 to 36.0.1985.143-0ubuntu1~pkg1042 (1.7 KiB)

chromium-browser (36.0.1985.125-0ubuntu2) utopic; urgency=low

  * Upstream release 36.0.1985.125:
    - CVE-2014-3160: Same-Origin-Policy bypass in SVG.
    - CVE-2014-3162: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/patches/*: Moved more gtk related changes to aura code.
  * debian/control: Build-dep version of ninja-build should be recent.
  * debian/patches/gyp-icu-m32-test: Smarter g++ test, no "echo |bad".
  * Skip version -0ubuntu1 because Trusty postdates it.
 -- Chad MILLER <email address hidden>   Thu, 07 Aug 2014 17:22:20 -0400

Available diffs

• diff from 35.0.1916.153-0ubuntu1~pkg1029 to 36.0.1985.125-0ubuntu2 (33.1 MiB)

chromium-browser (36.0.1985.125-0ubuntu1.12.04.0~pkg897) precise-security; urgency=medium

  * Release to stage

Available diffs

• diff from 34.0.1847.116-0ubuntu~1.12.04.0~pkg884 to 36.0.1985.125-0ubuntu1.12.04.0~pkg897 (113.4 MiB)
• diff from 36.0.1985.125-0ubuntu1.12.04.0~pkg896 to 36.0.1985.125-0ubuntu1.12.04.0~pkg897 (833 bytes)

chromium-browser (36.0.1985.125-0ubuntu1.14.04.0~pkg1029) trusty-security; urgency=medium

  * Release to stage

Available diffs

• diff from 36.0.1985.125-0ubuntu1.14.04.0~pkg1028 to 36.0.1985.125-0ubuntu1.14.04.0~pkg1029 (19.8 KiB)

chromium-browser (35.0.1916.153-0ubuntu1~pkg1029) utopic; urgency=medium

  * Release to stage

Available diffs

• diff from 34.0.1847.116-0ubuntu2 to 35.0.1916.153-0ubuntu1~pkg1029 (87.4 MiB)