-
chromium-browser (67.0.3396.99-0ubuntu0.17.10.1) artful; urgency=medium
* Upstream release: 67.0.3396.99
- CVE-2018-6148: Incorrect handling of CSP header.
- CVE-2018-6149: Out of bounds write in V8.
-- Olivier Tilloy <email address hidden> Mon, 09 Jul 2018 23:29:07 +0200
-
chromium-browser (66.0.3359.181-0ubuntu0.17.10.1) artful; urgency=medium
* Upstream release: 66.0.3359.181
-- Olivier Tilloy <email address hidden> Tue, 15 May 2018 22:31:19 +0200
-
chromium-browser (66.0.3359.139-0ubuntu0.17.10.2) artful; urgency=medium
* debian/rules: do not build with use_custom_libcxx=false after all, this
didn't work on xenial and older because the system libstdc++ was too old,
and we'd rather stick to the same build options on all supported releases,
where possible
* debian/patches/libcxxabi-arm-ehabi-fix.patch: added (LP: #1768653)
-- Olivier Tilloy <email address hidden> Thu, 03 May 2018 16:59:03 +0200
-
chromium-browser (65.0.3325.181-0ubuntu0.17.10.1) artful; urgency=medium
* Upstream release: 65.0.3325.181
-- Olivier Tilloy <email address hidden> Wed, 21 Mar 2018 13:21:03 +0100
-
chromium-browser (64.0.3282.167-0ubuntu0.17.10.1) artful; urgency=medium
* Upstream release: 64.0.3282.167
- CVE-2018-6056: Incorrect derived class instantiation in V8.
-- Olivier Tilloy <email address hidden> Wed, 14 Feb 2018 11:33:57 +0100
-
chromium-browser (64.0.3282.140-0ubuntu0.17.10.1) artful; urgency=medium
* Upstream release: 64.0.3282.140
-- Olivier Tilloy <email address hidden> Fri, 02 Feb 2018 15:06:55 +0100
-
chromium-browser (64.0.3282.119-0ubuntu0.17.10.1) artful; urgency=medium
* Upstream release: 64.0.3282.119
- CVE-2018-6031: Use after free in PDFium.
- CVE-2018-6032: Same origin bypass in Shared Worker.
- CVE-2018-6033: Race when opening downloaded files.
- CVE-2018-6034: Integer overflow in Blink.
- CVE-2018-6035: Insufficient isolation of devtools from extensions.
- CVE-2018-6036: Integer underflow in WebAssembly.
- CVE-2018-6037: Insufficient user gesture requirements in autofill.
- CVE-2018-6038: Heap buffer overflow in WebGL.
- CVE-2018-6039: XSS in DevTools.
- CVE-2018-6040: Content security policy bypass.
- CVE-2018-6041: URL spoof in Navigation.
- CVE-2018-6042: URL spoof in OmniBox.
- CVE-2018-6043: Insufficient escaping with external URL handlers.
- CVE-2018-6045: Insufficient isolation of devtools from extensions.
- CVE-2018-6046: Insufficient isolation of devtools from extensions.
- CVE-2018-6047: Cross origin URL leak in WebGL.
- CVE-2018-6048: Referrer policy bypass in Blink.
- CVE-2017-15420: URL spoofing in Omnibox.
- CVE-2018-6049: UI spoof in Permissions.
- CVE-2018-6050: URL spoof in OmniBox.
- CVE-2018-6051: Referrer leak in XSS Auditor.
- CVE-2018-6052: Incomplete no-referrer policy implementation.
- CVE-2018-6053: Leak of page thumbnails in New Tab Page.
- CVE-2018-6054: Use after free in WebUI.
* debian/control: update reference URL for chromedriver
* debian/rules:
- remove enable_hotwording build flag
- exclude build artifacts from the binary package (LP: #1742653)
* debian/patches/add-missing-cstddef-include.patch: added
* debian/patches/configuration-directory.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default.patch: refreshed
* debian/patches/fix-ffmpeg-ia32-build.patch: added
* debian/patches/last-commit-position: refreshed
* debian/patches/no-xlocale-header.patch: removed, no longer needed
* debian/patches/revert-clang-nostdlib++.patch: updated
* debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: updated
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/touch-v35: refreshed
* debian/patches/widevine-other-locations: updated (LP: #1738149)
* debian/known_gn_gen_args-*: remove enable_hotwording build flag
-- Olivier Tilloy <email address hidden> Wed, 24 Jan 2018 23:09:31 +0100
-
chromium-browser (63.0.3239.132-0ubuntu0.17.10.2) artful; urgency=medium
* debian/rules: do not install files used for building only (LP: #1742653)
-- Olivier Tilloy <email address hidden> Thu, 11 Jan 2018 17:08:05 +0100
-
chromium-browser (63.0.3239.84-0ubuntu0.17.10.1) artful; urgency=medium
* Upstream release: 63.0.3239.84
- CVE-2017-15407: Out of bounds write in QUIC.
- CVE-2017-15408: Heap buffer overflow in PDFium.
- CVE-2017-15409: Out of bounds write in Skia.
- CVE-2017-15410: Use after free in PDFium.
- CVE-2017-15411: Use after free in PDFium.
- CVE-2017-15412: Use after free in libXML.
- CVE-2017-15413: Type confusion in WebAssembly.
- CVE-2017-15415: Pointer information disclosure in IPC call.
- CVE-2017-15416: Out of bounds read in Blink.
- CVE-2017-15417: Cross origin information disclosure in Skia.
- CVE-2017-15418: Use of uninitialized value in Skia.
- CVE-2017-15419: Cross origin leak of redirect URL in Blink.
- CVE-2017-15420: URL spoofing in Omnibox.
- CVE-2017-15422: Integer overflow in ICU.
- CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
- CVE-2017-15424: URL Spoof in Omnibox.
- CVE-2017-15425: URL Spoof in Omnibox.
- CVE-2017-15426: URL Spoof in Omnibox.
- CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox.
* debian/rules:
- replace allow_posix_link_time_opt=false by use_lld=false,
is_cfi=false and use_thin_lto=false
- rename use_vulcanize GN flag to optimize_webui
- generate the man page as it's not being built with chromium any
longer (since commit 64b961499bebc54fe48478f5e37477252c7887fa)
* debian/patches/arm-neon.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/fix-gn-bootstrap.patch: removed, no longer needed
* debian/patches/fix_building_widevinecdm_with_chromium.patch: replaced by
debian/patches/widevine-revision.patch
* debian/patches/glibc-2-26-changes.patch: renamed to
debian/patches/no-xlocale-header.patch and updated
* debian/patches/revert-Xclang-instcombine-lower-dbg-declare.patch: added
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: updated
* debian/patches/suppress-newer-clang-warning-flags.patch: updated
* debian/patches/touch-v35: refreshed
* debian/patches/use-clang-versioned.patch: refreshed
* debian/patches/widevine-other-locations: updated (LP: #1652110)
* debian/patches/widevine-revision.patch: added (LP: #1652110)
-- Olivier Tilloy <email address hidden> Thu, 07 Dec 2017 13:28:26 +0100
-
chromium-browser (62.0.3202.94-0ubuntu0.17.10.1388) artful; urgency=medium
* Upstream release: 62.0.3202.94
-- Olivier Tilloy <email address hidden> Mon, 13 Nov 2017 22:48:24 +0100
-
chromium-browser (62.0.3202.89-0ubuntu0.17.10.1386) artful; urgency=medium
* Upstream release: 62.0.3202.89
- CVE-2017-15398: Stack buffer overflow in QUIC.
- CVE-2017-15399: Use after free in V8.
-- Olivier Tilloy <email address hidden> Mon, 06 Nov 2017 22:40:20 +0100
-
chromium-browser (62.0.3202.75-0ubuntu0.17.10.1384) artful; urgency=medium
* Upstream release: 62.0.3202.75
- CVE-2017-15396: Stack overflow in V8.
* debian/control: bump Standards-Version to 4.1.1
* debian/patches/set-rpath-on-chromium-executables.patch: updated
-- Olivier Tilloy <email address hidden> Fri, 27 Oct 2017 18:36:02 +0200
-
chromium-browser (62.0.3202.62-0ubuntu0.17.10.1380) artful; urgency=medium
* Upstream release: 62.0.3202.62
- CVE-2017-5124: UXSS with MHTML.
- CVE-2017-5125: Heap overflow in Skia.
- CVE-2017-5126: Use after free in PDFium.
- CVE-2017-5127: Use after free in PDFium.
- CVE-2017-5128: Heap overflow in WebGL.
- CVE-2017-5129: Use after free in WebAudio.
- CVE-2017-5132: Incorrect stack manipulation in WebAssembly.
- CVE-2017-5130: Heap overflow in libxml2.
- CVE-2017-5131: Out of bounds write in Skia.
- CVE-2017-5133: Out of bounds write in Skia.
- CVE-2017-15386: UI spoofing in Blink.
- CVE-2017-15387: Content security bypass.
- CVE-2017-15388: Out of bounds read in Skia.
- CVE-2017-15389: URL spoofing in OmniBox.
- CVE-2017-15390: URL spoofing in OmniBox.
- CVE-2017-15391: Extension limitation bypass in Extensions.
- CVE-2017-15392: Incorrect registry key handling in PlatformIntegration.
- CVE-2017-15393: Referrer leak in Devtools.
- CVE-2017-15394: URL spoofing in extensions UI.
- CVE-2017-15395: Null pointer dereference in ImageCapture.
* debian/control:
- bump Standards-Version to 4.1.0
- build against clang 5.0
* debian/patches/additional-search-engines.patch: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default.patch: refreshed
* debian/patches/fix-compilation-for-atk.patch: removed, no longer needed
* debian/patches/fix-gn-bootstrap.patch: updated
* debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
* debian/patches/glibc-2-26-changes.patch: refreshed
* debian/patches/make-base-numerics-build-with-gcc.patch: removed, no longer
needed
* debian/patches/revert-clang-nostdlib++.patch: added
* debian/patches/search-credit.patch: refreshed
* debian/patches/set-rpath-on-chromium-executables.patch: refreshed
* debian/patches/suppress-newer-clang-warning-flags.patch: added
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/use-clang-versioned.patch: added
* debian/patches/widevine-other-locations: refreshed
* debian/tests/html5test: update test expectations
-- Olivier Tilloy <email address hidden> Wed, 18 Oct 2017 21:19:28 +0200
-
chromium-browser (61.0.3163.100-0ubuntu1.1378) artful; urgency=medium
* debian/patches/set-rpath-on-chromium-executables.patch: added
(LP: #1718885)
* debian/chromium-browser.sh.in: remove LD_LIBRARY_PATH manipulation,
made unnecessary by patch above
chromium-browser (61.0.3163.100-0ubuntu1.1376) artful; urgency=medium
* Upstream release: 61.0.3163.100
- CVE-2017-5121: Out-of-bounds access in V8.
- CVE-2017-5122: Out-of-bounds access in V8.
chromium-browser (61.0.3163.91-0ubuntu1.1374) artful; urgency=medium
* Upstream release: 61.0.3163.91
* debian/patches/glibc-2-26-changes.patch: added
-- Olivier Tilloy <email address hidden> Mon, 25 Sep 2017 17:38:56 -0400
-
chromium-browser (61.0.3163.79-0ubuntu1.1371) artful; urgency=medium
* Upstream release: 61.0.3163.79
- CVE-2017-5111: Use after free in PDFium.
- CVE-2017-5112: Heap buffer overflow in WebGL.
- CVE-2017-5113: Heap buffer overflow in Skia.
- CVE-2017-5114: Memory lifecycle issue in PDFium.
- CVE-2017-5115: Type confusion in V8.
- CVE-2017-5116: Type confusion in V8.
- CVE-2017-5117: Use of uninitialized value in Skia.
- CVE-2017-5118: Bypass of Content Security Policy in Blink.
- CVE-2017-5119: Use of uninitialized value in Skia.
- CVE-2017-5120: Potential HTTPS downgrade during redirect navigation.
* debian/control:
- bump Standards-Version to 4.0.0
- add build dependency on llvm
* debian/rules: build with is_component_build=false, is_official_build=true,
allow_posix_link_time_opt=false and fatal_linker_warnings=false
* debian/patches/additional-search-engines.patch: refreshed
* debian/patches/define__libc_malloc.patch: added
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default.patch: refreshed
* debian/patches/fix-compilation-for-atk.patch: added
* debian/patches/fix-gn-bootstrap.patch: updated
* debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
* debian/patches/make-base-numerics-build-with-gcc.patch: added
* debian/patches/revert-llvm-ar.patch: removed, no longer needed
* debian/patches/search-credit.patch: refreshed
* debian/patches/skia-undef-HWCAP_CRC32.patch: added
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/tests/chromium-version: fix test shutdown
* debian/tests/html5test:
- fix test shutdown
- update test expectations
-- Olivier Tilloy <email address hidden> Mon, 11 Sep 2017 22:07:08 +0200
-
chromium-browser (60.0.3112.113-0ubuntu1.1369) artful; urgency=medium
* Upstream release: 60.0.3112.113
-- Olivier Tilloy <email address hidden> Fri, 25 Aug 2017 07:45:36 +0200
-
chromium-browser (60.0.3112.78-0ubuntu1.1363) artful; urgency=medium
* Upstream release: 60.0.3112.78
- CVE-2017-5091: Use after free in IndexedDB.
- CVE-2017-5092: Use after free in PPAPI.
- CVE-2017-5093: UI spoofing in Blink.
- CVE-2017-5094: Type confusion in extensions.
- CVE-2017-5095: Out-of-bounds write in PDFium.
- CVE-2017-5096: User information leak via Android intents.
- CVE-2017-5097: Out-of-bounds read in Skia.
- CVE-2017-5098: Use after free in V8.
- CVE-2017-5099: Out-of-bounds write in PPAPI.
- CVE-2017-5100: Use after free in Chrome Apps.
- CVE-2017-5101: URL spoofing in OmniBox.
- CVE-2017-5102: Uninitialized use in Skia.
- CVE-2017-5103: Uninitialized use in Skia.
- CVE-2017-5104: UI spoofing in browser.
- CVE-2017-5105: URL spoofing in OmniBox.
- CVE-2017-5106: URL spoofing in OmniBox.
- CVE-2017-5107: User information leak via SVG.
- CVE-2017-5108: Type confusion in PDFium.
- CVE-2017-5109: UI spoofing in browser.
- CVE-2017-5110: UI spoofing in payments dialog.
- CVE-2017-7000: Pointer disclosure in SQLite.
* debian/patches/additional-search-engines.patch: refreshed
* debian/patches/default-allocator: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
* debian/patches/fix-gn-bootstrap.patch: added
* debian/patches/last-commit-position: refreshed
* debian/patches/linux-dma-buf.patch: removed, no longer needed
* debian/patches/memory-free-assertion-failure: removed, no longer needed
* debian/patches/revert-llvm-ar.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/snapshot-library-link: removed, no longer needed
* debian/patches/stdatomic: removed, no longer needed
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/use-gcc-versioned: removed, no longer needed
* debian/tests/html5test:
- updated test expectations
- refactored test to not fail early, thus giving the test a chance to
list all failed expectations before bailing out
-- Olivier Tilloy <email address hidden> Mon, 31 Jul 2017 16:03:31 +0200
-
chromium-browser (59.0.3071.109-0ubuntu1.1360) artful; urgency=medium
* Upstream release: 59.0.3071.109
-- Olivier Tilloy <email address hidden> Wed, 21 Jun 2017 06:09:45 +0200
-
chromium-browser (58.0.3029.110-0ubuntu1.1354) artful; urgency=medium
* Upstream release: 58.0.3029.110
* debian/control: bump Standards-Version to 3.9.8
-- Olivier Tilloy <email address hidden> Wed, 10 May 2017 06:46:40 +0200
-
chromium-browser (58.0.3029.96-0ubuntu1.1352) artful; urgency=medium
* Upstream release: 58.0.3029.96
- CVE-2017-5068: Race condition in WebRTC.
-- Olivier Tilloy <email address hidden> Wed, 03 May 2017 06:39:50 +0200
-
chromium-browser (58.0.3029.81-0ubuntu2.1350) artful; urgency=medium
* Upstream release: 58.0.3029.81
- CVE-2017-5057: Type confusion in PDFium.
- CVE-2017-5058: Heap use after free in Print Preview.
- CVE-2017-5059: Type confusion in Blink.
- CVE-2017-5060: URL spoofing in Omnibox.
- CVE-2017-5061: URL spoofing in Omnibox.
- CVE-2017-5062: Use after free in Chrome Apps.
- CVE-2017-5063: Heap overflow in Skia.
- CVE-2017-5064: Use after free in Blink.
- CVE-2017-5065: Incorrect UI in Blink.
- CVE-2017-5066: Incorrect signature handing in Networking.
- CVE-2017-5067: URL spoofing in Omnibox.
- CVE-2017-5069: Cross-origin bypass in Blink.
* debian/patches/arm.patch: removed, no longer needed
* debian/patches/gtk-ui-stdmove: removed, no longer needed (upstreamed)
* debian/patches/screen_capturer: removed, no longer needed (upstreamed)
* debian/patches/default-allocator: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default: refreshed
* debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/snapshot-library-link: refreshed
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/fix-gn-bootstrap.patch: added
* debian/rules: disable the use of Vulcanize, the required node.js modules
are not readily available
-- Olivier Tilloy <email address hidden> Mon, 24 Apr 2017 22:33:22 +0200
-
chromium-browser (57.0.2987.98-0ubuntu1.1348) zesty; urgency=medium
* Upstream release: 57.0.2987.98.
- CVE-2017-5030: Memory corruption in V8.
- CVE-2017-5031: Use after free in ANGLE.
- CVE-2017-5032: Out of bounds write in PDFium.
- CVE-2017-5029: Integer overflow in libxslt.
- CVE-2017-5034: Use after free in PDFium.
- CVE-2017-5035: Incorrect security UI in Omnibox.
- CVE-2017-5036: Use after free in PDFium.
- CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer.
- CVE-2017-5039: Use after free in PDFium.
- CVE-2017-5040: Information disclosure in V8.
- CVE-2017-5041: Address spoofing in Omnibox.
- CVE-2017-5033: Bypass of Content Security Policy in Blink.
- CVE-2017-5042: Incorrect handling of cookies in Cast.
- CVE-2017-5038: Use after free in GuestView.
- CVE-2017-5043: Use after free in GuestView.
- CVE-2017-5044: Heap overflow in Skia.
- CVE-2017-5045: Information disclosure in XSS Auditor.
- CVE-2017-5046: Information disclosure in Blink.
* debian/patches/arm64-support no longer needed
* debian/patches/stdatomic: Support gcc48.
* debian/patches/snapshot-library-link: Add missing libsnapshot link
* debian/patches/gtk-ui-stdmove: fix && pointer return with std::move
* debian/rules: Fix armhf float ABI and remove unnecessary envvars.
(LP: #1673276)
* debian/rules, debian/control: Use clang.
-- Chad MILLER <email address hidden> Wed, 15 Mar 2017 21:12:35 -0400
