-
chromium-browser (59.0.3071.109-0ubuntu0.16.10.1357) yakkety; urgency=medium
* Upstream release: 59.0.3071.109
-- Olivier Tilloy <email address hidden> Wed, 21 Jun 2017 06:45:30 +0200
-
chromium-browser (58.0.3029.110-0ubuntu0.16.10.1349) yakkety; urgency=medium
* Upstream release: 58.0.3029.110
* debian/control: bump Standards-Version to 3.9.8
-- Olivier Tilloy <email address hidden> Wed, 10 May 2017 07:21:06 +0200
-
chromium-browser (58.0.3029.96-0ubuntu0.16.10.1347) yakkety; urgency=medium
* Upstream release: 58.0.3029.96
- CVE-2017-5068: Race condition in WebRTC.
-- Olivier Tilloy <email address hidden> Wed, 03 May 2017 06:43:43 +0200
-
chromium-browser (58.0.3029.81-0ubuntu0.16.10.1345) yakkety; urgency=medium
* Upstream release: 58.0.3029.81
- CVE-2017-5057: Type confusion in PDFium.
- CVE-2017-5058: Heap use after free in Print Preview.
- CVE-2017-5059: Type confusion in Blink.
- CVE-2017-5060: URL spoofing in Omnibox.
- CVE-2017-5061: URL spoofing in Omnibox.
- CVE-2017-5062: Use after free in Chrome Apps.
- CVE-2017-5063: Heap overflow in Skia.
- CVE-2017-5064: Use after free in Blink.
- CVE-2017-5065: Incorrect UI in Blink.
- CVE-2017-5066: Incorrect signature handling in Networking.
- CVE-2017-5067: URL spoofing in Omnibox.
- CVE-2017-5069: Cross-origin bypass in Blink.
* debian/patches/arm.patch: removed, no longer needed
* debian/patches/gtk-ui-stdmove: removed, no longer needed (upstreamed)
* debian/patches/screen_capturer: removed, no longer needed (upstreamed)
* debian/patches/default-allocator: refreshed
* debian/patches/disable-sse2: refreshed
* debian/patches/enable-chromecast-by-default: refreshed
* debian/patches/fix_building_widevinecdm_with_chromium.patch: refreshed
* debian/patches/search-credit.patch: refreshed
* debian/patches/snapshot-library-link: refreshed
* debian/patches/title-bar-default-system.patch-v35: refreshed
* debian/patches/fix-gn-bootstrap.patch: added
* debian/rules: disable the use of Vulcanize, the required node.js modules
are not readily available
-- Olivier Tilloy <email address hidden> Mon, 24 Apr 2017 11:27:41 +0200
-
chromium-browser (57.0.2987.98-0ubuntu0.16.10.1344) yakkety-security; urgency=medium
* Upstream release: 57.0.2987.98.
- CVE-2017-5030: Memory corruption in V8.
- CVE-2017-5031: Use after free in ANGLE.
- CVE-2017-5032: Out of bounds write in PDFium.
- CVE-2017-5029: Integer overflow in libxslt.
- CVE-2017-5034: Use after free in PDFium.
- CVE-2017-5035: Incorrect security UI in Omnibox.
- CVE-2017-5036: Use after free in PDFium.
- CVE-2017-5037: Multiple out of bounds writes in ChunkDemuxer.
- CVE-2017-5039: Use after free in PDFium.
- CVE-2017-5040: Information disclosure in V8.
- CVE-2017-5041: Address spoofing in Omnibox.
- CVE-2017-5033: Bypass of Content Security Policy in Blink.
- CVE-2017-5042: Incorrect handling of cookies in Cast.
- CVE-2017-5038: Use after free in GuestView.
- CVE-2017-5043: Use after free in GuestView.
- CVE-2017-5044: Heap overflow in Skia.
- CVE-2017-5045: Information disclosure in XSS Auditor.
- CVE-2017-5046: Information disclosure in Blink.
* debian/patches/arm64-support no longer needed
* debian/patches/stdatomic: Support gcc48.
* debian/patches/snapshot-library-link: Add missing libsnapshot link
* debian/patches/gtk-ui-stdmove: fix && pointer return with std::move
* debian/control: Drop binary arch "any" and explicitly list four.
* debian/patches/arm64-vpx-alignment: Avoid ARM64 alignment bug on some
compilers.
* debian/rules: Fix armhf float ABI and remove unnecessary envvars.
(LP: #1673276)
-- Chad MILLER <email address hidden> Wed, 15 Mar 2017 21:12:35 -0400
-
chromium-browser (56.0.2924.76-0ubuntu0.16.10.1335) yakkety-security; urgency=medium
* Upstream release: 56.0.2924.76
- CVE-2017-5007: Universal XSS in Blink.
- CVE-2017-5006: Universal XSS in Blink.
- CVE-2017-5008: Universal XSS in Blink.
- CVE-2017-5010: Universal XSS in Blink.
- CVE-2017-5011: Unauthorised file access in Devtools.
- CVE-2017-5009: Out of bounds memory access in WebRTC.
- CVE-2017-5012: Heap overflow in V8.
- CVE-2017-5013: Address spoofing in Omnibox.
- CVE-2017-5014: Heap overflow in Skia.
- CVE-2017-5015: Address spoofing in Omnibox.
- CVE-2017-5019: Use after free in Renderer.
- CVE-2017-5016: UI spoofing in Blink.
- CVE-2017-5017: Uninitialised memory access in webm video.
- CVE-2017-5018: Universal XSS in chrome://apps.
- CVE-2017-5020: Universal XSS in chrome://downloads.
- CVE-2017-5021: Use after free in Extensions.
- CVE-2017-5022: Bypass of Content Security Policy in Blink.
- CVE-2017-5023: Type confusion in metrics.
- CVE-2017-5024: Heap overflow in FFmpeg.
- CVE-2017-5025: Heap overflow in FFmpeg.
- CVE-2017-5026: UI spoofing.
* debian/patches/screen_capturer: allow compilation on gcc4
* debian/patches/arm64-support: reenable arm64
* debian/patches/memory-free-assertion-failure: discover memory management
assertion failures.
* debian/rules: Avoid field trial experiments to get stable code.
(closes: LP#1667125)
* debian/patches/enable-chromecast-by-default: (closes: LP#1621753)
-- Chad MILLER <email address hidden> Wed, 22 Feb 2017 17:20:28 -0500
-
chromium-browser (55.0.2883.87-0ubuntu1.16.10.1330) yakkety-security; urgency=medium
* debian/rules: Build extra codecs as part of main chromium program,
and libre/crippled/h.264less on its own. Seems to make h.264 work
again. Weird.
* debian/chromium-browser.links: Make link to ./ instead of / to fix
path problems that codec-using other apps might see.
-- Chad MILLER <email address hidden> Sat, 17 Dec 2016 12:05:53 -0500
-
chromium-browser (55.0.2883.87-0ubuntu0.16.10.1328) yakkety-security; urgency=medium
* Upstream release of 55.0.2883.87:
- Change Flash running default to important content only.
* debian/chromium-browser.sh.in: Insert the Flash version if empty and
detectable.
* debian/rules, debian/control: Use gcc/g++ 4.8 to build.
* Upstream release of 55.0.2883.75:
- CVE-2016-9651: Private property access in V8.
- CVE-2016-5208: Universal XSS in Blink.
- CVE-2016-5207: Universal XSS in Blink.
- CVE-2016-5206: Same-origin bypass in PDFium.
- CVE-2016-5205: Universal XSS in Blink.
- CVE-2016-5204: Universal XSS in Blink.
- CVE-2016-5209: Out of bounds write in Blink.
- CVE-2016-5203: Use after free in PDFium.
- CVE-2016-5210: Out of bounds write in PDFium.
- CVE-2016-5212: Local file disclosure in DevTools.
- CVE-2016-5211: Use after free in PDFium.
- CVE-2016-5213: Use after free in V8.
- CVE-2016-5214: File download protection bypass.
- CVE-2016-5216: Use after free in PDFium.
- CVE-2016-5215: Use after free in Webaudio.
- CVE-2016-5217: Use of unvalidated data in PDFium.
- CVE-2016-5218: Address spoofing in Omnibox.
- CVE-2016-5219: Use after free in V8.
- CVE-2016-5221: Integer overflow in ANGLE.
- CVE-2016-5220: Local file access in PDFium.
- CVE-2016-5222: Address spoofing in Omnibox.
- CVE-2016-9650: CSP Referrer disclosure.
- CVE-2016-5223: Integer overflow in PDFium.
- CVE-2016-5226: Limited XSS in Blink.
- CVE-2016-5225: CSP bypass in Blink.
- CVE-2016-5224: Same-origin bypass in SVG
- CVE-2016-9652: Various fixes from internal audits, fuzzing and other
initiatives
* Upstream release of 54.0.2840.100:
- CVE-2016-5199: Heap corruption in FFmpeg.
- CVE-2016-5200: Out of bounds memory access in V8.
- CVE-2016-5201: Info leak in extensions.
- CVE-2016-5202: Various fixes from internal audits, fuzzing and other
initiatives
* Move to using GN to build chromium.
- debian/known_gn_gen_args
- debian/rules
patches
* debian/rules, lintians, installs, script: Move component libs out of
libs/, to /usr/lib/chromium-browser/ only.
* debian/patches/do-not-use-bundled-clang: Use clang from path.
* debian/control: Express that binary packages could be on "any"
architecture.
* debian/control: additionally build-dep on libgtk-3-dev
* debian/patches/arm64-support: Fail nicer if aarch64/arm64 mismatch.
* Upstream release of 54.0.2840.59:
- CVE-2016-5181: Universal XSS in Blink.
- CVE-2016-5182: Heap overflow in Blink.
- CVE-2016-5183: Use after free in PDFium.
- CVE-2016-5184: Use after free in PDFium.
- CVE-2016-5185: Use after free in Blink.
- CVE-2016-5187: URL spoofing.
- CVE-2016-5188: UI spoofing.
- CVE-2016-5192: Cross-origin bypass in Blink.
- CVE-2016-5189: URL spoofing.
- CVE-2016-5186: Out of bounds read in DevTools.
- CVE-2016-5191: Universal XSS in Bookmarks.
- CVE-2016-5190: Use after free in Internals.
- CVE-2016-5193: Scheme bypass.
- CVE-2016-5194: Various fixes from internal audits, fuzzing and other
initiatives
* debian/patches/allow-component-build: Hard-code, override
release -> no component logic.
* debian/known_gyp_flags: Remove old GYP known-flags list.
* debian/default-allocator: Insist on not using tcmalloc allocator.
* debian/rules: Set LDFLAGS to limit memory usage.
* debian/control: Remove extraneous dependencies.
-- Chad MILLER <email address hidden> Sat, 03 Dec 2016 09:55:37 -0500
-
chromium-browser (53.0.2785.143-0ubuntu1.1307) yakkety; urgency=medium
* Upstream release 53.0.2785.143:
- CVE-2016-5177: Use after free in V8.
- CVE-2016-5178: Various fixes from internal audits, fuzzing and other
initiatives.
* Upstream release 53.0.2785.113:
- CVE-2016-5170: Use after free in Blink.
- CVE-2016-5171: Use after free in Blink.
- CVE-2016-5172: Arbitrary Memory Read in v8.
- CVE-2016-5173: Extension resource access.
- CVE-2016-5174: Popup not correctly suppressed.
- CVE-2016-5175: Various fixes from internal audits, fuzzing and other
initiatives.
* Upstream release 53.0.2785.89:
- CVE-2016-5147: Universal XSS in Blink.
- CVE-2016-5148: Universal XSS in Blink.
- CVE-2016-5149: Script injection in extensions.
- CVE-2016-5150: Use after free in Blink.
- CVE-2016-5151: Use after free in PDFium.
- CVE-2016-5152: Heap overflow in PDFium.
- CVE-2016-5153: Use after destruction in Blink.
- CVE-2016-5154: Heap overflow in PDFium.
- CVE-2016-5155: Address bar spoofing.
- CVE-2016-5156: Use after free in event bindings.
- CVE-2016-5157: Heap overflow in PDFium.
- CVE-2016-5158: Heap overflow in PDFium.
- CVE-2016-5159: Heap overflow in PDFium.
- CVE-2016-5161: Type confusion in Blink.
- CVE-2016-5162: Extensions web accessible resources bypass.
- CVE-2016-5163: Address bar spoofing.
- CVE-2016-5164: Universal XSS using DevTools.
- CVE-2016-5165: Script injection in DevTools.
- CVE-2016-5166: SMB Relay Attack via Save Page As.
- CVE-2016-5160: Extensions web accessible resources bypass.
- CVE-2016-5167: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/patches/cups-include-deprecated-ppd, debian/rules: include cups
functions.
* debian/rules, debian/control: Force using gcc-5 compiler.
* Use system libraries for expat, speex, zlib, opus, png, jpeg.
* Also build for arm64 architecture.
* Don't compile in cups support by default on all architectures.
* Upstream release 52.0.2743.116:
- CVE-2016-5141: Address bar spoofing.
- CVE-2016-5142: Use-after-free in Blink.
- CVE-2016-5139: Heap overflow in pdfium.
- CVE-2016-5140: Heap overflow in pdfium.
- CVE-2016-5145: Same origin bypass for images in Blink.
- CVE-2016-5143: Parameter sanitization failure in DevTools.
- CVE-2016-5144: Parameter sanitization failure in DevTools.
- CVE-2016-5146: Various fixes from internal audits, fuzzing and other
initiatives.
* Exclude harfbuzz and libxslt from system-library use.
* Upstream release 52.0.2743.82:
- CVE-2016-1706: Sandbox escape in PPAPI.
- CVE-2016-1707: URL spoofing on iOS.
- CVE-2016-1708: Use-after-free in Extensions.
- CVE-2016-1709: Heap-buffer-overflow in sfntly.
- CVE-2016-1710: Same-origin bypass in Blink.
- CVE-2016-1711: Same-origin bypass in Blink.
- CVE-2016-5127: Use-after-free in Blink.
- CVE-2016-5128: Same-origin bypass in V8.
- CVE-2016-5129: Memory corruption in V8.
- CVE-2016-5130: URL spoofing.
- CVE-2016-5131: Use-after-free in libxml.
- CVE-2016-5132: Limited same-origin bypass in Service Workers.
- CVE-2016-5133: Origin confusion in proxy authentication.
- CVE-2016-5134: URL leakage via PAC script.
- CVE-2016-5135: Content-Security-Policy bypass.
- CVE-2016-5136: Use after free in extensions.
- CVE-2016-5137: History sniffing with HSTS and CSP.
- CVE-2016-1705: Various fixes from internal audits, fuzzing and other
initiatives
* Upstream release 51.0.2704.106
* Upstream release 51.0.2704.103:
- CVE-2016-1704: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/control: remove build-dep on clang.
* debian/rules: Disable Google Now. Creepy. Might mean downloads of opaque
programs too.
* debian/rules: Disable Wallet service.
* debian/rules: Remove precise-specific conditions. More simple.
* debian/rules: In install-validation, don't use mktemp. Hard-code
destination.
* debian/patches/gsettings-display-scaling: Disable because code moved and
needs refactoring.
* debian/patches/display-scaling-default-value: Disable because probably not
needed any more.
* debian/rules: widevine cdm is not really available in this source. No
longer lie about that.
* Set new GOOG keys to bisect service overuse problem.
* debian/patches/linux45-madvfree: If MADV_FREE is not defined, do not allow
it in sandbox filter. Also, undefine it so we don't use MADV_FREE and
thereby depend on it at runtime.
* debian/rules: Use gold ld to link.
* debian/rules: Kill delete-null-pointer-checks. In the javascript engine,
we can not assume a memory access to address zero always results in a
trap.
* debian/patches/gsettings-display-scaling,
debian/patches/display-scaling-default-value, reenable DPI scaling taken
from dconf.
* debian/rules: explicitly set target arch for arm64.
* debian/patches/series, debian/rules: Re-enable widevine component.
-- Chad MILLER <email address hidden> Thu, 29 Sep 2016 16:54:11 -0400
-
chromium-browser (51.0.2704.79-0ubuntu2~cm1) yakkety; urgency=medium
* debian/rules: Don't use tcmalloc on armhf.
-- Chad MILLER <email address hidden> Mon, 27 Jun 2016 06:14:58 -0400
-
chromium-browser (50.0.2661.102-0ubuntu1.1242) yakkety; urgency=medium
* Upstream release 50.0.2661.102:
- CVE-2016-1667: Same origin bypass in DOM.
- CVE-2016-1668: Same origin bypass in Blink V8 bindings.
- CVE-2016-1669: Buffer overflow in V8.
- CVE-2016-1670: Race condition in loader.
- CVE-2016-1671: Directory traversal using the file scheme on Android.
* Upstream release 50.0.2661.94:
- CVE-2016-1660: Out-of-bounds write in Blink.
- CVE-2016-1661: Memory corruption in cross-process frames.
- CVE-2016-1662: Use-after-free in extensions.
- CVE-2016-1663: Use-after-free in Blink’s V8 bindings.
- CVE-2016-1664: Address bar spoofing.
- CVE-2016-1665: Information leak in V8.
- CVE-2016-1666: Various fixes from internal audits, fuzzing and other
initiatives.
* Upstream release 50.0.2661.75:
- CVE-2016-1652: Universal XSS in extension bindings.
- CVE-2016-1653: Out-of-bounds write in V8.
- CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding.
- CVE-2016-1654: Uninitialized memory read in media.
- CVE-2016-1655: Use-after-free related to extensions.
- CVE-2016-1656: Android downloaded file path restriction bypass.
- CVE-2016-1657: Address bar spoofing.
- CVE-2016-1658: Potential leak of sensitive information to malicious
extensions.
- CVE-2015-1659: Various fixes from internal audits, fuzzing and other
initiatives.
* debian/patches/seccomp-allow-set-robust-list: pass through syscall
set_robust_list. glibc nptl thread creation uses it.
* debian/rules: use new libsecret way of contacting keyring.
* debian/patches/blink-platform-export-class: avoid Trusty bug where
WebKit Platform class vtable not found at link time.
* debian/apport/chromium-browser.py: Handle case when crash and no
chromium directory exists. Still report errors in apport.
-- Chad MILLER <email address hidden> Fri, 13 May 2016 10:52:23 -0400
-
chromium-browser (49.0.2623.108-0ubuntu1.1233) xenial; urgency=medium
* Upstream release 49.0.2623.108:
- CVE-2016-1646: Out-of-bounds read in V8.
- CVE-2016-1647: Use-after-free in Navigation.
- CVE-2016-1648: Use-after-free in Extensions.
- CVE-2016-1649: Buffer overflow in libANGLE.
- CVE-2016-1650: Various fixes from internal audits, fuzzing and other
initiatives.
- Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch
(currently 4.9.385.33).
-- Chad MILLER <email address hidden> Thu, 24 Mar 2016 16:52:52 -0400