http://googlechromereleases.blogspot.com/2015/09/stable-channel-update.html

openSUSE-SU-2015:1586

openSUSE-SU-2015:1873

RHSA-2015:1712

DSA-3351

1033472

https://code.google.com/p/chromium/issues/detail?id=492263

https://codereview.chromium.org/1188433011/

GLSA-201603-09

The remote host is affected by the vulnerability described in GLSA-201603-09 (Chromium: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the Chromium web       browser. Please review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code with the       privileges of the process, cause a Denial of Service condition, obtain       sensitive information, or bypass security restrictions.
  Workaround :

    There is no known workaround at this time.

Qt 5 was updated to the 5.5.1 release to deliver upstream improvements and fixes to Qt functionality.

The following Security fixes are contained in QtWebEngineCore :

  - ICU: CVE-2014-8146, CVE-2014-8147

  - Blink: CVE-2015-1284, CVE-2015-1291, CVE-2015-1292

  - Skia: CVE-2015-1294

  - V8: CVE-2015-1290

The following packages were rebuilt because they use private headers :

  - calibre

  - fcitx-qt5

  - frameworkintegration

  - kwayland

  - kwin5,

  - lxqt-powermanagement

  - lxqt-qtplugin

Chromium was updated to the 45.0.2454.85 of the stable channel to fix multiple security issues.

The following vulnerabilities were fixed :

  - CVE-2015-1291: Cross-origin bypass in DOM

  - CVE-2015-1292: Cross-origin bypass in ServiceWorker

  - CVE-2015-1293: Cross-origin bypass in DOM

  - CVE-2015-1294: Use-after-free in Skia

  - CVE-2015-1295: Use-after-free in Printing

  - CVE-2015-1296: Character spoofing in omnibox

  - CVE-2015-1297: Permission scoping error in WebRequest

  - CVE-2015-1298: URL validation error in extensions

  - CVE-2015-1299: Use-after-free in Blink

  - CVE-2015-1300: Information leak in Blink

  - CVE-2015-1301: Various fixes from internal audits,     fuzzing and other initiatives.

Updated chromium-browser packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Chromium is an open source web browser, powered by WebKit (Blink).

Several flaws were found in the processing of malformed web content. A web page containing malicious content could cause Chromium to crash or, potentially, execute arbitrary code with the privileges of the user running Chromium. (CVE-2015-1291, CVE-2015-1292, CVE-2015-1293, CVE-2015-1294, CVE-2015-1295, CVE-2015-1296, CVE-2015-1297, CVE-2015-1298, CVE-2015-1299, CVE-2015-1300, CVE-2015-1301)

All Chromium users should upgrade to these updated packages, which contain Chromium version 45.0.2454.85, which corrects these issues.
After installing the update, Chromium must be restarted for the changes to take effect.

It was discovered that the DOM tree could be corrupted during parsing in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions or cause a denial of service.
(CVE-2015-1291)

An issue was discovered in NavigatorServiceWorker::serviceWorker in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions. (CVE-2015-1292)

An issue was discovered in the DOM implementation in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to bypass same-origin restrictions.
(CVE-2015-1293)

A use-after-free was discovered in Skia. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2015-1294)

A use-after-free was discovered in the shared-timer implementation in Blink. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via renderer crash, or execute arbitrary code with the privileges of the sandboxed render process. (CVE-2015-1299)

It was discovered that the availability of iframe Resource Timing API times was not properly restricted in some circumstances. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to obtain sensitive information.
(CVE-2015-1300)

Multiple security issues were discovered in Chromium. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to read uninitialized memory, cause a denial of service via application crash or execute arbitrary code with the privileges of the user invoking the program. (CVE-2015-1301)

A heap corruption issue was discovered in oxide::JavaScriptDialogManager. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking the program.
(CVE-2015-1332).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Google Chrome installed on the remote Windows host is prior to 45.0.2454.85 and is affected by multiple vulnerabilities :

 - A cross-origin bypass vulnerability exists due to a flaw in the 'ContainerNode::parserRemoveChild()' function in 'ContainerNode.cpp' wherein user scripts may unexpectedly run in 'onunload' handlers during Document Object Model (DOM) modification. A remote attacker can exploit this, via a specially crafted web page, to bypass cross-origin restrictions. (CVE-2015-1291)
 - A cross-origin bypass vulnerability exists due to a flaw in the 'LocalDOMWindow::navigator()' function in 'LocalDOMWindow.cpp' wherein an incorrect navigator associated with a frame may be returned. A remote attacker can exploit this, via a specially crafted web page, to bypass cross-origin restrictions. (CVE-2015-1292)
 - An unspecified cross-origin bypass vulnerability exists that allows a remote attacker, via a specially crafted web page, to bypass cross-origin restrictions. (CVE-2015-1293)
 - A use-after-free error exists in the 'SkMatrix::invertNonIdentity()' function in 'SkMatrix.cpp'. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code. (CVE-2015-1294)
 - A use-after-free error exists in 'print_web_view_helper.cc' that is triggered when handling nested IPC handlers. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code. (CVE-2015-1295)
 - A spoofing vulnerability exists due to a flaw that is triggered when displaying a URL containing certain characters in an omnibox. A remote attacker can exploit this to include characters that may look like a padlock, spoofing a secure connection. (CVE-2015-1296)
 - An unspecified flaw exists related to permission scoping as requests in an extension are not hidden from other extensions. (CVE-2015-1297)
 - An unspecified URL handling issue exists as the URL to be opened after an extension is uninstalled is not restricted to HTTP and HTTPS. (CVE-2015-1298)
 - A use-after-free error exists due to improper validation of user-supplied input. A remote attacker can exploit this to dereference already freed memory, potentially resulting in the execution of arbitrary code. (CVE-2015-1299)
 - An unspecified information disclosure vulnerability exists in Blink. (CVE-2015-1300)
 - Multiple unspecified flaws exist that allow an attacker to have unspecified medium severity impact. (CVE-2015-1301)
 - A flaw in Google V8 affects 'heap/heap.cc' when handling background tab heap growing. This may allow a context-dependent attacker to have an unspecified impact. (CVE-2015-6580)
 - The decompose function in 'platform/transforms/TransformationMatrix.cpp' in Blink does not verify that a matrix inversion succeeded, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted web site. (CVE-2015-6582)
 - A location bar is not displayed for a hosted app's window after navigation away from the installation site, which might make it easier for remote attackers to spoof content via a crafted app, related to 'browser.cc' and 'hosted_app_browser_controller.cc'. (CVE-2015-6583)
 - OpenJPEG contains a double-free flaw in the opj_j2k_copy_default_tcp_and_create_tcp() function in 'lib/openjp2/j2k.c'. This may allow a context-dependent attacker to crash an application linked against the library or potentially execute arbitrary code. This issue was originally reported as fixed in Google Chrome version 44.0.2403.89 as part of bug 459215. However, it was later reported as fixed in version 45.0.2454.85. (CVE-2015-1273, CVE-2015-1301, CVE-2015-6581)

Several vulnerabilities have been discovered in the chromium web browser.

  - CVE-2015-1291     A cross-origin bypass issue was discovered in DOM.

  - CVE-2015-1292     Mariusz Mlynski discovered a cross-origin bypass issue     in ServiceWorker.

  - CVE-2015-1293     Mariusz Mlynski discovered a cross-origin bypass issue     in DOM.

  - CVE-2015-1294     cloudfuzzer discovered a use-after-free issue in the     Skia graphics library.

  - CVE-2015-1295     A use-after-free issue was discovered in the printing     component.

  - CVE-2015-1296     zcorpan discovered a character spoofing issue.

  - CVE-2015-1297     Alexander Kashev discovered a permission scoping error.

  - CVE-2015-1298     Rob Wu discovered an error validating the URL of     extensions.

  - CVE-2015-1299     taro.suzuki.dev discovered a use-after-free issue in the     Blink/WebKit library.

  - CVE-2015-1300     cgvwzq discovered an information disclosure issue in the     Blink/WebKit library.

  - CVE-2015-1301     The chrome 45 development team found and fixed various     issues during internal auditing. Also multiple issues     were fixed in the libv8 library, version 4.5.103.29.

Google Chrome Releases reports :

29 security fixes in this release, including :

- [516377] High CVE-2015-1291: Cross-origin bypass in DOM. Credit to anonymous.

- [522791] High CVE-2015-1292: Cross-origin bypass in ServiceWorker.
Credit to Mariusz Mlynski.

- [524074] High CVE-2015-1293: Cross-origin bypass in DOM. Credit to Mariusz Mlynski.

- [492263] High CVE-2015-1294: Use-after-free in Skia. Credit to cloudfuzzer.

- [502562] High CVE-2015-1295: Use-after-free in Printing. Credit to anonymous.

- [421332] High CVE-2015-1296: Character spoofing in omnibox. Credit to zcorpan.

- [510802] Medium CVE-2015-1297: Permission scoping error in Webrequest. Credit to Alexander Kashev.

- [518827] Medium CVE-2015-1298: URL validation error in extensions.
Credit to Rob Wu.

- [416362] Medium CVE-2015-1299: Use-after-free in Blink. Credit to taro.suzuki.dev.

- [511616] Medium CVE-2015-1300: Information leak in Blink. Credit to cgvwzq.

- [526825] CVE-2015-1301: Various fixes from internal audits, fuzzing and other initiatives.

The version of Google Chrome installed on the remote Mac OS X host is prior to 45.0.2454.85. It is, therefore, affected by multiple vulnerabilities :

  - A cross-origin bypass vulnerability exists due to a flaw     in the ContainerNode::parserRemoveChild() function in     ContainerNode.cpp wherein user scripts may unexpectedly     run in 'onunload' handlers during Document Object Model     (DOM) modification. A remote attacker can exploit this,     via a specially crafted web page, to bypass cross-origin     restrictions. (CVE-2015-1291)

  - A cross-origin bypass vulnerability exists due to a flaw     in the LocalDOMWindow::navigator() function in     LocalDOMWindow.cpp wherein an incorrect navigator     associated with a frame may be returned. A remote     attacker can exploit this, via a specially crafted web     page, to bypass cross-origin restrictions.
    (CVE-2015-1292)

  - An unspecified cross-origin bypass vulnerability exists     that allows a remote attacker, via a specially crafted     web page, to bypass cross-origin restrictions.
    (CVE-2015-1293)

  - A use-after-free error exists in the     SkMatrix::invertNonIdentity() function in SkMatrix.cpp.
    A remote attacker can exploit this to dereference     already freed memory, potentially resulting in the     execution of arbitrary code. (CVE-2015-1294)

  - A use-after-free error exists in     print_web_view_helper.cc that is triggered when handling     nested IPC handlers. A remote attacker can exploit this     to dereference already freed memory, potentially     resulting in the execution of arbitrary code.
    (CVE-2015-1295)

  - A spoofing vulnerability exists due to a flaw that is     triggered when displaying a URL containing certain     characters in an omnibox. A remote attacker can exploit     this to include characters that may look like a padlock,     spoofing a secure connection. (CVE-2015-1296)

  - An unspecified flaw exists related to permission scoping     as requests in an extension are not hidden from other     extensions. (CVE-2015-1297)

  - An unspecified URL handling issue exists as the URL to     be opened after an extension is uninstalled is not     restricted to HTTP and HTTPS. (CVE-2015-1298)

  - A use-after-free error exists due to improper validation     of user-supplied input. A remote attacker can exploit     this to dereference already freed memory, potentially     resulting in the execution of arbitrary code.
    (CVE-2015-1299)

  - An unspecified information disclosure vulnerability     exists in Blink. (CVE-2015-1300)

  - Multiple unspecified flaws exist that allow an attacker     to have unspecified medium severity impact.
    (CVE-2015-1301)

The version of Google Chrome installed on the remote Windows host is prior to 45.0.2454.85. It is, therefore, affected by multiple vulnerabilities :

  - A cross-origin bypass vulnerability exists due to a flaw     in the ContainerNode::parserRemoveChild() function in     ContainerNode.cpp wherein user scripts may unexpectedly     run in 'onunload' handlers during Document Object Model     (DOM) modification. A remote attacker can exploit this,     via a specially crafted web page, to bypass cross-origin     restrictions. (CVE-2015-1291)

  - A cross-origin bypass vulnerability exists due to a flaw     in the LocalDOMWindow::navigator() function in     LocalDOMWindow.cpp wherein an incorrect navigator     associated with a frame may be returned. A remote     attacker can exploit this, via a specially crafted web     page, to bypass cross-origin restrictions.
    (CVE-2015-1292)

  - An unspecified cross-origin bypass vulnerability exists     that allows a remote attacker, via a specially crafted     web page, to bypass cross-origin restrictions.
    (CVE-2015-1293)

  - A use-after-free error exists in the     SkMatrix::invertNonIdentity() function in SkMatrix.cpp.
    A remote attacker can exploit this to dereference     already freed memory, potentially resulting in the     execution of arbitrary code. (CVE-2015-1294)

  - A use-after-free error exists in     print_web_view_helper.cc that is triggered when handling     nested IPC handlers. A remote attacker can exploit this     to dereference already freed memory, potentially     resulting in the execution of arbitrary code.
    (CVE-2015-1295)

  - A spoofing vulnerability exists due to a flaw that is     triggered when displaying a URL containing certain     characters in an omnibox. A remote attacker can exploit     this to include characters that may look like a padlock,     spoofing a secure connection. (CVE-2015-1296)

  - An unspecified flaw exists related to permission scoping     as requests in an extension are not hidden from other     extensions. (CVE-2015-1297)

  - An unspecified URL handling issue exists as the URL to     be opened after an extension is uninstalled is not     restricted to HTTP and HTTPS. (CVE-2015-1298)

  - A use-after-free error exists due to improper validation     of user-supplied input. A remote attacker can exploit     this to dereference already freed memory, potentially     resulting in the execution of arbitrary code.
    (CVE-2015-1299)

  - An unspecified information disclosure vulnerability     exists in Blink. (CVE-2015-1300)

  - Multiple unspecified flaws exist that allow an attacker     to have unspecified medium severity impact.
    (CVE-2015-1301)

ID	Name	Product	Family	Severity
89902	GLSA-201603-09 : Chromium: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
87627	openSUSE Security Update : Qt 5 (openSUSE-2015-953)	Nessus	SuSE Local Security Checks	high
86056	openSUSE Security Update : Chromium (openSUSE-2015-595)	Nessus	SuSE Local Security Checks	high
85974	RHEL 6 : chromium-browser (RHSA-2015:1712)	Nessus	Red Hat Local Security Checks	high
85872	Ubuntu 14.04 LTS / 15.04 : oxide-qt vulnerabilities (USN-2735-1)	Nessus	Ubuntu Local Security Checks	high
8854	Google Chrome < 45.0.2454.85 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	high
85770	Debian DSA-3351-1 : chromium-browser - security update	Nessus	Debian Local Security Checks	high
85758	FreeBSD : chromium -- multiple vulnerabilities (a9350df8-5157-11e5-b5c1-e8e0b747a45a)	Nessus	FreeBSD Local Security Checks	high
85744	Google Chrome < 45.0.2454.85 Multiple Vulnerabilities (Mac OS X)	Nessus	MacOS X Local Security Checks	high
85743	Google Chrome < 45.0.2454.85 Multiple Vulnerabilities	Nessus	Windows	high

CVE-2015-1294

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high