Debian DSA-4103-1 : chromium-browser - security update

high Nessus Plugin ID 106537

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2017-15420 Drew Springall discovered a URL spoofing issue.

- CVE-2017-15429 A cross-site scripting issue was discovered in the v8 JavaScript library.

- CVE-2018-6031 A use-after-free issue was discovered in the pdfium library.

- CVE-2018-6032 Jun Kokatsu discovered a way to bypass the same origin policy.

- CVE-2018-6033 Juho Nurminen discovered a race condition when opening downloaded files.

- CVE-2018-6034 Tobias Klein discovered an integer overflow issue.

- CVE-2018-6035 Rob Wu discovered a way for extensions to access devtools.

- CVE-2018-6036 UK's National Cyber Security Centre discovered an integer overflow issue.

- CVE-2018-6037 Paul Stone discovered an issue in the autofill feature.

- CVE-2018-6038 cloudfuzzer discovered a buffer overflow issue.

- CVE-2018-6039 Juho Nurminen discovered a cross-site scripting issue in the developer tools.

- CVE-2018-6040 WenXu Wu discovered a way to bypass the content security policy.

- CVE-2018-6041 Luan Herrera discovered a URL spoofing issue.

- CVE-2018-6042 Khalil Zhani discovered a URL spoofing issue.

- CVE-2018-6043 A character escaping issue was discovered.

- CVE-2018-6045 Rob Wu discovered a way for extensions to access devtools.

- CVE-2018-6046 Rob Wu discovered a way for extensions to access devtools.

- CVE-2018-6047 Masato Kinugawa discovered an information leak issue.

- CVE-2018-6048 Jun Kokatsu discovered a way to bypass the referrer policy.

- CVE-2018-6049 WenXu Wu discovered a user interface spoofing issue.

- CVE-2018-6050 Jonathan Kew discovered a URL spoofing issue.

- CVE-2018-6051 Antonio Sanso discovered an information leak issue.

- CVE-2018-6052 Tanner Emek discovered that the referrer policy implementation was incomplete.

- CVE-2018-6053 Asset Kabdenov discovered an information leak issue.

- CVE-2018-6054 Rob Wu discovered a use-after-free issue.

Solution

Upgrade the chromium-browser packages.

For the oldstable distribution (jessie), security support for chromium has been discontinued.

For the stable distribution (stretch), these problems have been fixed in version 64.0.3282.119-1~deb9u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2017-15420

https://security-tracker.debian.org/tracker/CVE-2017-15429

https://security-tracker.debian.org/tracker/CVE-2018-6031

https://security-tracker.debian.org/tracker/CVE-2018-6032

https://security-tracker.debian.org/tracker/CVE-2018-6033

https://security-tracker.debian.org/tracker/CVE-2018-6034

https://security-tracker.debian.org/tracker/CVE-2018-6035

https://security-tracker.debian.org/tracker/CVE-2018-6036

https://security-tracker.debian.org/tracker/CVE-2018-6037

https://security-tracker.debian.org/tracker/CVE-2018-6038

https://security-tracker.debian.org/tracker/CVE-2018-6039

https://security-tracker.debian.org/tracker/CVE-2018-6040

https://security-tracker.debian.org/tracker/CVE-2018-6041

https://security-tracker.debian.org/tracker/CVE-2018-6042

https://security-tracker.debian.org/tracker/CVE-2018-6043

https://security-tracker.debian.org/tracker/CVE-2018-6045

https://security-tracker.debian.org/tracker/CVE-2018-6046

https://security-tracker.debian.org/tracker/CVE-2018-6047

https://security-tracker.debian.org/tracker/CVE-2018-6048

https://security-tracker.debian.org/tracker/CVE-2018-6049

https://security-tracker.debian.org/tracker/CVE-2018-6050

https://security-tracker.debian.org/tracker/CVE-2018-6051

https://security-tracker.debian.org/tracker/CVE-2018-6052

https://security-tracker.debian.org/tracker/CVE-2018-6053

https://security-tracker.debian.org/tracker/CVE-2018-6054

http://www.nessus.org/u?e33901a2

https://packages.debian.org/source/stretch/chromium-browser

https://www.debian.org/security/2018/dsa-4103

Plugin Details

Severity: High

ID: 106537

File Name: debian_DSA-4103.nasl

Version: 3.8

Type: local

Agent: unix

Published: 2/1/2018

Updated: 7/15/2019

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium-browser, cpe:/o:debian:debian_linux:9.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 1/31/2018

Vulnerability Publication Date: 8/28/2018

Reference Information

CVE: CVE-2017-15420, CVE-2017-15429, CVE-2018-6031, CVE-2018-6032, CVE-2018-6033, CVE-2018-6034, CVE-2018-6035, CVE-2018-6036, CVE-2018-6037, CVE-2018-6038, CVE-2018-6039, CVE-2018-6040, CVE-2018-6041, CVE-2018-6042, CVE-2018-6043, CVE-2018-6045, CVE-2018-6046, CVE-2018-6047, CVE-2018-6048, CVE-2018-6049, CVE-2018-6050, CVE-2018-6051, CVE-2018-6052, CVE-2018-6053, CVE-2018-6054

DSA: 4103