Debian DSA-4256-1 : chromium-browser - security update

Medium Nessus Plugin ID 111360

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 7.3

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2018-4117 AhsanEjaz discovered an information leak.

- CVE-2018-6044 Rob Wu discovered a way to escalate privileges using extensions.

- CVE-2018-6150 Rob Wu discovered an information disclosure issue (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time).

- CVE-2018-6151 Rob Wu discovered an issue in the developer tools (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time).

- CVE-2018-6152 Rob Wu discovered an issue in the developer tools (this problem was fixed in a previous release but was mistakenly omitted from upstream's announcement at the time).

- CVE-2018-6153 Zhen Zhou discovered a buffer overflow issue in the skia library.

- CVE-2018-6154 Omair discovered a buffer overflow issue in the WebGL implementation.

- CVE-2018-6155 Natalie Silvanovich discovered a use-after-free issue in the WebRTC implementation.

- CVE-2018-6156 Natalie Silvanovich discovered a buffer overflow issue in the WebRTC implementation.

- CVE-2018-6157 Natalie Silvanovich discovered a type confusion issue in the WebRTC implementation.

- CVE-2018-6158 Zhe Jin discovered a use-after-free issue.

- CVE-2018-6159 Jun Kokatsu discovered a way to bypass the same origin policy.

- CVE-2018-6161 Jun Kokatsu discovered a way to bypass the same origin policy.

- CVE-2018-6162 Omair discovered a buffer overflow issue in the WebGL implementation.

- CVE-2018-6163 Khalil Zhani discovered a URL spoofing issue.

- CVE-2018-6164 Jun Kokatsu discovered a way to bypass the same origin policy.

- CVE-2018-6165 evil1m0 discovered a URL spoofing issue.

- CVE-2018-6166 Lynas Zhang discovered a URL spoofing issue.

- CVE-2018-6167 Lynas Zhang discovered a URL spoofing issue.

- CVE-2018-6168 Gunes Acar and Danny Y. Huang discovered a way to bypass the Cross Origin Resource Sharing policy.

- CVE-2018-6169 Sam P discovered a way to bypass permissions when installing extensions.

- CVE-2018-6170 A type confusion issue was discovered in the pdfium library.

- CVE-2018-6171 A use-after-free issue was discovered in the WebBluetooth implementation.

- CVE-2018-6172 Khalil Zhani discovered a URL spoofing issue.

- CVE-2018-6173 Khalil Zhani discovered a URL spoofing issue.

- CVE-2018-6174 Mark Brand discovered an integer overflow issue in the swiftshader library.

- CVE-2018-6175 Khalil Zhani discovered a URL spoofing issue.

- CVE-2018-6176 Jann Horn discovered a way to escalate privileges using extensions.

- CVE-2018-6177 Ron Masas discovered an information leak.

- CVE-2018-6178 Khalil Zhani discovered a user interface spoofing issue.

- CVE-2018-6179 It was discovered that information about files local to the system could be leaked to extensions.

This version also fixes a regression introduced in the previous security update that could prevent decoding of particular audio/video codecs.

Solution

Upgrade the chromium-browser packages.

For the stable distribution (stretch), these problems have been fixed in version 68.0.3440.75-1~deb9u1.

Debian DSA-4256-1 : chromium-browser - security update

Medium Nessus Plugin ID 111360

New! Vulnerability Priority Rating (VPR)

Synopsis

Description

Solution

See Also

Plugin Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerability Information

Reference Information