Debian DSA-4562-1 : chromium - security update

Medium Nessus Plugin ID 130774

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 9.4

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2019-5869 Zhe Jin discovered a use-after-free issue.

- CVE-2019-5870 Guang Gong discovered a use-after-free issue.

- CVE-2019-5871 A buffer overflow issue was discovered in the skia library.

- CVE-2019-5872 Zhe Jin discovered a use-after-free issue.

- CVE-2019-5874 James Lee discovered an issue with external Uniform Resource Identifiers.

- CVE-2019-5875 Khalil Zhani discovered a URL spoofing issue.

- CVE-2019-5876 Man Yue Mo discovered a use-after-free issue.

- CVE-2019-5877 Guang Gong discovered an out-of-bounds read issue.

- CVE-2019-5878 Guang Gong discovered an use-after-free issue in the v8 JavaScript library.

- CVE-2019-5879 Jinseo Kim discover that extensions could read files on the local system.

- CVE-2019-5880 Jun Kokatsu discovered a way to bypass the SameSite cookie feature.

- CVE-2019-13659 Lnyas Zhang discovered a URL spoofing issue.

- CVE-2019-13660 Wenxu Wu discovered a user interface error in full screen mode.

- CVE-2019-13661 Wenxu Wu discovered a user interface spoofing issue in full screen mode.

- CVE-2019-13662 David Erceg discovered a way to bypass the Content Security Policy.

- CVE-2019-13663 Lnyas Zhang discovered a way to spoof Internationalized Domain Names.

- CVE-2019-13664 Thomas Shadwell discovered a way to bypass the SameSite cookie feature.

- CVE-2019-13665 Jun Kokatsu discovered a way to bypass the multiple file download protection feature.

- CVE-2019-13666 Tom Van Goethem discovered an information leak.

- CVE-2019-13667 Khalil Zhani discovered a URL spoofing issue.

- CVE-2019-13668 David Erceg discovered an information leak.

- CVE-2019-13669 Khalil Zhani discovered an authentication spoofing issue.

- CVE-2019-13670 Guang Gong discovered a memory corruption issue in the v8 JavaScript library.

- CVE-2019-13671 xisigr discovered a user interface error.

- CVE-2019-13673 David Erceg discovered an information leak.

- CVE-2019-13674 Khalil Zhani discovered a way to spoof Internationalized Domain Names.

- CVE-2019-13675 Jun Kokatsu discovered a way to disable extensions.

- CVE-2019-13676 Wenxu Wu discovered an error in a certificate warning.

- CVE-2019-13677 Jun Kokatsu discovered an error in the chrome web store.

- CVE-2019-13678 Ronni Skansing discovered a spoofing issue in the download dialog window.

- CVE-2019-13679 Conrad Irwin discovered that user activation was not required for printing.

- CVE-2019-13680 Thijs Alkamade discovered an IP address spoofing issue.

- CVE-2019-13681 David Erceg discovered a way to bypass download restrictions.

- CVE-2019-13682 Jun Kokatsu discovered a way to bypass the site isolation feature.

- CVE-2019-13683 David Erceg discovered an information leak.

- CVE-2019-13685 Khalil Zhani discovered a use-after-free issue.

- CVE-2019-13686 Brendon discovered a use-after-free issue.

- CVE-2019-13687 Man Yue Mo discovered a use-after-free issue.

- CVE-2019-13688 Man Yue Mo discovered a use-after-free issue.

- CVE-2019-13691 David Erceg discovered a user interface spoofing issue.

- CVE-2019-13692 Jun Kokatsu discovered a way to bypass the Same Origin Policy.

- CVE-2019-13693 Guang Gong discovered a use-after-free issue.

- CVE-2019-13694 banananapenguin discovered a use-after-free issue.

- CVE-2019-13695 Man Yue Mo discovered a use-after-free issue.

- CVE-2019-13696 Guang Gong discovered a use-after-free issue in the v8 JavaScript library.

- CVE-2019-13697 Luan Herrera discovered an information leak.

- CVE-2019-13699 Man Yue Mo discovered a use-after-free issue.

- CVE-2019-13700 Man Yue Mo discovered a buffer overflow issue.

- CVE-2019-13701 David Erceg discovered a URL spoofing issue.

- CVE-2019-13702 Phillip Langlois and Edward Torkington discovered a privilege escalation issue in the installer.

- CVE-2019-13703 Khalil Zhani discovered a URL spoofing issue.

- CVE-2019-13704 Jun Kokatsu discovered a way to bypass the Content Security Policy.

- CVE-2019-13705 Luan Herrera discovered a way to bypass extension permissions.

- CVE-2019-13706 pdknsk discovered an out-of-bounds read issue in the pdfium library.

- CVE-2019-13707 Andrea Palazzo discovered an information leak.

- CVE-2019-13708 Khalil Zhani discovered an authentication spoofing issue.

- CVE-2019-13709 Zhong Zhaochen discovered a way to bypass download restrictions.

- CVE-2019-13710 bernardo.mrod discovered a way to bypass download restrictions.

- CVE-2019-13711 David Erceg discovered an information leak.

- CVE-2019-13713 David Erceg discovered an information leak.

- CVE-2019-13714 Jun Kokatsu discovered an issue with Cascading Style Sheets.

- CVE-2019-13715 xisigr discovered a URL spoofing issue.

- CVE-2019-13716 Barron Hagerman discovered an error in the service worker implementation.

- CVE-2019-13717 xisigr discovered a user interface spoofing issue.

- CVE-2019-13718 Khalil Zhani discovered a way to spoof Internationalized Domain Names.

- CVE-2019-13719 Khalil Zhani discovered a user interface spoofing issue.

- CVE-2019-13720 Anton Ivanov and Alexey Kulaev discovered a use-after-free issue.

- CVE-2019-13721 banananapenguin discovered a use-after-free issue in the pdfium library.

Solution

Upgrade the chromium packages.

For the oldstable distribution (stretch), support for chromium has been discontinued. Please upgrade to the stable release (buster) to continue receiving chromium updates or switch to firefox, which continues to be supported in the oldstable release.

For the stable distribution (buster), these problems have been fixed in version 78.0.3904.97-1~deb10u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2019-5869

https://security-tracker.debian.org/tracker/CVE-2019-5870

https://security-tracker.debian.org/tracker/CVE-2019-5871

https://security-tracker.debian.org/tracker/CVE-2019-5872

https://security-tracker.debian.org/tracker/CVE-2019-5874

https://security-tracker.debian.org/tracker/CVE-2019-5875

https://security-tracker.debian.org/tracker/CVE-2019-5876

https://security-tracker.debian.org/tracker/CVE-2019-5877

https://security-tracker.debian.org/tracker/CVE-2019-5878

https://security-tracker.debian.org/tracker/CVE-2019-5879

https://security-tracker.debian.org/tracker/CVE-2019-5880

https://security-tracker.debian.org/tracker/CVE-2019-13659

https://security-tracker.debian.org/tracker/CVE-2019-13660

https://security-tracker.debian.org/tracker/CVE-2019-13661

https://security-tracker.debian.org/tracker/CVE-2019-13662

https://security-tracker.debian.org/tracker/CVE-2019-13663

https://security-tracker.debian.org/tracker/CVE-2019-13664

https://security-tracker.debian.org/tracker/CVE-2019-13665

https://security-tracker.debian.org/tracker/CVE-2019-13666

https://security-tracker.debian.org/tracker/CVE-2019-13667

https://security-tracker.debian.org/tracker/CVE-2019-13668

https://security-tracker.debian.org/tracker/CVE-2019-13669

https://security-tracker.debian.org/tracker/CVE-2019-13670

https://security-tracker.debian.org/tracker/CVE-2019-13671

https://security-tracker.debian.org/tracker/CVE-2019-13673

https://security-tracker.debian.org/tracker/CVE-2019-13674

https://security-tracker.debian.org/tracker/CVE-2019-13675

https://security-tracker.debian.org/tracker/CVE-2019-13676

https://security-tracker.debian.org/tracker/CVE-2019-13677

https://security-tracker.debian.org/tracker/CVE-2019-13678

https://security-tracker.debian.org/tracker/CVE-2019-13679

https://security-tracker.debian.org/tracker/CVE-2019-13680

https://security-tracker.debian.org/tracker/CVE-2019-13681

https://security-tracker.debian.org/tracker/CVE-2019-13682

https://security-tracker.debian.org/tracker/CVE-2019-13683

https://security-tracker.debian.org/tracker/CVE-2019-13685

https://security-tracker.debian.org/tracker/CVE-2019-13686

https://security-tracker.debian.org/tracker/CVE-2019-13687

https://security-tracker.debian.org/tracker/CVE-2019-13688

https://security-tracker.debian.org/tracker/CVE-2019-13691

https://security-tracker.debian.org/tracker/CVE-2019-13692

https://security-tracker.debian.org/tracker/CVE-2019-13693

https://security-tracker.debian.org/tracker/CVE-2019-13694

https://security-tracker.debian.org/tracker/CVE-2019-13695

https://security-tracker.debian.org/tracker/CVE-2019-13696

https://security-tracker.debian.org/tracker/CVE-2019-13697

https://security-tracker.debian.org/tracker/CVE-2019-13699

https://security-tracker.debian.org/tracker/CVE-2019-13700

https://security-tracker.debian.org/tracker/CVE-2019-13701

https://security-tracker.debian.org/tracker/CVE-2019-13702

https://security-tracker.debian.org/tracker/CVE-2019-13703

https://security-tracker.debian.org/tracker/CVE-2019-13704

https://security-tracker.debian.org/tracker/CVE-2019-13705

https://security-tracker.debian.org/tracker/CVE-2019-13706

https://security-tracker.debian.org/tracker/CVE-2019-13707

https://security-tracker.debian.org/tracker/CVE-2019-13708

https://security-tracker.debian.org/tracker/CVE-2019-13709

https://security-tracker.debian.org/tracker/CVE-2019-13710

https://security-tracker.debian.org/tracker/CVE-2019-13711

https://security-tracker.debian.org/tracker/CVE-2019-13713

https://security-tracker.debian.org/tracker/CVE-2019-13714

https://security-tracker.debian.org/tracker/CVE-2019-13715

https://security-tracker.debian.org/tracker/CVE-2019-13716

https://security-tracker.debian.org/tracker/CVE-2019-13717

https://security-tracker.debian.org/tracker/CVE-2019-13718

https://security-tracker.debian.org/tracker/CVE-2019-13719

https://security-tracker.debian.org/tracker/CVE-2019-13720

https://security-tracker.debian.org/tracker/CVE-2019-13721

https://security-tracker.debian.org/tracker/source-package/chromium

https://packages.debian.org/source/buster/chromium

https://www.debian.org/security/2019/dsa-4562

Plugin Details

Severity: Medium

ID: 130774

File Name: debian_DSA-4562.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2019/11/12

Updated: 2020/10/16

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 9.4

CVSS Score Source: CVE-2019-5878

CVSS v2.0

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium, cpe:/o:debian:debian_linux:10.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2019/11/10

Vulnerability Publication Date: 2019/11/25

Reference Information

CVE: CVE-2019-13659, CVE-2019-13660, CVE-2019-13661, CVE-2019-13662, CVE-2019-13663, CVE-2019-13664, CVE-2019-13665, CVE-2019-13666, CVE-2019-13667, CVE-2019-13668, CVE-2019-13669, CVE-2019-13670, CVE-2019-13671, CVE-2019-13673, CVE-2019-13674, CVE-2019-13675, CVE-2019-13676, CVE-2019-13677, CVE-2019-13678, CVE-2019-13679, CVE-2019-13680, CVE-2019-13681, CVE-2019-13682, CVE-2019-13683, CVE-2019-13685, CVE-2019-13686, CVE-2019-13687, CVE-2019-13688, CVE-2019-13691, CVE-2019-13692, CVE-2019-13693, CVE-2019-13694, CVE-2019-13695, CVE-2019-13696, CVE-2019-13697, CVE-2019-13699, CVE-2019-13700, CVE-2019-13701, CVE-2019-13702, CVE-2019-13703, CVE-2019-13704, CVE-2019-13705, CVE-2019-13706, CVE-2019-13707, CVE-2019-13708, CVE-2019-13709, CVE-2019-13710, CVE-2019-13711, CVE-2019-13713, CVE-2019-13714, CVE-2019-13715, CVE-2019-13716, CVE-2019-13717, CVE-2019-13718, CVE-2019-13719, CVE-2019-13720, CVE-2019-13721, CVE-2019-5869, CVE-2019-5870, CVE-2019-5871, CVE-2019-5872, CVE-2019-5874, CVE-2019-5875, CVE-2019-5876, CVE-2019-5877, CVE-2019-5878, CVE-2019-5879, CVE-2019-5880

DSA: 4562