Debian DSA-3376-1 : chromium-browser - security update

high Nessus Plugin ID 86486

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2015-1303 Mariusz Mlynski discovered a way to bypass the Same Origin Policy in the DOM implementation.

- CVE-2015-1304 Mariusz Mlynski discovered a way to bypass the Same Origin Policy in the v8 JavaScript library.

- CVE-2015-6755 Mariusz Mlynski discovered a way to bypass the Same Origin Policy in blink/webkit.

- CVE-2015-6756 A use-after-free issue was found in the pdfium library.

- CVE-2015-6757 Collin Payne found a use-after-free issue in the ServiceWorker implementation.

- CVE-2015-6758 Atte Kettunen found an issue in the pdfium library.

- CVE-2015-6759 Muneaki Nishimura discovered an information leak.

- CVE-2015-6760 Ronald Crane discovered a logic error in the ANGLE library involving lost device events.

- CVE-2015-6761 Aki Helin and Khalil Zhani discovered a memory corruption issue in the ffmpeg library.

- CVE-2015-6762 Muneaki Nishimura discovered a way to bypass the Same Origin Policy in the CSS implementation.

- CVE-2015-6763 The Chrome 46 development team found and fixed various issues during internal auditing. Also, multiple issues were fixed in the v8 JavaScript library, version 4.6.85.23.

Solution

Upgrade the chromium-browser packages.

For the stable distribution (jessie), these problems have been fixed in version 46.0.2490.71-1~deb8u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2015-1303

https://security-tracker.debian.org/tracker/CVE-2015-1304

https://security-tracker.debian.org/tracker/CVE-2015-6755

https://security-tracker.debian.org/tracker/CVE-2015-6756

https://security-tracker.debian.org/tracker/CVE-2015-6757

https://security-tracker.debian.org/tracker/CVE-2015-6758

https://security-tracker.debian.org/tracker/CVE-2015-6759

https://security-tracker.debian.org/tracker/CVE-2015-6760

https://security-tracker.debian.org/tracker/CVE-2015-6761

https://security-tracker.debian.org/tracker/CVE-2015-6762

https://security-tracker.debian.org/tracker/CVE-2015-6763

https://packages.debian.org/source/jessie/chromium-browser

https://www.debian.org/security/2015/dsa-3376

Plugin Details

Severity: High

ID: 86486

File Name: debian_DSA-3376.nasl

Version: 1.7

Type: local

Agent: unix

Published: 10/21/2015

Updated: 1/11/2021

Dependencies: ssh_get_info.nasl

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium-browser, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 10/20/2015

Reference Information

CVE: CVE-2015-1303, CVE-2015-1304, CVE-2015-6755, CVE-2015-6756, CVE-2015-6757, CVE-2015-6758, CVE-2015-6759, CVE-2015-6760, CVE-2015-6761, CVE-2015-6762, CVE-2015-6763

DSA: 3376