Debian DSA-3376-1 : chromium-browser - security update

High Nessus Plugin ID 86486


VPR Score: 6.7

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2015-1303 Mariusz Mlynski discovered a way to bypass the Same Origin Policy in the DOM implementation.

- CVE-2015-1304 Mariusz Mlynski discovered a way to bypass the Same Origin Policy in the v8 JavaScript library.

- CVE-2015-6755 Mariusz Mlynski discovered a way to bypass the Same Origin Policy in blink/webkit.

- CVE-2015-6756 A use-after-free issue was found in the pdfium library.

- CVE-2015-6757 Collin Payne found a use-after-free issue in the ServiceWorker implementation.

- CVE-2015-6758 Atte Kettunen found an issue in the pdfium library.

- CVE-2015-6759 Muneaki Nishimura discovered an information leak.

- CVE-2015-6760 Ronald Crane discovered a logic error in the ANGLE library involving lost device events.

- CVE-2015-6761 Aki Helin and Khalil Zhani discovered a memory corruption issue in the ffmpeg library.

- CVE-2015-6762 Muneaki Nishimura discovered a way to bypass the Same Origin Policy in the CSS implementation.

- CVE-2015-6763 The Chrome 46 development team found and fixed various issues during internal auditing. Also, multiple issues were fixed in the V8 JavaScript library, version 4.6.85.23.

Solution

Upgrade the chromium-browser packages.

For the stable distribution (jessie), these problems have been fixed in version 46.0.2490.71-1~deb8u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2015-1303

https://security-tracker.debian.org/tracker/CVE-2015-1304

https://security-tracker.debian.org/tracker/CVE-2015-6755

https://security-tracker.debian.org/tracker/CVE-2015-6756

https://security-tracker.debian.org/tracker/CVE-2015-6757

https://security-tracker.debian.org/tracker/CVE-2015-6758

https://security-tracker.debian.org/tracker/CVE-2015-6759

https://security-tracker.debian.org/tracker/CVE-2015-6760

https://security-tracker.debian.org/tracker/CVE-2015-6761

https://security-tracker.debian.org/tracker/CVE-2015-6762

https://security-tracker.debian.org/tracker/CVE-2015-6763

https://packages.debian.org/source/jessie/chromium-browser

https://www.debian.org/security/2015/dsa-3376

Plugin Details

Severity: High

ID: 86486

File Name: debian_DSA-3376.nasl

Version: 1.6

Type: local

Agent: unix

Published: 2015/10/21

Updated: 2020/09/23

Dependencies: 12634

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium-browser, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Patch Publication Date: 2015/10/20

Reference Information

CVE: CVE-2015-1303, CVE-2015-1304, CVE-2015-6755, CVE-2015-6756, CVE-2015-6757, CVE-2015-6758, CVE-2015-6759, CVE-2015-6760, CVE-2015-6761, CVE-2015-6762, CVE-2015-6763

DSA: 3376