Debian DSA-3660-1 : chromium-browser - security update

high Nessus Plugin ID 93325

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the chromium web browser.

- CVE-2016-5147 A cross-site scripting issue was discovered.

- CVE-2016-5148 Another cross-site scripting issue was discovered.

- CVE-2016-5149 Max Justicz discovered a script injection issue in extension handling.

- CVE-2016-5150 A use-after-free issue was discovered in Blink/Webkit.

- CVE-2016-5151 A use-after-free issue was discovered in the pdfium library.

- CVE-2016-5152 GiWan Go discovered a heap overflow issue in the pdfium library.

- CVE-2016-5153 Atte Kettunen discovered a use-after-destruction issue.

- CVE-2016-5154 A heap overflow issue was discovered in the pdfium library.

- CVE-2016-5155 An address bar spoofing issue was discovered.

- CVE-2016-5156 jinmo123 discovered a use-after-free issue.

- CVE-2016-5157 A heap overflow issue was discovered in the pdfium library.

- CVE-2016-5158 GiWan Go discovered a heap overflow issue in the pdfium library.

- CVE-2016-5159 GiWan Go discovered another heap overflow issue in the pdfium library.

- CVE-2016-5160 @l33terally discovered an extensions resource bypass.

- CVE-2016-5161 A type confusion issue was discovered.

- CVE-2016-5162 Nicolas Golubovic discovered an extensions resource bypass.

- CVE-2016-5163 Rafay Baloch discovered an address bar spoofing issue.

- CVE-2016-5164 A cross-site scripting issue was discovered in the developer tools.

- CVE-2016-5165 Gregory Panakkal discovered a script injection issue in the developer tools.

- CVE-2016-5166 Gregory Panakkal discovered an issue with the Save Page As feature.

- CVE-2016-5167 The chrome development team found and fixed various issues during internal auditing.

Solution

Upgrade the chromium-browser packages.

For the stable distribution (jessie), these problems have been fixed in version 53.0.2785.89-1~deb8u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2016-5147

https://security-tracker.debian.org/tracker/CVE-2016-5148

https://security-tracker.debian.org/tracker/CVE-2016-5149

https://security-tracker.debian.org/tracker/CVE-2016-5150

https://security-tracker.debian.org/tracker/CVE-2016-5151

https://security-tracker.debian.org/tracker/CVE-2016-5152

https://security-tracker.debian.org/tracker/CVE-2016-5153

https://security-tracker.debian.org/tracker/CVE-2016-5154

https://security-tracker.debian.org/tracker/CVE-2016-5155

https://security-tracker.debian.org/tracker/CVE-2016-5156

https://security-tracker.debian.org/tracker/CVE-2016-5157

https://security-tracker.debian.org/tracker/CVE-2016-5158

https://security-tracker.debian.org/tracker/CVE-2016-5159

https://security-tracker.debian.org/tracker/CVE-2016-5160

https://security-tracker.debian.org/tracker/CVE-2016-5161

https://security-tracker.debian.org/tracker/CVE-2016-5162

https://security-tracker.debian.org/tracker/CVE-2016-5163

https://security-tracker.debian.org/tracker/CVE-2016-5164

https://security-tracker.debian.org/tracker/CVE-2016-5165

https://security-tracker.debian.org/tracker/CVE-2016-5166

https://security-tracker.debian.org/tracker/CVE-2016-5167

https://packages.debian.org/source/jessie/chromium-browser

https://www.debian.org/security/2016/dsa-3660

Plugin Details

Severity: High

ID: 93325

File Name: debian_DSA-3660.nasl

Version: 2.12

Type: local

Agent: unix

Published: 9/6/2016

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:chromium-browser, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 9/5/2016

Vulnerability Publication Date: 9/11/2016

Reference Information

CVE: CVE-2016-5147, CVE-2016-5148, CVE-2016-5149, CVE-2016-5150, CVE-2016-5151, CVE-2016-5152, CVE-2016-5153, CVE-2016-5154, CVE-2016-5155, CVE-2016-5156, CVE-2016-5157, CVE-2016-5158, CVE-2016-5159, CVE-2016-5160, CVE-2016-5161, CVE-2016-5162, CVE-2016-5163, CVE-2016-5164, CVE-2016-5165, CVE-2016-5166, CVE-2016-5167

DSA: 3660