chromium: Update to version 90.0.4430.72 (security-fixes)

Debian Bug report logs - #987053

Reported by: Sedat Dilek <sedat.dilek@gmail.com>

Date: Fri, 16 Apr 2021 13:57:02 UTC

Severity: normal

Tags: security

Found in version chromium/89.0.4389.114-1

Fixed in version chromium/90.0.4430.72-1

Done: Michel Le Bihan <michel@lebihan.pl>



Report forwarded to debian-bugs-dist@lists.debian.org, sedat.dilek@gmail.com, Debian Chromium Team <chromium@packages.debian.org>:
Bug#987053; Package chromium. (Fri, 16 Apr 2021 13:57:04 GMT)


Acknowledgement sent to Sedat Dilek <sedat.dilek@gmail.com>:
New Bug report received and forwarded. Copy sent to sedat.dilek@gmail.com, Debian Chromium Team <chromium@packages.debian.org>. (Fri, 16 Apr 2021 13:57:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sedat Dilek <sedat.dilek@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: chromium: Update to version 90.0.4430.72 (security-fixes)
Date: Fri, 16 Apr 2021 15:54:03 +0200
Package: chromium
Version: 89.0.4389.114-1
Severity: normal
X-Debbugs-Cc: sedat.dilek@gmail.com

Dear Maintainer,

Google released the Chrome web browser version 90.0.4430.72 with several CVEs, some of them with "high" risk.
For details please see [1].

Debian's security tracker [2] lists the following open issues:

Bug		stretch		buster		bullseye	sid		Description
CVE-2021-21221	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21220	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21219	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21218	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21217	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21216	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21215	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21214	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21213	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21212	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21211	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21210	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21209	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21208	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21207	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21206	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21205	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21204	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21203	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21202	vulnerable	vulnerable	vulnerable	vulnerable	
CVE-2021-21201	vulnerable	vulnerable	vulnerable	vulnerable

Please update chromium to the same version as Google Chrome.

Thanks.

Regards,
- Sedat -


[1] https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_14.html
[2] https://security-tracker.debian.org/tracker/source-package/chromium
[3] https://www.heise.de/news/Sicherheitsupdates-Mehrere-gefaehrliche-Luecken-in-Chrome-gestopft-6017779.html (German)

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing'), (99, 'buildd-unstable'), (99, 'buildd-experimental'), (99, 'experimental'), (99, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.12.0-rc7-3-amd64-clang12-lto (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chromium depends on:
ii  chromium-common      89.0.4389.114-1
ii  libasound2           1.2.4-1.1
ii  libatk-bridge2.0-0   2.38.0-1
ii  libatk1.0-0          2.36.0-2
ii  libatomic1           10.2.1-6
ii  libatspi2.0-0        2.38.0-2
ii  libavcodec58         7:4.3.2-0+deb11u1
ii  libavformat58        7:4.3.2-0+deb11u1
ii  libavutil56          7:4.3.2-0+deb11u1
ii  libc6                2.31-11
ii  libcairo2            1.16.0-5
ii  libcups2             2.3.3op2-3
ii  libdbus-1-3          1.12.20-2
ii  libdrm2              2.4.104-1
ii  libevent-2.1-7       2.1.12-stable-1
ii  libexpat1            2.2.10-2
ii  libflac8             1.3.3-2
ii  libfontconfig1       2.13.1-4.2
ii  libfreetype6         2.10.4+dfsg-1
ii  libgbm1              20.3.5-1
ii  libgcc-s1            10.2.1-6
ii  libgdk-pixbuf-2.0-0  2.42.2+dfsg-1
ii  libglib2.0-0         2.66.8-1
ii  libgtk-3-0           3.24.24-3
ii  libharfbuzz0b        2.7.4-1
ii  libicu67             67.1-6
ii  libjpeg62-turbo      1:2.0.6-4
ii  libjsoncpp24         1.9.4-4
ii  liblcms2-2           2.12~rc1-2
ii  libminizip1          1.1-8+b1
ii  libnspr4             2:4.29-1
ii  libnss3              2:3.63-1
ii  libopenjp2-7         2.4.0-3
ii  libopus0             1.3.1-0.1
ii  libpango-1.0-0       1.46.2-3
ii  libpng16-16          1.6.37-3
ii  libpulse0            14.2-2
ii  libre2-9             20210201+dfsg-1
ii  libsnappy1v5         1.1.8-1
ii  libstdc++6           10.2.1-6
ii  libvpx6              1.9.0-1
ii  libwebp6             0.6.1-2+b1
ii  libwebpdemux2        0.6.1-2+b1
ii  libwebpmux3          0.6.1-2+b1
ii  libx11-6             2:1.7.0-2
ii  libxcb1              1.14-3
ii  libxcomposite1       1:0.4.5-1
ii  libxdamage1          1:1.1.5-2
ii  libxext6             2:1.3.3-1.1
ii  libxfixes3           1:5.0.3-2
ii  libxml2              2.9.10+dfsg-6.3+b1
ii  libxrandr2           2:1.5.1-1
ii  libxshmfence1        1.3-1
ii  libxslt1.1           1.1.34-4
ii  zlib1g               1:1.2.11.dfsg-2

Versions of packages chromium recommends:
ii  chromium-sandbox  89.0.4389.114-1

Versions of packages chromium suggests:
pn  chromium-driver  <none>
ii  chromium-l10n    89.0.4389.114-1
pn  chromium-shell   <none>

Versions of packages chromium-common depends on:
ii  libc6       2.31-11
ii  libstdc++6  10.2.1-6
ii  libx11-6    2:1.7.0-2
ii  libxext6    2:1.3.3-1.1
ii  x11-utils   7.7+5
ii  xdg-utils   1.1.3-4
ii  zlib1g      1:1.2.11.dfsg-2

Versions of packages chromium-common recommends:
ii  chromium-sandbox                        89.0.4389.114-1
ii  fonts-liberation                        1:1.07.4-11
ii  gnome-shell [notification-daemon]       3.38.4-1
ii  libgl1-mesa-dri                         20.3.5-1
ii  libu2f-udev                             1.1.10-3
ii  notification-daemon                     3.20.0-4
ii  plasma-workspace [notification-daemon]  4:5.21.4-1
ii  system-config-printer                   1.5.14-1
ii  upower                                  0.99.11-2

Versions of packages chromium-sandbox depends on:
ii  libc6  2.31-11

-- Configuration Files:
/etc/chromium.d/default-flags changed [not included]

-- no debconf information



Reply sent to Michel Le Bihan <michel@lebihan.pl>:
You have taken responsibility. (Tue, 20 Apr 2021 12:39:04 GMT)


Notification sent to Sedat Dilek <sedat.dilek@gmail.com>:
Bug acknowledged by developer. (Tue, 20 Apr 2021 12:39:04 GMT)


Message #10 received at 987053-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 987053-close@bugs.debian.org
Subject: Bug#987053: fixed in chromium 90.0.4430.72-1
Date: Tue, 20 Apr 2021 12:34:36 +0000
Source: chromium
Source-Version: 90.0.4430.72-1
Done: Michel Le Bihan <michel@lebihan.pl>

We believe that the bug you reported is fixed in the latest version of
chromium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987053@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michel Le Bihan <michel@lebihan.pl> (supplier of updated chromium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 19 Apr 2021 19:13:47 +0200
Source: chromium
Architecture: source
Version: 90.0.4430.72-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Michel Le Bihan <michel@lebihan.pl>
Closes: 987053
Changes:
 chromium (90.0.4430.72-1) unstable; urgency=medium
 .
   * New upstream security release (closes: #987053).
     - CVE-2021-21201: Use after free in permissions. Reported by Gengming Liu
       and Jianyu Chen when working at Tencent KeenLab
     - CVE-2021-21202: Use after free in extensions. Reported by David Erceg
     - CVE-2021-21203: Use after free in Blink. Reported by asnine
     - CVE-2021-21204: Use after free in Blink. Reported by Chelse Tsai-Simek,
       Jeanette Ulloa, and Emily Voigtlander of Seesaw
     - CVE-2021-21205: Insufficient policy enforcement in navigation. Reported
       by Alison Huffman, Microsoft Browser Vulnerability Research
     - CVE-2021-21221: Insufficient validation of untrusted input in Mojo.
       Reported by Guang Gong of Alpha Lab, Qihoo 360
     - CVE-2021-21207: Use after free in IndexedDB. Reported by koocola
       @alo_cook and Nan Wang @eternalsakura13 of 360 Alpha Lab
     - CVE-2021-21208: Insufficient data validation in QR scanner. Reported by
       Ahmed Elsobky @0xsobky
     - CVE-2021-21209: Inappropriate implementation in storage. Reported by Tom
       Van Goethem @tomvangoethem
     - CVE-2021-21210: Inappropriate implementation in Network. Reported by
       @bananabr
     - CVE-2021-21211: Inappropriate implementation in Navigation. Reported by
       Akash Labade m0ns7er
     - CVE-2021-21212: Incorrect security UI in Network Config UI. Reported by
       Hugo Hue and Sze Yiu Chau of the Chinese University of Hong Kong
     - CVE-2021-21213: Use after free in WebMIDI. Reported by raven
       @raid_akame
     - CVE-2021-21214: Use after free in Network API. Reported by Anonymous
     - CVE-2021-21215: Inappropriate implementation in Autofill. Reported by
       Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research
     - CVE-2021-21216: Inappropriate implementation in Autofill. Reported by
       Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research
     - CVE-2021-21217: Uninitialized Use in PDFium. Reported by Zhou Aiting
       @zhouat1 of Qihoo 360 Vulcan Team
     - CVE-2021-21218: Uninitialized Use in PDFium. Reported by Zhou Aiting
       @zhouat1 of Qihoo 360 Vulcan Team
     - CVE-2021-21219: Uninitialized Use in PDFium. Reported by Zhou Aiting
       @zhouat1 of Qihoo 360 Vulcan Team
Checksums-Sha1:
 1306ee2f2f9540e4032229cd365fe757635e39ce 3639 chromium_90.0.4430.72-1.dsc
 06bae6a43b77f0edc3078111ac0b8af3cd05a2fc 450807884 chromium_90.0.4430.72.orig.tar.xz
 6c0bf6d16db729fc0cd00748babab805d9bd38a3 217160 chromium_90.0.4430.72-1.debian.tar.xz
 84c798e7a6976d3a360d8c924e60014ca2eb2a92 14741 chromium_90.0.4430.72-1_source.buildinfo
Checksums-Sha256:
 43a89bf70f68f91ddc1b06d859dc4f2a9927a54fedab62b2fdc9579205324383 3639 chromium_90.0.4430.72-1.dsc
 6300ae42d40608d253ab8616c2c80ad002ca580e8fe54141b207c024068514bb 450807884 chromium_90.0.4430.72.orig.tar.xz
 3aa09c3ba706b18dc5e52329c27e883b0c0f3814d0e5948d9762764b59552e1a 217160 chromium_90.0.4430.72-1.debian.tar.xz
 1a105c58506e172e80b9c9f194eef430c2a20304ea25e9c43d2ba2b1d15aac64 14741 chromium_90.0.4430.72-1_source.buildinfo
Files:
 0926e3df68edd607b8f72838a93f211f 3639 web optional chromium_90.0.4430.72-1.dsc
 435530a5c2dcff41478285cd5269db28 450807884 web optional chromium_90.0.4430.72.orig.tar.xz
 47d086d78b8767f8f504921cee66c93e 217160 web optional chromium_90.0.4430.72-1.debian.tar.xz
 b299061690bf33fd406fd5c0c6f9b4d7 14741 web optional chromium_90.0.4430.72-1_source.buildinfo


Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Tue, 20 Apr 2021 13:30:03 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 21 08:07:26 2021; Machine Name: bembo