chromium: 88.0.4324.96 stable release

Debian Bug report logs - #980564


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 20 Jan 2021 16:15:01 UTC

Severity: grave

Tags: security, upstream

Found in versions chromium/87.0.4280.141-0.1~deb10u1, chromium/87.0.4280.141-0.1

Fixed in version chromium/88.0.4324.96-0.1

Done: Michel Le Bihan <michel@lebihan.pl>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Chromium Team <chromium@packages.debian.org>:
Bug#980564; Package src:chromium. (Wed, 20 Jan 2021 16:15:03 GMT).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Chromium Team <chromium@packages.debian.org>. (Wed, 20 Jan 2021 16:15:03 GMT).


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: chromium: 88.0.4324.96 stable release
Date: Wed, 20 Jan 2021 17:13:12 +0100
Source: chromium
Version: 87.0.4280.141-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi

For details please see
https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop_19.html
covering again a couple of critical and high rated issues.

Regards,
Salvatore



Marked as found in versions chromium/87.0.4280.141-0.1~deb10u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 20 Jan 2021 16:18:05 GMT).


Reply sent to Michel Le Bihan <michel@lebihan.pl>:
You have taken responsibility. (Thu, 21 Jan 2021 23:39:05 GMT).


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 21 Jan 2021 23:39:05 GMT).


Message #12 received at 980564-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 980564-close@bugs.debian.org
Subject: Bug#980564: fixed in chromium 88.0.4324.96-0.1
Date: Thu, 21 Jan 2021 23:34:38 +0000
Source: chromium
Source-Version: 88.0.4324.96-0.1
Done: Michel Le Bihan <michel@lebihan.pl>

We believe that the bug you reported is fixed in the latest version of
chromium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 980564@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michel Le Bihan <michel@lebihan.pl> (supplier of updated chromium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 20 Jan 2021 23:23:08 +0100
Source: chromium
Architecture: source
Version: 88.0.4324.96-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Michel Le Bihan <michel@lebihan.pl>
Closes: 980564
Changes:
 chromium (88.0.4324.96-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream stable release (closes: 980564).
     - CVE-2021-21117: Insufficient policy enforcement in Cryptohome. Reported
       by Rory McNamara
     - CVE-2021-21118: Insufficient data validation in V8. Reported by Tyler
       Nighswander @tylerni7 of Theori
     - CVE-2021-21119: Use after free in Media. Reported by Anonymous
     - CVE-2021-21120: Use after free in WebSQL. Reported by Nan Wang
       @eternalsakura13 and Guang Gong of 360 Alpha Lab
     - CVE-2021-21121: Use after free in Omnibox. Reported by Leecraso and Guang
       Gong of 360 Alpha Lab
     - CVE-2021-21122: Use after free in Blink. Reported by Renata Hodovan
     - CVE-2021-21123: Insufficient data validation in File System API. Reported
       by Maciej Pulikowski
     - CVE-2021-21124: Potential use after free in Speech Recognizer. Reported
       by Chaoyang Ding(@V4kst1z) from Codesafe Team of Legendsec at Qi'anxin
       Group
     - CVE-2021-21125: Insufficient policy enforcement in File System API.
       Reported by Ron Masas
     - CVE-2020-16044: Use after free in WebRTC. Reported by Ned Williamson of
       Project Zero
     - CVE-2021-21126: Insufficient policy enforcement in extensions. Reported
       by David Erceg
     - CVE-2021-21127: Insufficient policy enforcement in extensions. Reported
       by Jasminder Pal Singh, Web Services Point WSP, Kotkapura
     - CVE-2021-21128: Heap buffer overflow in Blink. Reported by Liang Dong
     - CVE-2021-21129: Insufficient policy enforcement in File System API.
       Reported by Maciej Pulikowski
     - CVE-2021-21130: Insufficient policy enforcement in File System API.
       Reported by Maciej Pulikowski
     - CVE-2021-21131: Insufficient policy enforcement in File System API.
       Reported by Maciej Pulikowski
     - CVE-2021-21132: Inappropriate implementation in DevTools. Reported by
       David Erceg
     - CVE-2021-21133: Insufficient policy enforcement in Downloads. Reported by
       wester0x01
     - CVE-2021-21134: Incorrect security UI in Page Info. Reported by
       wester0x01
     - CVE-2021-21135: Inappropriate implementation in Performance API. Reported
       by ndevtk
     - CVE-2021-21136: Insufficient policy enforcement in WebView. Reported by
       Shiv Sahni, Movnavinothan V and Imdad Mohammed
     - CVE-2021-21137: Inappropriate implementation in DevTools. Reported by
       bobblybear
     - CVE-2021-21138: Use after free in DevTools. Reported by Weipeng Jiang
       @Krace from Codesafe Team of Legendsec at Qi'anxin Group
     - CVE-2021-21139: Inappropriate implementation in iframe sandbox. Reported
       by Jun Kokatsu, Microsoft Browser Vulnerability Research
     - CVE-2021-21140: Uninitialized Use in USB. Reported by David Manouchehri
     - CVE-2021-21141: Insufficient policy enforcement in File System API.
       Reported by Maciej Pulikowski
 .
   [ Jan Luca Naumann ]
   * Add watch file.
 .
   [ Mattia Rizzolo ]
   * Change get-orig-source to produce reproducible tarballs.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Jan 25 07:20:11 2021; Machine Name: buxtehude
