chromium: Update to version 90.0.4430.85 (security-fixes)

Related Vulnerabilities: CVE-2021-21222, CVE-2021-21223, CVE-2021-21224, CVE-2021-21225, CVE-2021-21226

Debian Bug report logs - #987358

Reported by: Sedat Dilek <sedat.dilek@gmail.com>

Date: Thu, 22 Apr 2021 09:45:01 UTC

Severity: grave

Tags: security

Found in version chromium/90.0.4430.72-1

Fixed in version chromium/90.0.4430.85-1

Done: Michel Le Bihan <michel@lebihan.pl>



Report forwarded to debian-bugs-dist@lists.debian.org, sedat.dilek@gmail.com, Debian Chromium Team <chromium@packages.debian.org>:
Bug#987358; Package chromium. (Thu, 22 Apr 2021 09:45:03 GMT)


Acknowledgement sent to Sedat Dilek <sedat.dilek@gmail.com>:
New Bug report received and forwarded. Copy sent to sedat.dilek@gmail.com, Debian Chromium Team <chromium@packages.debian.org>. (Thu, 22 Apr 2021 09:45:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Sedat Dilek <sedat.dilek@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: chromium: Update to version 90.0.4430.85 (security-fixes)
Date: Thu, 22 Apr 2021 11:40:38 +0200
Package: chromium
Version: 90.0.4430.72-1
Severity: normal
X-Debbugs-Cc: sedat.dilek@gmail.com

Dear Maintainer,

Just today I upgraded Debian's chromium to version 90.0.4430.72-1.
Thanks.

With today's dist-upgrade I also see:

google-chrome-stable (90.0.4430.72-1 => 90.0.4430.85-1)

So, again a new google-chrome-stable with "open issues" according to Debian's security-tracker, see [1].

The link in [2] lists the following 5 CVEs with "High" and a brief description:

[$TBD][1194046] High CVE-2021-21222: Heap buffer overflow in V8. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-03-30

[$TBD][1195308] High CVE-2021-21223: Integer overflow in Mojo. Reported by Guang Gong of Alpha Lab, Qihoo 360 on 2021-04-02

[$TBD][1195777] High CVE-2021-21224: Type Confusion in V8. Reported by Jose Martinez (tr0y4) from VerSprite Inc. on 2021-04-05

[$TBD][1195977] High CVE-2021-21225: Out of bounds memory access in V8. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-05

[$TBD][1197904] High CVE-2021-21226: Use after free in navigation. Reported by Brendon Tiszka (@btiszka) supporting the EFF on 2021-04-11

Please, upgrade Debian's chromium to version 90.0.4430.85.
Thanks.

Regards,
- Sedat -

[1] https://security-tracker.debian.org/tracker/source-package/chromium
[2] https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_20.html
[3] https://www.heise.de/news/Webbrowser-Chrome-erneut-im-Visier-von-Angreifern-6024209.html (German)

-- System Information:
Debian Release: 11.0
  APT prefers testing-security
  APT policy: (500, 'testing-security'), (500, 'testing'), (99, 'buildd-unstable'), (99, 'buildd-experimental'), (99, 'experimental'), (99, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.12.0-rc8-1-amd64-clang12-lto (SMP w/4 CPU threads)
Kernel taint flags: TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages chromium depends on:
ii  chromium-common     90.0.4430.72-1
ii  libasound2          1.2.4-1.1
ii  libatk-bridge2.0-0  2.38.0-1
ii  libatk1.0-0         2.36.0-2
ii  libatomic1          10.2.1-6
ii  libatspi2.0-0       2.38.0-2
ii  libavcodec58        7:4.3.2-0+deb11u1
ii  libavformat58       7:4.3.2-0+deb11u1
ii  libavutil56         7:4.3.2-0+deb11u1
ii  libc6               2.31-11
ii  libcairo2           1.16.0-5
ii  libcups2            2.3.3op2-3
ii  libdbus-1-3         1.12.20-2
ii  libdrm2             2.4.104-1
ii  libevent-2.1-7      2.1.12-stable-1
ii  libexpat1           2.2.10-2
ii  libflac8            1.3.3-2
ii  libfontconfig1      2.13.1-4.2
ii  libfreetype6        2.10.4+dfsg-1
ii  libgbm1             20.3.5-1
ii  libgcc-s1           10.2.1-6
ii  libglib2.0-0        2.66.8-1
ii  libgtk-3-0          3.24.24-3
ii  libharfbuzz0b       2.7.4-1
ii  libicu67            67.1-6
ii  libjpeg62-turbo     1:2.0.6-4
ii  libjsoncpp24        1.9.4-4
ii  liblcms2-2          2.12~rc1-2
ii  libminizip1         1.1-8+b1
ii  libnspr4            2:4.29-1
ii  libnss3             2:3.63-1
ii  libopenjp2-7        2.4.0-3
ii  libopus0            1.3.1-0.1
ii  libpango-1.0-0      1.46.2-3
ii  libpng16-16         1.6.37-3
ii  libpulse0           14.2-2
ii  libre2-9            20210201+dfsg-1
ii  libsnappy1v5        1.1.8-1
ii  libstdc++6          10.2.1-6
ii  libvpx6             1.9.0-1
ii  libwebp6            0.6.1-2+b1
ii  libwebpdemux2       0.6.1-2+b1
ii  libwebpmux3         0.6.1-2+b1
ii  libx11-6            2:1.7.0-2
ii  libxcb1             1.14-3
ii  libxcomposite1      1:0.4.5-1
ii  libxdamage1         1:1.1.5-2
ii  libxext6            2:1.3.3-1.1
ii  libxfixes3          1:5.0.3-2
ii  libxml2             2.9.10+dfsg-6.3+b1
ii  libxrandr2          2:1.5.1-1
ii  libxshmfence1       1.3-1
ii  libxslt1.1          1.1.34-4
ii  zlib1g              1:1.2.11.dfsg-2

Versions of packages chromium recommends:
ii  chromium-sandbox  90.0.4430.72-1

Versions of packages chromium suggests:
pn  chromium-driver  <none>
ii  chromium-l10n    90.0.4430.72-1
pn  chromium-shell   <none>

Versions of packages chromium-common depends on:
ii  libc6       2.31-11
ii  libstdc++6  10.2.1-6
ii  libx11-6    2:1.7.0-2
ii  libxext6    2:1.3.3-1.1
ii  x11-utils   7.7+5
ii  xdg-utils   1.1.3-4
ii  zlib1g      1:1.2.11.dfsg-2

Versions of packages chromium-common recommends:
ii  chromium-sandbox                        90.0.4430.72-1
ii  fonts-liberation                        1:1.07.4-11
ii  gnome-shell [notification-daemon]       3.38.4-1
ii  libgl1-mesa-dri                         20.3.5-1
ii  libu2f-udev                             1.1.10-3
ii  notification-daemon                     3.20.0-4
ii  plasma-workspace [notification-daemon]  4:5.21.4-1
ii  system-config-printer                   1.5.14-1
ii  upower                                  0.99.11-2

Versions of packages chromium-sandbox depends on:
ii  libc6  2.31-11

-- Configuration Files:
/etc/chromium.d/default-flags changed [not included]

-- no debconf information



Reply sent to Michel Le Bihan <michel@lebihan.pl>:
You have taken responsibility. (Thu, 22 Apr 2021 18:09:16 GMT)


Notification sent to Sedat Dilek <sedat.dilek@gmail.com>:
Bug acknowledged by developer. (Thu, 22 Apr 2021 18:09:16 GMT)


Message #10 received at 987358-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 987358-close@bugs.debian.org
Subject: Bug#987358: fixed in chromium 90.0.4430.85-1
Date: Thu, 22 Apr 2021 18:05:03 +0000
Source: chromium
Source-Version: 90.0.4430.85-1
Done: Michel Le Bihan <michel@lebihan.pl>

We believe that the bug you reported is fixed in the latest version of
chromium, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 987358@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michel Le Bihan <michel@lebihan.pl> (supplier of updated chromium package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Thu, 22 Apr 2021 13:01:41 +0200
Source: chromium
Architecture: source
Version: 90.0.4430.85-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Michel Le Bihan <michel@lebihan.pl>
Closes: 987358
Changes:
 chromium (90.0.4430.85-1) unstable; urgency=medium
 .
   * New upstream security release (closes: #987358).
     - CVE-2021-21222: Heap buffer overflow in V8. Reported by Guang Gong of
       Alpha Lab, Qihoo 360
     - CVE-2021-21223: Integer overflow in Mojo. Reported by Guang Gong of Alpha
       Lab, Qihoo 360
     - CVE-2021-21224: Type Confusion in V8. Reported by Jose Martinez tr0y4
       from VerSprite Inc.
     - CVE-2021-21225: Out of bounds memory access in V8. Reported by Brendon
       Tiszka @btiszka supporting the EFF
     - CVE-2021-21226: Use after free in navigation. Reported by Brendon Tiszka
       @btiszka supporting the EFF




Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 22 Apr 2021 18:18:02 GMT)


Severity set to 'grave' from 'normal'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 22 Apr 2021 18:18:03 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 23 08:07:03 2021; Machine Name: bembo
