News for package chromium-browser

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 3.0 (quilt)
Source: chromium-browser
Binary: chromium, chromium-l10n, chromium-shell, chromium-widevine, chromium-driver, chromedriver
Architecture: i386 amd64 arm64 armhf all
Version: 66.0.3359.117-1~deb9u1
Maintainer: Debian Chromium Maintainers <pkg-chromium-maint@lists.alioth.debian.org>
Uploaders:  Michael Gilbert <mgilbert@debian.org>, Riku Voipio <riku.voipio@linaro.org>
Homepage: http://www.chromium.org/Home
Standards-Version: 3.9.8
Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-chromium/pkg-chromium.git
Vcs-Git: git://anonscm.debian.org/pkg-chromium/pkg-chromium.git
Build-Depends: debhelper (>= 9), python3, pkg-config, ninja-build, python-jinja2, ca-certificates, wget, flex, yasm, xvfb, wdiff, gperf, bison, valgrind, xz-utils, x11-apps, xfonts-base, libglewmx-dev, libgl1-mesa-dev, libglu1-mesa-dev, libegl1-mesa-dev, libgles2-mesa-dev, mesa-common-dev, libxt-dev, libre2-dev, libgbm-dev, libpng-dev, libxss-dev, libelf-dev, libvpx-dev, libpci-dev, libcap-dev, libdrm-dev, libicu-dev, libffi-dev, libkrb5-dev, libexif-dev, libflac-dev, libudev-dev, libopus-dev, libwebp-dev, libxtst-dev, libsrtp-dev, libjpeg-dev, libxml2-dev, libgtk-3-dev, libgtk2.0-dev, libxslt1-dev, libpulse-dev, libpam0g-dev, libsnappy-dev, libgconf2-dev, libavutil-dev, libavcodec-dev (>= 7:3.0), libavformat-dev, libglib2.0-dev, libasound2-dev, libsqlite3-dev, libjsoncpp-dev, libspeechd-dev (>= 0.8.4), libminizip-dev, libhunspell-dev, libharfbuzz-dev (>= 1.2.7), libusb-1.0-0-dev, libmodpbase64-dev, libgnome-keyring-dev, libnss3-dev (>= 3.12.3), libnspr4-dev (>= 2:4.9), libcups2-dev (>= 1.5.0), libevent-dev (>= 1.4.13), libjs-jquery, libjs-excanvas, libjs-jquery-flot, libgcrypt20-dev, fonts-ipafont-gothic, fonts-ipafont-mincho
Package-List:
 chromedriver deb web optional arch=i386,amd64,arm64,armhf
 chromium deb web optional arch=i386,amd64,arm64,armhf
 chromium-driver deb web optional arch=i386,amd64,arm64,armhf
 chromium-l10n deb localization optional arch=all
 chromium-shell deb web optional arch=i386,amd64,arm64,armhf
 chromium-widevine deb contrib/web optional arch=i386,amd64,arm64,armhf
Checksums-Sha1:
 df0290e15e01e56d209bfbd2d6f47ed15ed21a74 409201024 chromium-browser_66.0.3359.117.orig.tar.xz
 0b438e412430c7c5f9af98952cd65145ea8dfd34 148872 chromium-browser_66.0.3359.117-1~deb9u1.debian.tar.xz
Checksums-Sha256:
 2eec082092a1a6243e57eb3ef832a3d546c98fbc7c1a55447c2d3ee2e65006b1 409201024 chromium-browser_66.0.3359.117.orig.tar.xz
 84a192e118c090ef845c50b2e9aebabfddfc3d150ed320ae7038cb67a2ec914f 148872 chromium-browser_66.0.3359.117-1~deb9u1.debian.tar.xz
Files:
 0af3d1a542e642cf8011ba46ca595a09 409201024 chromium-browser_66.0.3359.117.orig.tar.xz
 8219323bad30990c6414a7bfce499e32 148872 chromium-browser_66.0.3359.117-1~deb9u1.debian.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Changes:
chromium-browser (66.0.3359.117-1~deb9u1) stretch-security; urgency=medium

  * New upstream stable release.
    - CVE-2018-6056: Incorrect derived class instantiation in V8. Reported by
      lokihardt
    - CVE-2018-6057: Incorrect permissions on shared memory. Reported by Gal
      Beniamini
    - CVE-2018-6060: Use after free in Blink. Reported by Omair
    - CVE-2018-6061: Race condition in V8. Reported by Guang Gong
    - CVE-2018-6062: Heap buffer overflow in Skia. Reported by Anonymous
    - CVE-2018-6063: Incorrect permissions on shared memory. Reported by Gal
      Beniamini
    - CVE-2018-6064: Type confusion in V8. Reported by lokihardt
    - CVE-2018-6065: Integer overflow in V8. Reported by Mark Brand
    - CVE-2018-6066: Same Origin Bypass via canvas. Reported by Masato Kinugawa
    - CVE-2018-6067: Buffer overflow in Skia. Reported by Ned Williamson
    - CVE-2018-6068: Object lifecycle issues in Chrome Custom Tab. Reported by
      Luan Herrera
    - CVE-2018-6069: Stack buffer overflow in Skia. Reported by Wanglu &
      Yangkang
    - CVE-2018-6070: CSP bypass through extensions. Reported by Rob Wu
    - CVE-2018-6071: Heap buffer overflow in Skia. Reported by Anonymous
    - CVE-2018-6072: Integer overflow in PDFium. Reported by Atte Kettunen
    - CVE-2018-6073: Heap buffer overflow in WebGL. Reported by Omair
    - CVE-2018-6074: Mark-of-the-Web bypass. Reported by Abdulrahman Alqabandi
    - CVE-2018-6075: Overly permissive cross origin downloads. Reported by Inti
      De Ceukelaire
    - CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink.
      Reported by Mateusz Krzeszowiec
    - CVE-2018-6077: Timing attack using SVG filters. Reported by Khalil Zhani
    - CVE-2018-6078: URL Spoof in OmniBox. Reported by Khalil Zhani
    - CVE-2018-6079: Information disclosure via texture data in WebGL. Reported
      by Ivars Atteka
    - CVE-2018-6080: Information disclosure in IPC call. Reported by Gal
      Beniamini
    - CVE-2018-6081: XSS in interstitials. Reported by Rob Wu
    - CVE-2018-6082: Circumvention of port blocking. Reported by WenXu Wu
    - CVE-2018-6083: Incorrect processing of AppManifests. Reported by Jun
      Kokatsu
    - CVE-2018-6085: Use after free in Disk Cache. Reported by Ned Williamson
    - CVE-2018-6086: Use after free in Disk Cache. Reported by Ned Williamson
    - CVE-2018-6087: Use after free in WebAssembly. Reported by Anonymous
    - CVE-2018-6088: Use after free in PDFium. Reported by Anonymous
    - CVE-2018-6089: Same origin policy bypass in Service Worker. Reported by
      Rob Wu
    - CVE-2018-6090: Heap buffer overflow in Skia. Reported by ZhanJia Song
    - CVE-2018-6091: Incorrect handling of plug-ins by Service Worker.
      Reported by Jun Kokatsu
    - CVE-2018-6092: Integer overflow in WebAssembly. Reported by Natalie
      Silvanovich
    - CVE-2018-6093: Same origin bypass in Service Worker. Reported by Jun
      Kokatsu
    - CVE-2018-6094: Exploit hardening regression in Oilpan. Reported by Chris
      Rohlf
    - CVE-2018-6095: Lack of meaningful user interaction requirement before
      file upload. Reported by Abdulrahman Alqabandi
    - CVE-2018-6096: Fullscreen UI spoof. Reported by WenXu Wu
    - CVE-2018-6097: Fullscreen UI spoof. Reported by xisigr
    - CVE-2018-6098: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6099: CORS bypass in ServiceWorker. Reported by Jun Kokatsu
    - CVE-2018-6100: URL spoof in Omnibox. Reported by Lnyas Zhang
    - CVE-2018-6101: Insufficient protection of remote debugging protocol in
      DevTools. Reported by Rob Wu
    - CVE-2018-6102: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6103: UI spoof in Permissions. Reported by Khalil Zhani
    - CVE-2018-6104: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6105: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6106: Incorrect handling of promises in V8. Reported by
      lokihardt
    - CVE-2018-6107: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6108: URL spoof in Omnibox. Reported by Khalil Zhani
    - CVE-2018-6109: Incorrect handling of files by FileAPI. Reported by
      Dominik Weber
    - CVE-2018-6110: Incorrect handling of plaintext files via file:// .
      Reported by Wenxiang Qian
    - CVE-2018-6111: Heap-use-after-free in DevTools. Reported by Khalil Zhani
    - CVE-2018-6112: Incorrect URL handling in DevTools. Reported by Rob Wu
    - CVE-2018-6113: URL spoof in Navigation. Reported by Khalil Zhani
    - CVE-2018-6114: CSP bypass. Reported by Lnyas Zhang
    - CVE-2018-6115: SmartScreen bypass in downloads. Reported by James Feher
    - CVE-2018-6116: Incorrect low memory handling in WebAssembly. Reported by
      Chengdu Security Response Center
    - CVE-2018-6117: Confusing autofill settings. Reported by Spencer Dailey

 -- Michael Gilbert <mgilbert@debian.org>  Wed, 25 Apr 2018 23:48:58 +0000