Bug 16190 - chromium-browser-stable new security issues fixed in 43.0.2357.130
Summary: chromium-browser-stable new security issues fixed in 43.0.2357.130
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/649372/
Whiteboard: MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-06-23 22:28 CEST by David Walser
Modified: 2015-07-05 19:23 CEST

See Also:
Source RPM: chromium-browser-stable-43.0.2357.65-1.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2015-06-23 22:28:11 CEST
Upstream has released version 43.0.2357.130 on June 23:
http://googlechromereleases.blogspot.com/2015/06/chrome-stable-update.html

This fixes several new security issues.

This is the current version in the stable channel:
http://googlechromereleases.blogspot.com/search/label/Stable%20updates

David Walser 2015-06-23 22:28:42 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

Comment 1 David Walser 2015-06-25 18:07:06 CEST
chromium-browser-stable-43.0.2357.130-1.mga6 uploaded for Cauldron.

Version: Cauldron => 5
Whiteboard: MGA5TOO, MGA4TOO => MGA4TOO

Comment 2 David Walser 2015-06-25 18:07:36 CEST
Red Hat has issued an advisory for this today (June 25):
https://rhn.redhat.com/errata/RHSA-2015-1188.html

URL: (none) => http://lwn.net/Vulnerabilities/649372/

Comment 3 Christiaan Welvaart 2015-06-26 04:45:31 CEST
Updated packages are ready for testing:

MGA4
SRPM:
chromium-browser-stable-43.0.2357.130-1.mga4.src.rpm
RPMS:
chromium-browser-stable-43.0.2357.130-1.mga4.i586.rpm
chromium-browser-43.0.2357.130-1.mga4.i586.rpm
chromium-browser-stable-43.0.2357.130-1.mga4.x86_64.rpm
chromium-browser-43.0.2357.130-1.mga4.x86_64.rpm

MGA5
SRPM:
chromium-browser-stable-43.0.2357.130-1.mga5.src.rpm
RPMS:
chromium-browser-stable-43.0.2357.130-1.mga5.i586.rpm
chromium-browser-43.0.2357.130-1.mga5.i586.rpm
chromium-browser-stable-43.0.2357.130-1.mga5.x86_64.rpm
chromium-browser-43.0.2357.130-1.mga5.x86_64.rpm


Proposed advisory:


Chromium-browser 43.0.2357.130 fixes the following security issues:

A scheme validation error in WebUI (CVE-2015-1266).

Two cross-origin bypass issues in Blink (CVE-2015-1267, CVE-2015-1268).

A normalization error in the HSTS/HPKP preload list (CVE-2015-1269).

This update also disables the automatic, silent downloading and installation of "external components" like the hotword extension.


References:
http://googlechromereleases.blogspot.com/2015/06/chrome-stable-update.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1266
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1267
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1268
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1269
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=786909

CC: (none) => cjw
Assignee: cjw => qa-bugs

Comment 4 Shlomi Fish 2015-06-27 15:57:25 CEST
Tested on an MGA5-i586 VM - everything seems fine.

CC: (none) => shlomif
Whiteboard: MGA4TOO => MGA4TOO MGA5-32-OK

Comment 5 Shlomi Fish 2015-06-27 16:03:50 CEST
Tested on an x86-64 MGA4 VM - everything seems fine in the new chromium.

Whiteboard: MGA4TOO MGA5-32-OK => MGA4TOO MGA5-32-OK MGA4-64-OK

Comment 6 Shlomi Fish 2015-06-27 16:09:46 CEST
Adding MGA4-32-OK because it tested OK on a Mageia 4 i586 VM.

Whiteboard: MGA4TOO MGA5-32-OK MGA4-64-OK => MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK

Comment 7 Shlomi Fish 2015-06-27 16:16:06 CEST
MGA5-64-OK'ing it.

Whiteboard: MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK => MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK

Comment 8 Dave Hodgins 2015-07-01 01:38:31 CEST
Advisory committed to svn.

Someone from the sysadmin team please push 16190.adv to updates for Mageia 4 and 5.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK => MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 9 David Walser 2015-07-01 16:20:50 CEST
Advisory is missing from SVN.

Whiteboard: MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK advisory => MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK

Comment 10 Dave Hodgins 2015-07-01 22:53:42 CEST
Sorry, forgot to run the svn add before the svn ci.

It's there now.

Whiteboard: MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK => MGA4TOO MGA5-32-OK MGA4-64-OK MGA4-32-OK MGA5-64-OK advisory

Comment 11 Mageia Robot 2015-07-05 19:23:40 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0265.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

