From the www.h-online.com site ... The Stable channel update fixes a total of five "high-risk" bugs: a heap overflow in the Ogg Vorbis decoder, a double free issue in the Theora decoder and a memory corruption regression in VP8 decoding, as well as a use-after-free error and a buffer overflow in shader variable mapping. Two medium-risk out-of-bounds reads in MKV and Ogg Vorbis media handlers, and a low-risk issue that caused JRE7 to fail to ask for permission to run applets have also been fixed. Further details of the vulnerabilities are being withheld until "a majority of users are up-to-date with the fix".
Hi, thanks for reporting this bug. Assigned to the package maintainer.
Keywords: (none) => Triaged
Assignee: bugsquad => dmorganec
Just pushed in update_testing. Please test.
Thanks, reassigning to the QA.
CC: (none) => dmorganec
Assignee: dmorganec => qa-bugs
No PoC for the security bugs, so just testing that the program "works".

Testing complete on i586 for the srpm
chromium-browser-stable-15.0.874.120-0.1.mga1.src.rpm

Testing done with
http://www.adobe.com/software/flash/about/
http://javatester.org/version.html
youtube.com, and some general browsing.
Still waiting for x86-64 testing.

Note that 15.0.874.121 was released today for a high-risk out-of-bounds write vulnerability in the V8 JavaScript engine.
http://www.h-online.com/security/news/item/Chrome-15-update-fixes-high-risk-vulnerability-1380555.html

Should we skip pushing this update and wait for the 121 version?
I think yes, this will avoid having to do a new update in some days. I will take care of this update.
Tested on Mageia release 1 (Official) for x86_64, for me it's OK. Nothing to report, everything seems to work very well.
CC: (none) => geiger.david68210
Any news?
Assignee: qa-bugs => dmorganec
Sorry. Validating the update.

Could someone from the sysadmin team push the srpm
chromium-browser-stable-15.0.874.120-0.1.mga1.src.rpm
from Core Updates Testing to Core Updates

Advisory:
This security update for chromium-browser fixes a total of five "high-risk" bugs: a heap overflow in the Ogg Vorbis decoder, a double free issue in the Theora decoder and a memory corruption regression in VP8 decoding, as well as a use-after-free error and a buffer overflow in shader variable mapping. Two medium-risk out-of-bounds reads in MKV and Ogg Vorbis media handlers, and a low-risk issue that caused JRE7 to fail to ask for permission to run applets have also been fixed. Further details of the vulnerabilities are being withheld until "a majority of users are up-to-date with the fix".

https://bugs.mageia.org/show_bug.cgi?id=3321
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
I was asking for

(In reply to comment #6)
> I think yes, this will avoid having to do a new update in some days.
>
> I will take care of this update.

but well, let's go for the update.
Assignee: dmorganec => qa-bugs
Ummm, comment 5 stated that a 15.0.874.121 with a high-risk fix was released, and comment 6 stated it will be done in a few days... but then comment 9 states to push the .120 one... ... confused ...
CC: (none) => tmb
Please push .120, I have some stuff to finish and I will work on 121. I would not like to see this sec update delayed for too long.
Update pushed.
Status: NEW => RESOLVED
Resolution: (none) => FIXED