Your message dated Sun, 20 Dec 2020 17:34:39 +0000
with message-id <e1kr2bp-0002pg...@fasolo.debian.org>
and subject line Bug#973848: fixed in chromium 87.0.4280.88-0.1
has caused the Debian Bug report #973848,
regarding chromium: Unsupported version, many security bugs unfixed
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
973848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=973848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: chromium
Version: 83.0.4103.116-3.1
Severity: important
Dear Maintainer,
Version 83.x of chromium became unsupported in July, with the release of
Chrome 84. Since that time, two more versions of chromium have been
released, 85.x and 86.x, each with 40-50 security bugs fixed. This has
me pretty worried about using chromium for day-to-day work.
Andreas
-- System Information:
Debian Release: bullseye/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable-debug'), (500,
'stable-updates'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 5.9.0-1-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages chromium depends on:
ii chromium-common 83.0.4103.116-3.1
ii libasound2 1.2.3.2-1
ii libatk-bridge2.0-0 2.38.0-1
ii libatk1.0-0 2.36.0-2
ii libatspi2.0-0 2.38.0-2
ii libavcodec58 7:4.3.1-5
ii libavformat58 7:4.3.1-5
ii libavutil56 7:4.3.1-5
ii libc6 2.31-4
ii libcairo2 1.16.0-4
ii libcups2 2.3.3-3
ii libdbus-1-3 1.13.12-2
ii libdrm2 2.4.102-1
ii libevent-2.1-7 2.1.12-stable-1
ii libexpat1 2.2.10-1
ii libflac8 1.3.3-1
ii libfontconfig1 2.13.1-4.2
ii libfreetype6 2.10.2+dfsg-4
ii libgbm1 20.2.1-1
ii libgcc-s1 10.2.0-16
ii libgdk-pixbuf2.0-0 2.40.0+dfsg-5
ii libglib2.0-0 2.66.2-1
ii libgtk-3-0 3.24.23-2
ii libharfbuzz0b 2.6.7-1
ii libicu67 67.1-4
ii libjpeg62-turbo 1:2.0.5-1.1
ii libjsoncpp1 1.7.4-3.1
ii liblcms2-2 2.9-4+b1
ii libminizip1 1.1-8+b1
ii libnspr4 2:4.29-1
ii libnss3 2:3.58-1
ii libopenjp2-7 2.3.1-1
ii libopus0 1.3.1-0.1
ii libpango-1.0-0 1.46.2-2
ii libpangocairo-1.0-0 1.46.2-2
ii libpng16-16 1.6.37-3
ii libpulse0 13.0-5
ii libre2-8 20201001+dfsg-1
ii libsnappy1v5 1.1.8-1
ii libstdc++6 10.2.0-16
ii libvpx6 1.8.2-1
ii libwebp6 0.6.1-2+b1
ii libwebpdemux2 0.6.1-2+b1
ii libwebpmux3 0.6.1-2+b1
ii libx11-6 2:1.6.12-1
ii libx11-xcb1 2:1.6.12-1
ii libxcb-dri3-0 1.14-2
ii libxcb1 1.14-2
ii libxcomposite1 1:0.4.5-1
ii libxcursor1 1:1.2.0-2
ii libxdamage1 1:1.1.5-2
ii libxext6 2:1.3.3-1+b2
ii libxfixes3 1:5.0.3-2
ii libxi6 2:1.7.10-1
ii libxml2 2.9.10+dfsg-6.1
ii libxrandr2 2:1.5.1-1
ii libxrender1 1:0.9.10-1
ii libxslt1.1 1.1.34-4
ii libxss1 1:1.2.3-1
ii libxtst6 2:1.2.3-1
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages chromium recommends:
ii chromium-sandbox 83.0.4103.116-3.1
Versions of packages chromium suggests:
ii chromium-driver 83.0.4103.116-3.1
ii chromium-l10n 83.0.4103.116-3.1
pn chromium-shell <none>
Versions of packages chromium-common depends on:
ii x11-utils 7.7+5
ii xdg-utils 1.1.3-2
Versions of packages chromium-common recommends:
ii chromium-sandbox 83.0.4103.116-3.1
ii fonts-liberation 1:1.07.4-11
ii gnome-shell [notification-daemon] 3.38.1-1
ii libgl1-mesa-dri 20.2.1-1
ii libu2f-udev 1.1.10-1.1
ii notification-daemon 3.20.0-4
ii system-config-printer 1.5.12-1
ii upower 0.99.11-2
Versions of packages chromium-driver depends on:
ii libc6 2.31-4
ii libevent-2.1-7 2.1.12-stable-1
ii libglib2.0-0 2.66.2-1
ii libicu67 67.1-4
ii libminizip1 1.1-8+b1
ii libnspr4 2:4.29-1
ii libnss3 2:3.58-1
ii libre2-8 20201001+dfsg-1
ii libstdc++6 10.2.0-16
ii libx11-6 2:1.6.12-1
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages chromium-sandbox depends on:
ii libc6 2.31-4
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: chromium
Source-Version: 87.0.4280.88-0.1
Done: Michel Le Bihan <mic...@lebihan.pl>
We believe that the bug you reported is fixed in the latest version of
chromium, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 973...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michel Le Bihan <mic...@lebihan.pl> (supplier of updated chromium package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 01 Dec 2020 00:00:00 +0000
Source: chromium
Architecture: source
Version: 87.0.4280.88-0.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Chromium Team <chrom...@packages.debian.org>
Changed-By: Michel Le Bihan <mic...@lebihan.pl>
Closes: 973848
Changes:
chromium (87.0.4280.88-0.1) unstable; urgency=medium
.
* Non-maintainer upload.
* New upstream stable release (closes: 973848).
- CVE-2020-16037: Use after free in clipboard. Reported by Ryoya Tsukasaki
- CVE-2020-16038: Use after free in media. Reported by Khalil Zhani
- CVE-2020-16039: Use after free in extensions. Reported by Anonymous
- CVE-2020-16040: Insufficient data validation in V8. Reported by Lucas
Pinheiro, Microsoft Browser Vulnerability Research
- CVE-2020-16041: Out of bounds read in networking. Reported by Sergei
Glazunov and Mark Brand of Google Project Zero
- CVE-2020-16042: Uninitialized Use in V8. Reported by André Bargull
- CVE-2020-16018: Use after free in payments. Reported by Man Yue Mo of
GitHub Security Lab
- CVE-2020-16019: Inappropriate implementation in filesystem. Reported by
Rory McNamara
- CVE-2020-16020: Inappropriate implementation in cryptohome. Reported by
Rory McNamara
- CVE-2020-16021: Race in ImageBurner. Reported by Rory McNamara
- CVE-2020-16022: Insufficient policy enforcement in networking. Reported
by @SamyKamkar
- CVE-2020-16015: Insufficient data validation in WASM. Reported by Rong
Jian and Leecraso of 360 Alpha Lab
- CVE-2020-16014: Use after free in PPAPI. Reported by Rong Jian and
Leecraso of 360 Alpha Lab
- CVE-2020-16023: Use after free in WebCodecs. Reported by Brendon Tiszka
and David Manouchehri supporting the @eff
- CVE-2020-16024: Heap buffer overflow in UI. Reported by Sergei Glazunov
of Google Project Zero
- CVE-2020-16025: Heap buffer overflow in clipboard. Reported by Sergei
Glazunov of Google Project Zero
- CVE-2020-16026: Use after free in WebRTC. Reported by Jong-Gwon Kim
- CVE-2020-16027: Insufficient policy enforcement in developer tools.
Reported by David Erceg
- CVE-2020-16028: Heap buffer overflow in WebRTC. Reported by asnine
- CVE-2020-16029: Inappropriate implementation in PDFium. Reported by
Anonymous
- CVE-2020-16030: Insufficient data validation in Blink. Reported by Michał
Bentkowski of Securitum
- CVE-2019-8075: Insufficient data validation in Flash. Reported by
Nethanel Gelernter, Cyberpion
- CVE-2020-16031: Incorrect security UI in tab preview. Reported by
wester0x01
- CVE-2020-16032: Incorrect security UI in sharing. Reported by wester0x01
- CVE-2020-16033: Incorrect security UI in WebUSB. Reported by Khalil Zhani
- CVE-2020-16034: Inappropriate implementation in WebRTC. Reported by
Benjamin Petermaier
- CVE-2020-16035: Insufficient data validation in cros-disks. Reported by
Rory McNamara
- CVE-2020-16012: Side-channel information leakage in graphics. Reported by
Aleksejs Popovs
- CVE-2020-16036: Inappropriate implementation in cookies. Reported by Jun
Kokatsu @shhnjk
- CVE-2020-16013: Inappropriate implementation in V8. Reported by Anonymous
- CVE-2020-16017: Use after free in site isolation. Reported by Anonymous
- CVE-2020-16016: Inappropriate implementation in base. Reported by Rong
Jian and Leecraso of 360 Alpha Lab
- CVE-2020-16004: Use after free in user interface. Reported by Leecraso
and Guang Gong of 360 Alpha Lab working with 360 BugCloud
- CVE-2020-16005: Insufficient policy enforcement in ANGLE. Reported by
Jaehun Jeong @n3sk of Theori
- CVE-2020-16006: Inappropriate implementation in V8. Reported by Bill
Parks
- CVE-2020-16007: Insufficient data validation in installer. Reported by
Abdelhamid Naceri
- CVE-2020-16008: Stack buffer overflow in WebRTC. Reported by Tolya
Korniltsev
- CVE-2020-16009: Inappropriate implementation in V8. Reported by Clement
Lecigne of Google's Threat Analysis Group and Samuel Groß of Google
Project Zero
- CVE-2020-16011: Heap buffer overflow in UI on Windows. Reported by Sergei
Glazunov of Google Project Zero
- CVE-2020-16000: Inappropriate implementation in Blink. Reported by
amaebi_jp
- CVE-2020-16001: Use after free in media. Reported by Khalil Zhani
- CVE-2020-16002: Use after free in PDFium. Reported by Weipeng Jiang from
Codesafe Team of Legendsec at Qi'anxin Group
- CVE-2020-15999: Heap buffer overflow in Freetype. Reported by Sergei
Glazunov of Google Project Zero
- CVE-2020-16003: Use after free in printing. Reported by Khalil Zhani
- CVE-2020-15967: Use after free in payments. Reported by Man Yue Mo of
GitHub Security Lab
- CVE-2020-15968: Use after free in Blink. Reported by Anonymous
- CVE-2020-15969: Use after free in WebRTC. Reported by Anonymous
- CVE-2020-15970: Use after free in NFC. Reported by Man Yue Mo of GitHub
Security Lab
- CVE-2020-15971: Use after free in printing. Reported by Jun Kokatsu,
Microsoft Browser Vulnerability Research
- CVE-2020-15972: Use after free in audio. Reported by Anonymous
- CVE-2020-15990: Use after free in autofill. Reported by Rong Jian and
Guang Gong of Alpha Lab, Qihoo 360
- CVE-2020-15991: Use after free in password manager. Reported by Rong Jian
and Guang Gong of Alpha Lab, Qihoo 360
- CVE-2020-15973: Insufficient policy enforcement in extensions. Reported
by David Erceg
- CVE-2020-15974: Integer overflow in Blink. Reported by Juno Im of Theori
- CVE-2020-15975: Integer overflow in SwiftShader. Reported by Anonymous
- CVE-2020-15976: Use after free in WebXR. Reported by YoungJoo Lee
@ashuu_lee of Raon Whitehat
- CVE-2020-6557: Inappropriate implementation in networking. Reported by
Matthias Gierlings and Marcus Brinkmann
- CVE-2020-15977: Insufficient data validation in dialogs. Reported by
Narendra Bhati
- CVE-2020-15978: Insufficient data validation in navigation. Reported by
Luan Herrera @lbherrera_
- CVE-2020-15979: Inappropriate implementation in V8. Reported by Avihay
Cohen @ SeraphicAlgorithms
- CVE-2020-15980: Insufficient policy enforcement in Intents. Reported by
Yongke Wang @Rudykewang and Aryb1n @aryb1n of Tencent Security Xuanwu Lab
- CVE-2020-15981: Out of bounds read in audio. Reported by Christoph
Guttandin
- CVE-2020-15982: Side-channel information leakage in cache. Reported by
Luan Herrera @lbherrera_
- CVE-2020-15983: Insufficient data validation in webUI. Reported by Jun
Kokatsu, Microsoft Browser Vulnerability Research
- CVE-2020-15984: Insufficient policy enforcement in Omnibox. Reported by
Rayyan Bijoora
- CVE-2020-15985: Inappropriate implementation in Blink. Reported by
Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research
- CVE-2020-15986: Integer overflow in media. Reported by Mark Brand of
Google Project Zero
- CVE-2020-15987: Use after free in WebRTC. Reported by Philipp Hancke
- CVE-2020-15992: Insufficient policy enforcement in networking. Reported
by Alison Huffman, Microsoft Browser Vulnerability Research
- CVE-2020-15988: Insufficient policy enforcement in downloads. Reported by
Samuel Attard
- CVE-2020-15989: Uninitialized Use in PDFium. Reported by Gareth Evans
- CVE-2020-15960: Out of bounds read in storage. Reported by Anonymous
- CVE-2020-15961: Insufficient policy enforcement in extensions. Reported
by David Erceg
- CVE-2020-15962: Insufficient policy enforcement in serial. Reported by
Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud
- CVE-2020-15963: Insufficient policy enforcement in extensions. Reported
by David Erceg
- CVE-2020-15965: Out of bounds write in V8. Reported by Lucas Pinheiro,
Microsoft Browser Vulnerability Research
- CVE-2020-15966: Insufficient policy enforcement in extensions. Reported
by David Erceg
- CVE-2020-15964: Insufficient data validation in media. Reported by Woojin
Oh @pwn_expoit of STEALIEN
- CVE-2020-6573: Use after free in video. Reported by Leecraso and Guang
Gong of 360 Alpha Lab working with 360 BugCloud
- CVE-2020-6574: Insufficient policy enforcement in installer. Reported by
CodeColorist of Ant-Financial LightYear Labs
- CVE-2020-6575: Race in Mojo. Reported by Microsoft
- CVE-2020-6576: Use after free in offscreen canvas. Reported by Looben
Yang
- CVE-2020-15959: Insufficient policy enforcement in networking. Reported
by Eric Lawrence of Microsoft
- CVE-2020-6558: Insufficient policy enforcement in iOS. Reported by Alison
Huffman, Microsoft Browser Vulnerability Research
- CVE-2020-6559: Use after free in presentation API. Reported by Liu Wei
and Wu Zekai of Tencent Security Xuanwu Lab
- CVE-2020-6560: Insufficient policy enforcement in autofill. Reported by
Nadja Ungethuem from www.unnex.de
- CVE-2020-6561: Inappropriate implementation in Content Security Policy.
Reported by Rob Wu
- CVE-2020-6562: Insufficient policy enforcement in Blink. Reported by
Masato Kinugawa
- CVE-2020-6563: Insufficient policy enforcement in intent handling.
Reported by Pedro Oliveira
- CVE-2020-6564: Incorrect security UI in permissions. Reported by Khalil
Zhani
- CVE-2020-6565: Incorrect security UI in Omnibox. Reported by Khalil Zhani
- CVE-2020-6566: Insufficient policy enforcement in media. Reported by Jun
Kokatsu, Microsoft Browser Vulnerability Research
- CVE-2020-6567: Insufficient validation of untrusted input in command line
handling. Reported by Joshua Graham of TSS
- CVE-2020-6568: Insufficient policy enforcement in intent handling.
Reported by Yongke Wang @Rudykewang and Aryb1n @aryb1n of Tencent
Security Xuanwu Lab
- CVE-2020-6569: Integer overflow in WebUSB. Reported by guaixiaomei
- CVE-2020-6570: Side-channel information leakage in WebRTC. Reported by
Signal/Tenable
- CVE-2020-6571: Incorrect security UI in Omnibox. Reported by Rayyan
Bijoora
- CVE-2020-6556: Heap buffer overflow in SwiftShader. Reported by Alison
Huffman, Microsoft Browser Vulnerability Research
- CVE-2020-6542: Use after free in ANGLE. Reported by Piotr Bania of Cisco
Talos
- CVE-2020-6543: Use after free in task scheduling. Reported by Looben Yang
- CVE-2020-6544: Use after free in media. Reported by Tim Becker of Theori
- CVE-2020-6545: Use after free in audio. Reported by Anonymous
- CVE-2020-6546: Inappropriate implementation in installer. Reported by
Andrew Hess
- CVE-2020-6547: Incorrect security UI in media. Reported by David Albert
- CVE-2020-6548: Heap buffer overflow in Skia. Reported by Choongwoo Han,
Microsoft Browser Vulnerability Research
- CVE-2020-6549: Use after free in media. Reported by Sergei Glazunov of
Google Project Zero
- CVE-2020-6550: Use after free in IndexedDB. Reported by Sergei Glazunov
of Google Project Zero
- CVE-2020-6551: Use after free in WebXR. Reported by Sergei Glazunov of
Google Project Zero
- CVE-2020-6552: Use after free in Blink. Reported by Tim Becker of Theori
- CVE-2020-6553: Use after free in offline mode. Reported by Alison
Huffman, Microsoft Browser Vulnerability Research
- CVE-2020-6554: Use after free in extensions. Reported by Anonymous
- CVE-2020-6555: Out of bounds read in WebGL. Reported by Marcin Towalski
of Cisco Talos
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---