Date:      Thu, 26 Jan 2017 17:44:29 +0000 (UTC)
From:      "Carlos J. Puga Medina" <cpm@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r432522 - head/security/vuxml
Message-ID:  <201701261744.v0QHiTJa020355@repo.freebsd.org>

Author: cpm
Date: Thu Jan 26 17:44:29 2017
New Revision: 432522
URL: https://svnweb.freebsd.org/changeset/ports/432522

Log:
  Document new vulnerabilities in www/chromium < 56.0.2924.76
  
  Obtained from:	https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Jan 26 17:42:50 2017	(r432521)
+++ head/security/vuxml/vuln.xml	Thu Jan 26 17:44:29 2017	(r432522)
@@ -58,6 +58,98 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="4b9ca994-e3d9-11e6-813d-e8e0b747a45a">
+    <topic>chromium -- multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>chromium</name>
+	<name>chromium-npapi</name>
+	<name>chromium-pulse</name>
+	<range><lt>56.0.2924.76</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Google Chrome Releases reports:</p>
+	<blockquote cite="https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html">;
+	  <p>51 security fixes in this release, including:</p>
+	  <ul>
+	    <li>[671102] High CVE-2017-5007: Universal XSS in Blink. Credit to
+	      Mariusz Mlynski</li>
+	    <li>[673170] High CVE-2017-5006: Universal XSS in Blink. Credit to
+	      Mariusz Mlynski</li>
+	    <li>[668552] High CVE-2017-5008: Universal XSS in Blink. Credit to
+	      Mariusz Mlynski</li>
+	    <li>[663476] High CVE-2017-5010: Universal XSS in Blink. Credit to
+	      Mariusz Mlynski</li>
+	    <li>[662859] High CVE-2017-5011: Unauthorised file access in Devtools.
+	      Credit to Khalil Zhani</li>
+	    <li>[667504] High CVE-2017-5009: Out of bounds memory access in WebRTC.
+	      Credit to Sean Stanek and Chip Bradford</li>
+	    <li>[681843] High CVE-2017-5012: Heap overflow in V8. Credit to
+	      Gergely Nagy (Tresorit)</li>
+	    <li>[677716] Medium CVE-2017-5013: Address spoofing in Omnibox.
+	      Credit to Haosheng Wang (@gnehsoah)</li>
+	    <li>[675332] Medium CVE-2017-5014: Heap overflow in Skia. Credit to
+	      sweetchip</li>
+	    <li>[673971] Medium CVE-2017-5015: Address spoofing in Omnibox.
+	      Credit to Armin Razmdjou</li>
+	    <li>[666714] Medium CVE-2017-5019: Use after free in Renderer.
+	      Credit to Wadih Matar</li>
+	    <li>[673163] Medium CVE-2017-5016: UI spoofing in Blink. Credit to
+	      Haosheng Wang (@gnehsoah)</li>
+	    <li>[676975] Medium CVE-2017-5017: Uninitialised memory access in webm video.
+	      Credit to danberm</li>
+	    <li>[668665] Medium CVE-2017-5018: Universal XSS in chrome://apps.
+	      Credit to Rob Wu</li>
+	    <li>[668653] Medium CVE-2017-5020: Universal XSS in chrome://downloads.
+	      Credit to Rob Wu</li>
+	    <li>[663726] Low CVE-2017-5021: Use after free in Extensions. Credit to
+	      Rob Wu</li>
+	    <li>[663620] Low CVE-2017-5022: Bypass of Content Security Policy in Blink.
+	      Credit to Pujun Li of PKAV Team</li>
+	    <li>[651443] Low CVE-2017-5023: Type confunsion in metrics. Credit to the
+	      UK's National Cyber Security Centre (NCSC)</li>
+	    <li>[643951] Low CVE-2017-5024: Heap overflow in FFmpeg. Credit to
+	      Paul Mehta</li>
+	    <li>[643950] Low CVE-2017-5025: Heap overflow in FFmpeg. Credit to
+	      Paul Mehta</li>
+	    <li>[634108] Low CVE-2017-5026: UI spoofing. Credit to Ronni Skansing</li>
+	    <li>[685349] Various fixes from internal audits, fuzzing and other initiatives</li>
+	  </ul>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2017-5007</cvename>
+      <cvename>CVE-2017-5006</cvename>
+      <cvename>CVE-2017-5008</cvename>
+      <cvename>CVE-2017-5010</cvename>
+      <cvename>CVE-2017-5011</cvename>
+      <cvename>CVE-2017-5009</cvename>
+      <cvename>CVE-2017-5012</cvename>
+      <cvename>CVE-2017-5013</cvename>
+      <cvename>CVE-2017-5014</cvename>
+      <cvename>CVE-2017-5015</cvename>
+      <cvename>CVE-2017-5019</cvename>
+      <cvename>CVE-2017-5016</cvename>
+      <cvename>CVE-2017-5017</cvename>
+      <cvename>CVE-2017-5018</cvename>
+      <cvename>CVE-2017-2020</cvename>
+      <cvename>CVE-2017-2021</cvename>
+      <cvename>CVE-2017-2022</cvename>
+      <cvename>CVE-2017-2023</cvename>
+      <cvename>CVE-2017-2024</cvename>
+      <cvename>CVE-2017-2025</cvename>
+      <cvename>CVE-2017-2026</cvename>
+      <url>https://chromereleases.googleblog.com/2017/01/stable-channel-update-for-desktop.html</url>;
+    </references>
+    <dates>
+      <discovery>2017-01-25</discovery>
+      <entry>2017-01-26</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="d455708a-e3d3-11e6-9940-b499baebfeaf">
     <topic>OpenSSL -- multiple vulnerabilities</topic>
     <affects>
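Review bot: The last seven `<cvename>` entries in the references block (CVE-2017-2020 through CVE-2017-2026) do not match the identifiers quoted in the description, which lists CVE-2017-5020 through CVE-2017-5026 — the leading digit of the number was mistyped as `2` instead of `5`. As written, the entry cross-references seven unrelated CVE IDs and omits the real ones, so anything that matches VuXML entries by CVE (pkg audit output, NVD/OSV correlation, downstream scanners) will report the wrong identifiers for this chromium update. The fix is to replace each `CVE-2017-20NN` with `CVE-2017-50NN` so the references agree with the quoted advisory; the description text itself is already correct. The description also carries an upstream typo, "Type confunsion", but that is a verbatim quote of the release notes and can reasonably be left as-is.
```xml
    <references>
      <!-- … unchanged: CVE-2017-5006 through CVE-2017-5018 … -->
      <cvename>CVE-2017-5020</cvename>
      <cvename>CVE-2017-5021</cvename>
      <cvename>CVE-2017-5022</cvename>
      <cvename>CVE-2017-5023</cvename>
      <cvename>CVE-2017-5024</cvename>
      <cvename>CVE-2017-5025</cvename>
      <cvename>CVE-2017-5026</cvename>
      <!-- … unchanged: <url> reference … -->
```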


