From: "Carlos J. Puga Medina"
Date: Fri, 27 Jul 2018 12:34:57 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r475430 - head/security/vuxml

Author: cpm
Date: Fri Jul 27 12:34:57 2018
New Revision: 475430
URL: https://svnweb.freebsd.org/changeset/ports/475430

Log:
  Document new vulnerabilities in www/chromium < 68.0.3440.75

  Obtained from: https://chromereleases.googleblog.com/2018/07/stable-channel-update-for-desktop.html

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Fri Jul 27 12:24:57 2018 (r475429) +++ head/security/vuxml/vuln.xml Fri Jul 27 12:34:57 2018 (r475430) @@ -58,6 +58,98 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + chromium -- multiple vulnerabilities + + + chromium + 68.0.3440.75 + + + + +

Google Chrome Releases reports:

+
+

42 security fixes in this release, including:

+
    +
  • [850350] High CVE-2018-6153: Stack buffer overflow in Skia. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-06-07
  • +
  • [848914] High CVE-2018-6154: Heap buffer overflow in WebGL. Reported by Omair on 2018-06-01
  • +
  • [842265] High CVE-2018-6155: Use after free in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-11
  • +
  • [841962] High CVE-2018-6156: Heap buffer overflow in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-10
  • +
  • [840536] High CVE-2018-6157: Type confusion in WebRTC. Reported by Natalie Silvanovich of Google Project Zero on 2018-05-07
  • +
  • [812667] Medium CVE-2018-6150: Cross origin information disclosure in Service Workers. Reported by Rob Wu on 2018-02-15
  • +
  • [805905] Medium CVE-2018-6151: Bad cast in DevTools. Reported by Rob Wu on 2018-01-25
  • +
  • [805445] Medium CVE-2018-6152: Local file write in DevTools. Reported by Rob Wu on 2018-01-24
  • +
  • [841280] Medium CVE-2018-6158: Use after free in Blink. Reported by Zhe Jin, Luyao Liu from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-05-09
  • +
  • [837275] Medium CVE-2018-6159: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-04-26
  • +
  • [839822] Medium CVE-2018-6160: URL spoof in Chrome on iOS. Reported by evi1m0 of Bilibili Security Team on 2018-05-04
  • +
  • [826552] Medium CVE-2018-6161: Same origin policy bypass in WebAudio. Reported by Jun Kokatsu (@shhnjk) on 2018-03-27
  • +
  • [804123] Medium CVE-2018-6162: Heap buffer overflow in WebGL. Reported by Omair on 2018-01-21
  • +
  • [849398] Medium CVE-2018-6163: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-06-04
  • +
  • [848786] Medium CVE-2018-6164: Same origin policy bypass in ServiceWorker. Reported by Jun Kokatsu (@shhnjk) on 2018-06-01
  • +
  • [847718] Medium CVE-2018-6165: URL spoof in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-05-30
  • +
  • [835554] Medium CVE-2018-6166: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-21
  • +
  • [833143] Medium CVE-2018-6167: URL spoof in Omnibox. Reported by Lnyas Zhang on 2018-04-15
  • +
  • [828265] Medium CVE-2018-6168: CORS bypass in Blink. Reported by Gunes Acar and Danny Y. Huang of Princeton University, Frank Li of UC Berkeley on 2018-04-03
  • +
  • [394518] Medium CVE-2018-6169: Permissions bypass in extension installation. Reported by Sam P on 2014-07-16
  • +
  • [862059] Medium CVE-2018-6170: Type confusion in PDFium. Reported by Anonymous on 2018-07-10
  • +
  • [851799] Medium CVE-2018-6171: Use after free in WebBluetooth. Reported by amazon@mimetics.ca on 2018-06-12
  • +
  • [847242] Medium CVE-2018-6172: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-05-28
  • +
  • [836885] Medium CVE-2018-6173: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-04-25
  • +
  • [835299] Medium CVE-2018-6174: Integer overflow in SwiftShader. Reported by Mark Brand of Google Project Zero on 2018-04-20
  • +
  • [826019] Medium CVE-2018-6175: URL spoof in Omnibox. Reported by Khalil Zhani on 2018-03-26
  • +
  • [666824] Medium CVE-2018-6176: Local user privilege escalation in Extensions. Reported by Jann Horn of Google Project Zero on 2016-11-18
  • +
  • [826187] Low CVE-2018-6177: Cross origin information leak in Blink. Reported by Ron Masas (Imperva) on 2018-03-27
  • +
  • [823194] Low CVE-2018-6178: UI spoof in Extensions. Reported by Khalil Zhani on 2018-03-19
  • +
  • [816685] Low CVE-2018-6179: Local file information leak in Extensions. Reported by Anonymous on 2018-02-26
  • +
  • [797461] Low CVE-2018-6044: Request privilege escalation in Extensions. Reported by Wob Wu on 2017-12-23
  • +
  • [791324] Low CVE-2018-4117: Cross origin information leak in Blink. Reported by AhsanEjaz - @AhsanEjazA on 2017-12-03
  • +
  • [866821] Various fixes from internal audits, fuzzing and other initiatives
  • +
+
+ +
+ + CVE-2018-4117 + CVE-2018-6044 + CVE-2018-6150 + CVE-2018-6151 + CVE-2018-6152 + CVE-2018-6153 + CVE-2018-6154 + CVE-2018-6155 + CVE-2018-6156 + CVE-2018-6157 + CVE-2018-6158 + CVE-2018-6159 + CVE-2018-6160 + CVE-2018-6161 + CVE-2018-6162 + CVE-2018-6163 + CVE-2018-6164 + CVE-2018-6165 + CVE-2018-6166 + CVE-2018-6167 + CVE-2018-6168 + CVE-2018-6169 + CVE-2018-6170 + CVE-2018-6171 + CVE-2018-6172 + CVE-2018-6173 + CVE-2018-6174 + CVE-2018-6175 + CVE-2018-6176 + CVE-2018-6177 + CVE-2018-6178 + CVE-2018-6179 + https://chromereleases.googleblog.com/2018/07/stable-channel-update-for-desktop.html + + + 2018-07-24 + 2018-07-27 + +
+ curl -- SMTP send heap buffer overflow
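
Review bot: In the CVE-2018-6044 item the reporter is spelled "Wob Wu", while the CVE-2018-6150, CVE-2018-6151 and CVE-2018-6152 items in the same list credit "Rob Wu"; compare it with the Chrome Releases post given as the source and correct it if it is a transcription slip rather than the upstream wording. Separately, the quoted list includes CVE-2018-6160 ("URL spoof in Chrome on iOS"), which names a platform other than the chromium package this entry covers; quoting upstream verbatim is fine, but consider whether that CVE belongs in the reference list for this package. The 32 CVE names in the references do match the 32 CVE-tagged items in the description, so nothing is missing there.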