Date: Sat, 28 May 2016 10:14:12 +0000 (UTC) From: Rene Ladan <rene@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r415981 - head/security/vuxml Message-ID: <201605281014.u4SAECTe046600@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: rene Date: Sat May 28 10:14:12 2016 New Revision: 415981 URL: https://svnweb.freebsd.org/changeset/ports/415981 Log: Document vulnerabilities in www/chromium: < 50.0.2661.94 < 50.0.2661.102 < 51.0.2704.63 Obtained from: http://googlechromereleases.blogspot.nl/ Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat May 28 09:47:40 2016 (r415980) +++ head/security/vuxml/vuln.xml Sat May 28 10:14:12 2016 (r415981) @@ -58,6 +58,201 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="1a6bbb95-24b8-11e6-bd31-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> + <package> + <name>chromium</name> + <name>chromium-npapi</name> + <name>chromium-pulse</name> + <range><lt>51.0.2704.63</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Google Chrome Releases reports:</p> + <blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html">; + <p>42 security fixes in this release, including:</p> + <ul> + <li>[590118] High CVE-2016-1672: Cross-origin bypass in extension + bindings. Credit to Mariusz Mlynski.</li> + <li>[597532] High CVE-2016-1673: Cross-origin bypass in Blink. + Credit to Mariusz Mlynski.</li> + <li>[598165] High CVE-2016-1674: Cross-origin bypass in extensions.i + Credit to Mariusz Mlynski.</li> + <li>[600182] High CVE-2016-1675: Cross-origin bypass in Blink. + Credit to Mariusz Mlynski.</li> + <li>[604901] High CVE-2016-1676: Cross-origin bypass in extension + bindings. Credit to Rob Wu.</li> + <li>[602970] Medium CVE-2016-1677: Type confusion in V8. Credit to + Guang Gong of Qihoo 360.</li> + <li>[595259] High CVE-2016-1678: Heap overflow in V8. Credit to + Christian Holler.</li> + <li>[606390] High CVE-2016-1679: Heap use-after-free in V8 + bindings. Credit to Rob Wu.</li> + <li>[589848] High CVE-2016-1680: Heap use-after-free in Skia. + Credit to Atte Kettunen of OUSPG.</li> + <li>[613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to + Aleksandar Nikolic of Cisco Talos.</li> + <li>[579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker. + Credit to KingstonTime.</li> + <li>[583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt. + Credit to Nicolas Gregoire.</li> + <li>[583171] Medium CVE-2016-1684: Integer overflow in libxslt. + Credit to Nicolas Gregoire.</li> + <li>[601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium. + Credit to Ke Liu of Tencent's Xuanwu LAB.</li> + <li>[603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium. + Credit to Ke Liu of Tencent's Xuanwu LAB.</li> + <li>[603748] Medium CVE-2016-1687: Information leak in extensions. + Credit to Rob Wu.</li> + <li>[604897] Medium CVE-2016-1688: Out-of-bounds read in V8. + Credit to Max Korenko.</li> + <li>[606185] Medium CVE-2016-1689: Heap buffer overflow in media. + Credit to Atte Kettunen of OUSPG.</li> + <li>[608100] Medium CVE-2016-1690: Heap use-after-free in Autofill. + Credit to Rob Wu.</li> + <li>[597926] Low CVE-2016-1691: Heap buffer-overflow in Skia. + Credit to Atte Kettunen of OUSPG.</li> + <li>[598077] Low CVE-2016-1692: Limited cross-origin bypass in + ServiceWorker. Credit to Til Jasper Ullrich.</li> + <li>[598752] Low CVE-2016-1693: HTTP Download of Software Removal + Tool. Credit to Khalil Zhani.</li> + <li>[603682] Low CVE-2016-1694: HPKP pins removed on cache + clearance. Credit to Ryan Lester and Bryant Zadegan.</li> + <li>[614767] CVE-2016-1695: Various fixes from internal audits, + fuzzing and other initiatives.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1672</cvename> + <cvename>CVE-2016-1673</cvename> + <cvename>CVE-2016-1674</cvename> + <cvename>CVE-2016-1675</cvename> + <cvename>CVE-2016-1672</cvename> + <cvename>CVE-2016-1677</cvename> + <cvename>CVE-2016-1678</cvename> + <cvename>CVE-2016-1679</cvename> + <cvename>CVE-2016-1680</cvename> + <cvename>CVE-2016-1681</cvename> + <cvename>CVE-2016-1682</cvename> + <cvename>CVE-2016-1683</cvename> + <cvename>CVE-2016-1684</cvename> + <cvename>CVE-2016-1685</cvename> + <cvename>CVE-2016-1686</cvename> + <cvename>CVE-2016-1687</cvename> + <cvename>CVE-2016-1688</cvename> + <cvename>CVE-2016-1689</cvename> + <cvename>CVE-2016-1690</cvename> + <cvename>CVE-2016-1691</cvename> + <cvename>CVE-2016-1692</cvename> + <cvename>CVE-2016-1693</cvename> + <cvename>CVE-2016-1694</cvename> + <cvename>CVE-2016-1695</cvename> + <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html</url>; + </references> + <dates> + <discovery>2016-05-25</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + + <vuln vid="4dfafa16-24ba-11e6-bd31-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> + <package> + <name>chromium</name> + <name>chromium-npapi</name> + <name>chromium-pulse</name> + <range><lt>50.0.2661.102</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Google Chrome Releases reports:</p> + <blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html">; + <p>5 security fixes in this release, including:</p> + <ul> + <li>[605766] High CVE-2016-1667: Same origin bypass in DOM. Credit + to Mariusz Mlynski.</li> + <li>[605910] High CVE-2016-1668: Same origin bypass in Blink V8 + bindings. Credit to Mariusz Mlynski.</li> + <li>[606115] High CVE-2016-1669: Buffer overflow in V8. Credit to + Choongwoo Han.</li> + <li>[578882] Medium CVE-2016-1670: Race condition in loader. Credit + to anonymous.</li> + <li>[586657] Medium CVE-2016-1671: Directory traversal using the + file scheme on Android. Credit to Jann Horn.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1667</cvename> + <cvename>CVE-2016-1668</cvename> + <cvename>CVE-2016-1669</cvename> + <cvename>CVE-2016-1670</cvename> + <cvename>CVE-2016-1671</cvename> + <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html</url>; + </references> + <dates> + <discovery>2016-05-11</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + + <vuln vid="7da1da96-24bb-11e6-bd31-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerablities</topic> + <affects> + <package> + <name>chromium</name> + <name>chromium-npapi</name> + <name>chromium-pulse</name> + <range><lt>50.0.2661.94</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Google Chrome Releases reports:</p> + <blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html">; + <p>9 security fixes in this release, including:</p> + <ul> + <li>[574802] High CVE-2016-1660: Out-of-bounds write in Blink. + Credit to Atte Kettunen of OUSPG.</li> + <li>[601629] High CVE-2016-1661: Memory corruption in cross-process + frames. Credit to Wadih Matar.</li> + <li>[603732] High CVE-2016-1662: Use-after-free in extensions. + Credit to Rob Wu.</li> + <li>[603987] High CVE-2016-1663: Use-after-free in Blink's V8 + bindings. Credit to anonymous.</li> + <li>[597322] Medium CVE-2016-1664: Address bar spoofing. Credit to + Wadih Matar.</li> + <li>[606181] Medium CVE-2016-1665: Information leak in V8. Credit + to HyungSeok Han.</li> + <li>[607652] CVE-2016-1666: Various fixes from internal audits, + fuzzing and other initiatives.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1660</cvename> + <cvename>CVE-2016-1661</cvename> + <cvename>CVE-2016-1662</cvename> + <cvename>CVE-2016-1663</cvename> + <cvename>CVE-2016-1664</cvename> + <cvename>CVE-2016-1665</cvename> + <cvename>CVE-2016-1666</cvename> + <url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html</url>; + </references> + <dates> + <discovery>2016-04-28</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + <vuln vid="6b110175-246d-11e6-8dd3-002590263bf5"> <topic>php -- multiple vulnerabilities</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605281014.u4SAECTe046600>