From owner-freebsd-chromium@freebsd.org  Wed Sep  2 18:08:23 2015
Return-Path: <owner-freebsd-chromium@freebsd.org>
Delivered-To: freebsd-chromium@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 3697C9C9B86
 for <freebsd-chromium@mailman.ysv.freebsd.org>;
 Wed,  2 Sep 2015 18:08:23 +0000 (UTC)
 (envelope-from r.c.ladan@gmail.com)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com
 [IPv6:2a00:1450:400c:c05::232])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id C2CA424C
 for <freebsd-chromium@freebsd.org>; Wed,  2 Sep 2015 18:08:22 +0000 (UTC)
 (envelope-from r.c.ladan@gmail.com)
Received: by wicge5 with SMTP id ge5so49570465wic.0
 for <freebsd-chromium@freebsd.org>; Wed, 02 Sep 2015 11:08:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=sender:subject:to:references:cc:from:message-id:date:user-agent
 :mime-version:in-reply-to:content-type:content-transfer-encoding;
 bh=LiJ7cZCTtSwzzDeeNhIlQepQ1U9reJuchQqPNgfD728=;
 b=GpxCqmsOQ34LwDJFQCNMS2QxrTuTrVRdXx9NmxI5jcpK8g2W+VdQTCSDJq9q+SdqN9
 /2hIYCH1JRXR1ROrg18mcEOFiDzMrKWrxKWUyE8V8ROvpZN0Aa75O7c68TwfqWKdlmFb
 H0uDmL3ML9MyktrQTYUX1HMAowOF408X8rATRxJFCn8SWJdwJcCw/b555xYv4bwNA5Id
 pOM86gW+JmBsZ8loH+iVKYVej+LkQsx1+c3Rop/2XMcRhjO5Ykt7hni38pvkERSILfx3
 JoJfSOpGf1sXSquQQYwEPP6YmAukhRseL/HIojgN7qjhw6kc7nxflEgrgGiqJneVEcm7
 7AXA==
X-Received: by 10.180.106.4 with SMTP id gq4mr6093791wib.42.1441217301108;
 Wed, 02 Sep 2015 11:08:21 -0700 (PDT)
Received: from [192.168.178.21] (a82-161-212-209.adsl.xs4all.nl.
 [82.161.212.209])
 by smtp.googlemail.com with ESMTPSA id lg6sm33593352wjb.10.2015.09.02.11.08.20
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Wed, 02 Sep 2015 11:08:20 -0700 (PDT)
Sender: =?UTF-8?Q?Ren=C3=A9_Ladan?= <r.c.ladan@gmail.com>
Subject: Re: Document new vulnerabilities in www/chromium < 45.0.2454.85
To: Carlos J Puga Medina <cpm@fbsd.es>
References: <1441189302.97726.2.camel@fbsd.es>
Cc: freebsd-chromium@freebsd.org
From: =?UTF-8?Q?Ren=c3=a9_Ladan?= <rene@freebsd.org>
Message-ID: <55E73B13.1080408@freebsd.org>
Date: Wed, 2 Sep 2015 20:08:19 +0200
User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:38.0) Gecko/20100101
 Thunderbird/38.1.0
MIME-Version: 1.0
In-Reply-To: <1441189302.97726.2.camel@fbsd.es>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-BeenThere: freebsd-chromium@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: FreeBSD-specific Chromium issues <freebsd-chromium.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/freebsd-chromium>, 
 <mailto:freebsd-chromium-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-chromium/>
List-Post: <mailto:freebsd-chromium@freebsd.org>
List-Help: <mailto:freebsd-chromium-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/freebsd-chromium>, 
 <mailto:freebsd-chromium-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Sep 2015 18:08:23 -0000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 09/02/2015 12:21, Carlos J Puga Medina wrote:
> Current www/chromium is marked as vulnerable on Google Chrome
> website[0].
Committed, with a few line rewraps and addition of variants specific to
PC-BSD.

Thanks,
René
>
> --- vuln.xml.orig    2015-09-02 02:30:55.000000000 +0200
> +++ vuln.xml    2015-09-02 12:18:45.643172000 +0200
> @@ -58,6 +58,66 @@
> 
>  -->
>  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
> +  <vuln vid="a9350df8-5157-11e5-b5c1-e8e0b747a45a">
> +    <topic>chromium -- multiple vulnerabilities</topic>
> +    <affects>
> +      <package>
> +    <name>chromium</name>
> +    <range><lt>45.0.2454.85</lt></range>
> +      </package>
> +    </affects>
> +    <description>
> +      <body xmlns="http://www.w3.org/1999/xhtml">;
> +    <p>Google Chrome Releases reports:</p>
> +    <blockquote cite="http://googlechromereleases.blogspot.nl">;
> +      <p>29 security fixes in this release, including:</p>
> +      <ul>
> +        <li>[516377] High CVE-2015-1291: Cross-origin bypass in
> DOM. Credit
> +          to anonymous.</li>
> +        <li>[522791] High CVE-2015-1292: Cross-origin bypass in
> ServiceWorker. Credit
> +          to Mariusz Mlynski.</li>
> +        <li>[524074] High CVE-2015-1293: Cross-origin bypass in
> DOM. Credit
> +          to Mariusz Mlynski.</li>
> +        <li>[492263] High CVE-2015-1294: Use-after-free in Skia.
> Credit
> +          to cloudfuzzer.</li>
> +        <li>[502562] High CVE-2015-1295: Use-after-free in
> Printing. Credit
> +          to anonymous.</li>
> +        <li>[421332] High CVE-2015-1296: Character spoofing in
> omnibox. Credit
> +          to zcorpan.</li>
> +        <li>[510802] Medium CVE-2015-1297: Permission scoping
> error in Webrequest. Credit
> +          to Alexander Kashev.</li>
> +        <li>[518827] Medium CVE-2015-1298: URL validation error in
> extensions. Credit
> +          to Rob Wu.</li>
> +        <li>[416362] Medium CVE-2015-1299: Use-after-free in
> Blink. Credit
> +          to taro.suzuki.dev.</li>
> +        <li>[511616] Medium CVE-2015-1300: Information leak in
> Blink. Credit
> +          to cgvwzq.</li>
> +        <li>[526825] CVE-2015-1301: Various fixes from internal
> audits, fuzzing and
> +          other initiatives.</li>
> +      </ul>
> +    </blockquote>
> +      </body>
> +    </description>
> +    <references>
> +      <cvename>CVE-2015-1291</cvename>
> +      <cvename>CVE-2015-1292</cvename>
> +      <cvename>CVE-2015-1293</cvename>
> +      <cvename>CVE-2015-1294</cvename>
> +      <cvename>CVE-2015-1295</cvename>
> +      <cvename>CVE-2015-1296</cvename>
> +      <cvename>CVE-2015-1297</cvename>
> +      <cvename>CVE-2015-1298</cvename>
> +      <cvename>CVE-2015-1299</cvename>
> +      <cvename>CVE-2015-1300</cvename>
> +      <cvename>CVE-2015-1301</cvename>
> +      <url>http://googlechromereleases.blogspot.nl</url>;
> +    </references>
> +    <dates>
> +      <discovery>2015-09-01</discovery>
> +      <entry>2015-09-02</entry>
> +    </dates>
> +  </vuln>
> +
>    <vuln vid="fc1f6658-4f53-11e5-934b-002590263bf5">
>      <topic>ghostscript -- denial of service (crash) via crafted
> Postscript files</topic>
>      <affects>
>
> [0] http://googlechromereleases.blogspot.nl/2015/09/stable-channel-upda
> te.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQJ8BAEBCgBmBQJV5zsEXxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQxMDFBNzE2QjE2MkIwMEU1NUJFREVBMDVB
REJCRjg2MTBBMzc4OUI3AAoJEK27+GEKN4m3xDgP/24c1+7hBU7DT+nQu5gad/Rg
esmRRZwAc8a2OklRGwkRJWjv0zmB/F4fk9FN9RZ9FOtsP1oI4LuNGM1/EWeEeh9l
ESGCZpyPBK263tMb6+aExB6gtifAAc777HPEOIEeqWFmy6mWWe3Wp7eFOoxY/Dtg
2DenHkueGb3Fh70W0/uoSWK/EQLiv0yUQ96bUQPsDt0Ru2hdFqxVvhSC063WJ/R1
2YLN8LM2Ib/LEhzvRLZa4WpvtqheK0muB5jXw84FwAwPkNfCzsE59pSLBXASoZAT
hFcpJSh5HmUpV+qtNsEEFi/15xm9jBeUPMtl/KpMYminkydA1PvEo7snpcQcNKa/
IApJeLLZtOOyiZGkbWT4whSMscu02RuwKqeiO++5cy6mY45aVOFpzuzFvl5TKVu1
LFrN3v2xjUVG4ML34/jYxsB0zYDPXkdryCEX8camjqWnAwhn8xWpUgpeHSEjVYKx
bu5Pea7OxLUOzI04XqEM8HSd2rMrnwu9/hN3Ud/YnpszMCQOZ/Wm9OcZB56oERgA
VPGTaQlXzKLpNlGV834YgE0/UQh2oPxDpCuQhPd+9OsPf6eLdzrW1PJHuE66GF5Z
3oYK/wTrjt8ws4M01zsrpksEE1u0Lko8g0iov8mUMgPyL28AMX1nEIggdaphvmjl
CLWL/uohvUf31Tu1pkpb
=h+29
-----END PGP SIGNATURE-----