Date: Tue, 23 Jan 2018 01:53:49 +0000 (UTC) From: "Carlos J. Puga Medina" <cpm@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r459721 - head/security/vuxml Message-ID: <201801230153.w0N1rn66069016@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cpm Date: Tue Jan 23 01:53:49 2018 New Revision: 459721 URL: https://svnweb.freebsd.org/changeset/ports/459721 Log: Document new vulnerabilities in www/chromium < 63.0.3239.84 Obtained from: https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Jan 23 01:11:49 2018 (r459720) +++ head/security/vuxml/vuln.xml Tue Jan 23 01:53:49 2018 (r459721) @@ -58,6 +58,94 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">; + <vuln vid="1d951e85-ffdb-11e7-8b91-e8e0b747a45a"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>63.0.3239.84</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml">; + <p>Google Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html">; + <p>37 security fixes in this release, including:</p> + <ul> + <li>[778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by + Ned Williamson on 2017-10-26</li> + <li>[762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by + Ke Liu of Tencent's Xuanwu LAB on 2017-09-06</li> + <li>[763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by + Anonymous on 2017-09-11</li> + <li>[765921] High CVE-2017-15410: Use after free in PDFium. Reported by + Luat Nguyen of KeenLab, Tencent on 2017-09-16</li> + <li>[770148] High CVE-2017-15411: Use after free in PDFium. Reported by + Luat Nguyen of KeenLab, Tencent on 2017-09-29</li> + <li>[727039] High CVE-2017-15412: Use after free in libXML. Reported by + Nick Wellnhofer on 2017-05-27</li> + <li>[766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by + Gaurav Dewan of Adobe Systems India Pvt. Ltd. on 2017-09-19</li> + <li>[765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call. + Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15</li> + <li>[779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by + Ned Williamson on 2017-10-28</li> + <li>[699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia. + Reported by Max May on 2017-03-07</li> + <li>[765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by + Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15</li> + <li>[780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink. + Reported by Jun Kokatsu on 2017-10-31</li> + <li>[777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by + WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23</li> + <li>[774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by + Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13</li> + <li>[780484] Medium CVE-2017-15430: Unsafe navigation in Chromecast Plugin. + Reported by jinmo123 on 2017-01-11</li> + <li>[778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL. + Reported by Greg Hudson on 2017-10-25</li> + <li>[756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by + Khalil Zhani on 2017-08-16</li> + <li>[756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by + xisigr of Tencent's Xuanwu Lab on 2017-08-17</li> + <li>[757735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by + WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18</li> + <li>[768910] Low CVE-2017-15427: Insufficient blocking of Javascript in Omnibox. + Reported by Junaid Farhan on 2017-09-26</li> + <li>[792099] Various fixes from internal audits, fuzzing and other initiatives</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2017-15407</cvename> + <cvename>CVE-2017-15408</cvename> + <cvename>CVE-2017-15409</cvename> + <cvename>CVE-2017-15410</cvename> + <cvename>CVE-2017-15411</cvename> + <cvename>CVE-2017-15412</cvename> + <cvename>CVE-2017-15413</cvename> + <cvename>CVE-2017-15415</cvename> + <cvename>CVE-2017-15416</cvename> + <cvename>CVE-2017-15417</cvename> + <cvename>CVE-2017-15418</cvename> + <cvename>CVE-2017-15419</cvename> + <cvename>CVE-2017-15420</cvename> + <cvename>CVE-2017-15422</cvename> + <cvename>CVE-2017-15430</cvename> + <cvename>CVE-2017-15423</cvename> + <cvename>CVE-2017-15424</cvename> + <cvename>CVE-2017-15425</cvename> + <cvename>CVE-2017-15426</cvename> + <cvename>CVE-2017-15427</cvename> + <url>https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html</url>; + </references> + <dates> + <discovery>2017-12-06</discovery> + <entry>2018-01-23</entry> + </dates> + </vuln> + <vuln vid="82894193-ffd4-11e7-8b91-e8e0b747a45a"> <topic>chromium -- out of bounds read</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201801230153.w0N1rn66069016>