Date: Sat, 21 Oct 2017 23:01:18 +0000 (UTC) From: "Carlos J. Puga Medina" <cpm@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r452616 - head/security/vuxml Message-ID: <201710212301.v9LN1Ibt005289@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: cpm Date: Sat Oct 21 23:01:18 2017 New Revision: 452616 URL: https://svnweb.freebsd.org/changeset/ports/452616 Log: Document new vulnerabilities in www/chromium < 62.0.3202.62 Obtained from: https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Sat Oct 21 21:12:03 2017 (r452615) +++ head/security/vuxml/vuln.xml Sat Oct 21 23:01:18 2017 (r452616) @@ -58,6 +58,94 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="a692bffe-b6ad-11e7-a1c2-e8e0b747a45a"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> + <package> + <name>chromium</name> + <range><lt>62.0.3202.62</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google Chrome Releases reports:</p> + <blockquote cite="https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html"> + <p>35 security fixes in this release, including:</p> + <ul> + <li>[762930] High CVE-2017-5124: UXSS with MHTML. Reported by + Anonymous on 2017-09-07</li> + <li>[749147] High CVE-2017-5125: Heap overflow in Skia. Reported by + Anonymous on 2017-07-26</li> + <li>[760455] High CVE-2017-5126: Use after free in PDFium. Reported by + Luat Nguyen on KeenLab, Tencent on 2017-08-30</li> + <li>[765384] High CVE-2017-5127: Use after free in PDFium. Reported by + Luat Nguyen on KeenLab, Tencent on 2017-09-14</li> + <li>[765469] High CVE-2017-5128: Heap overflow in WebGL. Reported by + Omair on 2017-09-14</li> + <li>[765495] High CVE-2017-5129: Use after free in WebAudio. Reported by + Omair on 2017-09-15</li> + <li>[718858] High CVE-2017-5132: Incorrect stack manipulation in WebAssembly. Reported by + Gaurav Dewan of Adobe Systems India Pvt. Ltd. on 2017-05-05</li> + <li>[722079] High CVE-2017-5130: Heap overflow in libxml2. Reported by + Pranjal Jumde on 2017-05-14</li> + <li>[744109] Medium CVE-2017-5131: Out of bounds write in Skia. Reported by + Anonymous on 2017-07-16</li> + <li>[762106] Medium CVE-2017-5133: Out of bounds write in Skia. Reported by + Aleksandar Nikolic of Cisco Talos on 2017-09-05</li> + <li>[752003] Medium CVE-2017-15386: UI spoofing in Blink. Reported by + WenXu Wu of Tencent's Xuanwu Lab on 2017-08-03</li> + <li>[756040] Medium CVE-2017-15387: Content security bypass. Reported by + Jun Kokatsu on 2017-08-16</li> + <li>[756563] Medium CVE-2017-15388: Out of bounds read in Skia. Reported by + Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-08-17</li> + <li>[739621] Medium CVE-2017-15389: URL spoofing in Omnibox. Reported by + xisigr of Tencent's Xuanwu Lab on 2017-07-06</li> + <li>[750239] Medium CVE-2017-15390: URL spoofing in Omnibox. Reported by + Haosheng Wang on 2017-07-28</li> + <li>[598265] Low CVE-2017-15391: Extension limitation bypass in Extensions. Reported by + Joao Lucas Melo Brasio on 2016-03-28</li> + <li>[714401] Low CVE-2017-15392: Incorrect registry key handling in PlatformIntegration. + Reported by Xiaoyin Liu on 2017-04-22</li> + <li>[732751] Low CVE-2017-15393: Referrer leak in Devtools. Reported by + Svyat Mitin on 2017-06-13</li> + <li>[745580] Low CVE-2017-15394: URL spoofing in extensions UI. Reported by + Sam on 2017-07-18</li> + <li>[759457] Low CVE-2017-15395: Null pointer dereference in ImageCapture. Reported by + Johannes Bergman on 2017-08-28</li> + <li>[775550] Various fixes from internal audits, fuzzing and other initiatives</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2017-5124</cvename> + <cvename>CVE-2017-5125</cvename> + <cvename>CVE-2017-5126</cvename> + <cvename>CVE-2017-5127</cvename> + <cvename>CVE-2017-5128</cvename> + <cvename>CVE-2017-5129</cvename> + <cvename>CVE-2017-5132</cvename> + <cvename>CVE-2017-5130</cvename> + <cvename>CVE-2017-5131</cvename> + <cvename>CVE-2017-5133</cvename> + <cvename>CVE-2017-15386</cvename> + <cvename>CVE-2017-15387</cvename> + <cvename>CVE-2017-15388</cvename> + <cvename>CVE-2017-15389</cvename> + <cvename>CVE-2017-15390</cvename> + <cvename>CVE-2017-15391</cvename> + <cvename>CVE-2017-15392</cvename> + <cvename>CVE-2017-15393</cvename> + <cvename>CVE-2017-15394</cvename> + <cvename>CVE-2017-15395</cvename> + <url>https://chromereleases.googleblog.com/2017/10/stable-channel-update-for-desktop.html</url> + </references> + <dates> + <discovery>2017-10-17</discovery> + <entry>2017-10-21</entry> + </dates> + </vuln> + <vuln vid="e1cb9dc9-daa9-44db-adde-e94d900e2f7f"> <topic>cacti -- Cross Site Scripting issue</topic> <affects>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201710212301.v9LN1Ibt005289>