
it-securitynotifies - [IT-SecNots] [SECURITY] [DSA 3486-1] chromium-browser security update

  • From: Michael Gilbert <mgilbert AT debian.org>
  • To: debian-security-announce AT lists.debian.org
  • Subject: [IT-SecNots] [SECURITY] [DSA 3486-1] chromium-browser security update
  • Date: Sun, 21 Feb 2016 16:56:37 -0500
  • List-archive: <https://service.piratenpartei.de/pipermail/it-securitynotifies>
  • List-id: Sicherheitsankündigungen <it-securitynotifies.lists.piratenpartei.de>
  • List-url: <http://lists.debian.org/debian-security-announce/>
  • Old-return-path: <gilbert AT psidef.org>
  • Priority: urgent
  • Resent-date: Sun, 21 Feb 2016 21:57:02 +0000 (UTC)
  • Resent-from: debian-security-announce AT lists.debian.org
  • Resent-message-id: <2kItby6o4aJ.A.8LD.uKjyWB@bendel>
  • Resent-sender: debian-security-announce-request AT lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3486-1              security AT debian.org
https://www.debian.org/security/                        Michael Gilbert
February 21, 2016                   https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : chromium-browser
CVE ID         : CVE-2016-1622 CVE-2016-1623 CVE-2016-1624 CVE-2016-1625
                 CVE-2016-1626 CVE-2016-1627 CVE-2016-1628 CVE-2016-1629

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2016-1622

It was discovered that a maliciously crafted extension could bypass
the Same Origin Policy.

CVE-2016-1623

Mariusz Mlynski discovered a way to bypass the Same Origin Policy.

CVE-2016-1624

lukezli discovered a buffer overflow issue in the Brotli library.

CVE-2016-1625

Jann Horn discovered a way to cause the Chrome Instant feature to
navigate to unintended destinations.

CVE-2016-1626

An out-of-bounds read issue was discovered in the openjpeg library.

CVE-2016-1627

It was discovered that the Developer Tools did not validate URLs.

CVE-2016-1628

An out-of-bounds read issue was discovered in the pdfium library.

CVE-2016-1629

A way to bypass the Same Origin Policy was discovered in Blink/WebKit,
along with a way to escape the chromium sandbox.

For the stable distribution (jessie), these problems have been fixed in
version 48.0.2564.116-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in
version 48.0.2564.116-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce AT lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----



