svn commit: r459721 - head/security/vuxml
Carlos J. Puga Medina
cpm at FreeBSD.org
Tue Jan 23 01:53:50 UTC 2018
Author: cpm
Date: Tue Jan 23 01:53:49 2018
New Revision: 459721
URL: https://svnweb.freebsd.org/changeset/ports/459721
Log:
Document new vulnerabilities in www/chromium < 63.0.3239.84
Obtained from: https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Tue Jan 23 01:11:49 2018 (r459720)
+++ head/security/vuxml/vuln.xml Tue Jan 23 01:53:49 2018 (r459721)
@@ -58,6 +58,94 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="1d951e85-ffdb-11e7-8b91-e8e0b747a45a">
+ <topic>chromium -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>chromium</name>
+ <range><lt>63.0.3239.84</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Google Chrome Releases reports:</p>
+ <blockquote cite="https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html">
+ <p>37 security fixes in this release, including:</p>
+ <ul>
+ <li>[778505] Critical CVE-2017-15407: Out of bounds write in QUIC. Reported by
+ Ned Williamson on 2017-10-26</li>
+ <li>[762374] High CVE-2017-15408: Heap buffer overflow in PDFium. Reported by
+ Ke Liu of Tencent's Xuanwu LAB on 2017-09-06</li>
+ <li>[763972] High CVE-2017-15409: Out of bounds write in Skia. Reported by
+ Anonymous on 2017-09-11</li>
+ <li>[765921] High CVE-2017-15410: Use after free in PDFium. Reported by
+ Luat Nguyen of KeenLab, Tencent on 2017-09-16</li>
+ <li>[770148] High CVE-2017-15411: Use after free in PDFium. Reported by
+ Luat Nguyen of KeenLab, Tencent on 2017-09-29</li>
+ <li>[727039] High CVE-2017-15412: Use after free in libXML. Reported by
+ Nick Wellnhofer on 2017-05-27</li>
+ <li>[766666] High CVE-2017-15413: Type confusion in WebAssembly. Reported by
+ Gaurav Dewan of Adobe Systems India Pvt. Ltd. on 2017-09-19</li>
+ <li>[765512] Medium CVE-2017-15415: Pointer information disclosure in IPC call.
+ Reported by Viktor Brange of Microsoft Offensive Security Research Team on 2017-09-15</li>
+ <li>[779314] Medium CVE-2017-15416: Out of bounds read in Blink. Reported by
+ Ned Williamson on 2017-10-28</li>
+ <li>[699028] Medium CVE-2017-15417: Cross origin information disclosure in Skia.
+ Reported by Max May on 2017-03-07</li>
+ <li>[765858] Medium CVE-2017-15418: Use of uninitialized value in Skia. Reported by
+ Kushal Arvind Shah of Fortinet's FortiGuard Labs on 2017-09-15</li>
+ <li>[780312] Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink.
+ Reported by Jun Kokatsu on 2017-10-31</li>
+ <li>[777419] Medium CVE-2017-15420: URL spoofing in Omnibox. Reported by
+ WenXu Wu of Tencent's Xuanwu Lab on 2017-10-23</li>
+ <li>[774382] Medium CVE-2017-15422: Integer overflow in ICU. Reported by
+ Yuan Deng of Ant-financial Light-Year Security Lab on 2017-10-13</li>
+ <li>[780484] Medium CVE-2017-15430: Unsafe navigation in Chromecast Plugin.
+ Reported by jinmo123 on 2017-01-11</li>
+ <li>[778101] Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
+ Reported by Greg Hudson on 2017-10-25</li>
+ <li>[756226] Low CVE-2017-15424: URL Spoof in Omnibox. Reported by
+ Khalil Zhani on 2017-08-16</li>
+ <li>[756456] Low CVE-2017-15425: URL Spoof in Omnibox. Reported by
+ xisigr of Tencent's Xuanwu Lab on 2017-08-17</li>
+ <li>[757735] Low CVE-2017-15426: URL Spoof in Omnibox. Reported by
+ WenXu Wu of Tencent's Xuanwu Lab on 2017-08-18</li>
+ <li>[768910] Low CVE-2017-15427: Insufficient blocking of Javascript in Omnibox.
+ Reported by Junaid Farhan on 2017-09-26</li>
+ <li>[792099] Various fixes from internal audits, fuzzing and other initiatives</li>
+ </ul>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-15407</cvename>
+ <cvename>CVE-2017-15408</cvename>
+ <cvename>CVE-2017-15409</cvename>
+ <cvename>CVE-2017-15410</cvename>
+ <cvename>CVE-2017-15411</cvename>
+ <cvename>CVE-2017-15412</cvename>
+ <cvename>CVE-2017-15413</cvename>
+ <cvename>CVE-2017-15415</cvename>
+ <cvename>CVE-2017-15416</cvename>
+ <cvename>CVE-2017-15417</cvename>
+ <cvename>CVE-2017-15418</cvename>
+ <cvename>CVE-2017-15419</cvename>
+ <cvename>CVE-2017-15420</cvename>
+ <cvename>CVE-2017-15422</cvename>
+ <cvename>CVE-2017-15430</cvename>
+ <cvename>CVE-2017-15423</cvename>
+ <cvename>CVE-2017-15424</cvename>
+ <cvename>CVE-2017-15425</cvename>
+ <cvename>CVE-2017-15426</cvename>
+ <cvename>CVE-2017-15427</cvename>
+ <url>https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html</url>
+ </references>
+ <dates>
+ <discovery>2017-12-06</discovery>
+ <entry>2018-01-23</entry>
+ </dates>
+ </vuln>
+
<vuln vid="82894193-ffd4-11e7-8b91-e8e0b747a45a">
<topic>chromium -- out of bounds read</topic>
<affects>
More information about the svn-ports-all
mailing list