[arch-security] [ASA-201502-5] chromium: multiple issues
Arch Linux Security Advisory ASA-201502-5
=========================================

Severity: High
Date    : 2015-02-06
CVE-ID  : CVE-2015-1209 CVE-2015-1210 CVE-2015-1211 CVE-2015-1212
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package chromium before version 40.0.2214.111-1 is vulnerable to
multiple issues, including but not limited to privilege escalation,
cross-origin bypass and arbitrary code execution.

Resolution
==========

Upgrade to 40.0.2214.111-1.

# pacman -Syu "chromium>=40.0.2214.111-1"

The problem has been fixed upstream in version 40.0.2214.111.

Workaround
==========

None.

Description
===========

- CVE-2015-1209 (use-after-free)

Use-after-free in DOM, possibly leading to arbitrary code execution.
Credit to Maksymillian Motyl.

- CVE-2015-1210 (cross-origin bypass)

Cross-origin-bypass in V8 bindings allows an attacker to bypass the
same-origin policy.

- CVE-2015-1211 (privilege escalation)

Privilege escalation using service workers.

- CVE-2015-1212

Various fixes from internal audits, fuzzing and other initiatives,
fixing unspecified vulnerabilities not disclosed by upstream.

Impact
======

A remote attacker is able to bypass the same-origin policy, escalate
privileges or execute arbitrary code.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1209
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1210
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1211
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1212
http://googlechromereleases.blogspot.fr/2015/02/stable-channel-update.html

participants (1): Remi Gacogne