From ${URL} :

The stable channel has been updated to 43.0.2357.130 for Windows, Mac, and Linux. A partial list of changes is available in the log.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

Below, we highlight 4 fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$5000][464922] High CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous.
[TBD][494640] High CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
[TBD][497507] Medium CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous.
[TBD][461481] Medium CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to Mike Ruddy.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Please stabilize: =www-client/chromium-43.0.2357.130
amd64 stable
x86 stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
New GLSA request filed
CVE-2015-1269 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1269): The DecodeHSTSPreloadRaw function in net/http/transport_security_state.cc in Google Chrome before 43.0.2357.130 does not properly canonicalize DNS hostnames before making comparisons to HSTS or HPKP preload entries, which allows remote attackers to bypass intended access restrictions via a string that (1) ends in a . (dot) character or (2) is not entirely lowercase.

CVE-2015-1268 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1268): bindings/scripts/v8_types.py in Blink, as used in Google Chrome before 43.0.2357.130, does not properly select a creation context for a return value's DOM wrapper, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code, as demonstrated by use of a data: URL.

CVE-2015-1267 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1267): Blink, as used in Google Chrome before 43.0.2357.130, does not properly restrict the creation context during creation of a DOM wrapper, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that uses a Blink public API, related to WebArrayBufferConverter.cpp, WebBlob.cpp, WebDOMError.cpp, and WebDOMFileSystem.cpp.

CVE-2015-1266 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1266): content/browser/webui/content_web_ui_controller_factory.cc in Google Chrome before 43.0.2357.130 does not properly consider the scheme in determining whether a URL is associated with a WebUI SiteInstance, which allows remote attackers to bypass intended access restrictions via a similar URL, as demonstrated by use of http://gpu when there is a WebUI class for handling chrome://gpu requests.
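The two lookup bugs above (CVE-2015-1269, hostname comparison against the HSTS/HPKP preload list without canonicalization; CVE-2015-1266, a WebUI check that ignored the URL scheme) share one shape: the identifier is compared before it is reduced to its canonical form, or only part of it is compared. The following is an added example written for this bug, not Chromium's or Gentoo's code; it models each check in a vulnerable and a fixed form. PRELOAD and WEBUI_HOSTS are constructed sample tables, and the canonicalizer skips IDNA handling that a real one would apply first.

```python
"""Added example, not Gentoo or Chromium code: simplified models of the two
lookups fixed in Chrome 43.0.2357.130 (CVE-2015-1269 and CVE-2015-1266),
each in a vulnerable and a fixed form.  PRELOAD and WEBUI_HOSTS are
constructed sample tables.
"""
from urllib.parse import urlsplit

# Constructed sample preload entries (Chromium ships thousands, in a
# compressed trie).  include_subdomains mirrors the preload list's flag.
PRELOAD = {
    "example.com": {"include_subdomains": True},
    "login.example.net": {"include_subdomains": False},
}

# Constructed sample of hosts that have a WebUI handler (chrome://gpu etc.).
WEBUI_HOSTS = {"gpu", "version"}


def canonicalize_host(host: str) -> str:
    """Reduce a DNS name to the form stored in the preload table.

    DNS names are case-insensitive, and the absolute form "example.com."
    names the same host as "example.com", so both must hit the same entry.
    IDNA/punycode conversion is omitted here (assumption: it was applied
    earlier, as Chromium's URL canonicalizer does).
    """
    host = host.lower()
    if host.endswith("."):
        host = host[:-1]
    return host


def _preload_lookup(host: str):
    """Walk from the exact host up through its parents and return the entry
    name that covers `host`, or None.  A parent entry only counts when its
    include_subdomains flag is set."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = PRELOAD.get(candidate)
        if entry is None:
            continue
        if i == 0 or entry["include_subdomains"]:
            return candidate
    return None


def preload_match_vulnerable(host: str):
    """Pre-fix shape: the raw string is compared, so "EXAMPLE.COM" and
    "example.com." miss the entry and get no HSTS/HPKP protection."""
    return _preload_lookup(host)


def preload_match_fixed(host: str):
    """Fixed shape: canonicalize first, then compare."""
    return _preload_lookup(canonicalize_host(host))


def is_webui_vulnerable(url: str) -> bool:
    """Pre-fix shape of the CVE-2015-1266 check: only the host is examined,
    so the web-reachable http://gpu is classed with the privileged
    chrome://gpu."""
    return urlsplit(url).hostname in WEBUI_HOSTS


def is_webui_fixed(url: str) -> bool:
    """Fixed shape: scheme and host must both match."""
    parts = urlsplit(url)
    return parts.scheme == "chrome" and parts.hostname in WEBUI_HOSTS


if __name__ == "__main__":
    for h in ("example.com", "EXAMPLE.COM", "example.com.", "www.example.com."):
        print(f"{h:18} vulnerable={preload_match_vulnerable(h)!s:12} "
              f"fixed={preload_match_fixed(h)}")
    for u in ("chrome://gpu", "http://gpu", "http://gpu.example.com"):
        print(f"{u:24} vulnerable={is_webui_vulnerable(u)} "
              f"fixed={is_webui_fixed(u)}")
```

The vulnerable preload lookup returns None for "EXAMPLE.COM" and "example.com.", which is exactly the bypass: the connection is allowed to proceed without the preloaded HSTS upgrade or pin check, while the canonicalized lookup finds "example.com" for both. The WebUI check shows the same pattern from the other direction: dropping the scheme from the comparison widens the privileged set to any origin whose host happens to be a WebUI page name.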
This issue was resolved and addressed in GLSA 201507-18 at https://security.gentoo.org/glsa/201507-18 by GLSA coordinator Mikle Kolyada (Zlogene).