Release notes: http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-update.html
Please test and mark stable =www-client/chromium-17.0.963.78 Sorry for two stabilizations in short time frame. Blame Pwn2Own etc.
I also bumped v8. To the best of my knowledge this was not a security fix, so stabilization of dev-lang/v8-3.7.12.29 is OPTIONAL.
CVE-2011-3046 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3046): The extension subsystem in Google Chrome before 17.0.963.78 does not properly handle history navigation, which allows remote attackers to execute arbitrary code by leveraging a "Universal XSS (UXSS)" issue.
(In reply to comment #1) > Please test and mark stable =www-client/chromium-17.0.963.78 > > Sorry for two stabilizations in short time frame. Blame Pwn2Own etc. no problem, is not your fault. Please keyword both for amd64, I have not cvs access atm.
(In reply to comment #4) > Please keyword both for amd64, I have not cvs access atm. Done.
Archtested on x86: Everything OK. - Compiled www-client/chromium-17.0.963.78 with various use flags successfully. - Package test phase passed. - Ran several additional frontend and backend test cases from: http://www.chromium.org/for-testers - Used www-client/chromium-17.0.963.78 for everyday browsing (and writing this comment). Note: This was with the current stable v8 (dev-lang/v8-3.7.12.28), not with the version mentioned in comment #2.
Thanks for testing, Dan. A new vulnerability has since been discovered. See bug 407755.
Stabilization is now handled in bug #407755 . GLSA draft updated.
This issue was resolved and addressed in GLSA 201203-19 at http://security.gentoo.org/glsa/glsa-201203-19.xml by GLSA coordinator Tim Sammut (underling).
