Comment 1 Agostino Sarubbo 2013-05-23 17:39:30 UTC

Which v8 version we need to stabilize?

Comment 2 Mike Gilbert 2013-05-23 17:50:15 UTC

Lets do v8-3.17.16.2.

Comment 3 Mike Gilbert 2013-05-23 17:57:46 UTC

Actually, phajdan says he is bumping v8, so use what he says.

Comment 4 Paweł Hajdan, Jr. (RETIRED) 2013-05-23 20:19:07 UTC

(In reply to comment #3)
> Actually, phajdan says he is bumping v8, so use what he says.

Thanks for asking and waiting. Please do v8-3.17.6.14 .

It's deliberately lower version number than existing ~arch ebuilds, and that's what omahaproxy.appspot.com says Google used for Chrome 27.0.1453.93 .

Comment 5 Agostino Sarubbo 2013-05-23 21:20:18 UTC

(In reply to comment #4)
> (In reply to comment #3)
> > Actually, phajdan says he is bumping v8, so use what he says.
> 
> Thanks for asking and waiting. Please do v8-3.17.6.14 .
> 
> It's deliberately lower version number than existing ~arch ebuilds, and
> that's what omahaproxy.appspot.com says Google used for Chrome 27.0.1453.93 .

It needs =media-video/ffmpeg-1.0.7 what we should do?

Comment 6 Mike Gilbert 2013-05-23 21:55:59 UTC

(In reply to comment #5)
> It needs =media-video/ffmpeg-1.0.7 what we should do?

Hmm... I wonder why repoman doesn't catch that.

Comment 7 Mike Gilbert 2013-05-23 21:58:49 UTC

Oh, the www-cliennt/chromium[system-ffmpeg] use flag is stable-masked. So no, ffmpeg-1.0.7 is NOT required.

Comment 8 Richard Freeman 2013-05-27 13:08:31 UTC

(In reply to Mike Gilbert from comment #2)
> Lets do v8-3.17.16.2.

That version is no longer in portage.

Comment 9 Mike Gilbert 2013-05-27 16:20:50 UTC

(In reply to Richard Freeman from comment #8)
> That version is no longer in portage.

Please see comment 3 and comment 4. :)

Comment 10 Richard Freeman 2013-05-31 09:39:41 UTC

I didn't see any comment here, but this is stabilized on all platforms.

The security team can wrap this up.

Comment 11 Sergey Popov 2013-08-22 08:29:21 UTC

Thanks for your work

Added to existing GLSA request

Comment 12 GLSAMaker/CVETool Bot 2013-08-27 17:03:56 UTC

CVE-2013-2849 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2849):
  Multiple cross-site scripting (XSS) vulnerabilities in Google Chrome before
  27.0.1453.93 allow user-assisted remote attackers to inject arbitrary web
  script or HTML via vectors involving a (1) drag-and-drop or (2)
  copy-and-paste operation.

CVE-2013-2847 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2847):
  Race condition in the workers implementation in Google Chrome before
  27.0.1453.93 allows remote attackers to cause a denial of service
  (use-after-free and application crash) or possibly have unspecified other
  impact via unknown vectors.

CVE-2013-2846 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2846):
  Use-after-free vulnerability in the media loader in Google Chrome before
  27.0.1453.93 allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via unknown vectors, a different
  vulnerability than CVE-2013-2840.

CVE-2013-2845 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2845):
  The Web Audio implementation in Google Chrome before 27.0.1453.93 allows
  remote attackers to cause a denial of service (memory corruption) or
  possibly have unspecified other impact via unknown vectors.

CVE-2013-2844 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2844):
  Use-after-free vulnerability in the Cascading Style Sheets (CSS)
  implementation in Google Chrome before 27.0.1453.93 allows remote attackers
  to cause a denial of service or possibly have unspecified other impact via
  vectors related to style resolution.

CVE-2013-2843 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2843):
  Use-after-free vulnerability in Google Chrome before 27.0.1453.93 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to the handling of speech data.

CVE-2013-2842 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2842):
  Use-after-free vulnerability in Google Chrome before 27.0.1453.93 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to the handling of widgets.

CVE-2013-2841 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2841):
  Use-after-free vulnerability in Google Chrome before 27.0.1453.93 allows
  remote attackers to cause a denial of service or possibly have unspecified
  other impact via vectors related to the handling of Pepper resources.

CVE-2013-2840 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2840):
  Use-after-free vulnerability in the media loader in Google Chrome before
  27.0.1453.93 allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via unknown vectors, a different
  vulnerability than CVE-2013-2846.

CVE-2013-2839 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2839):
  Google Chrome before 27.0.1453.93 does not properly perform a cast of an
  unspecified variable during handling of clipboard data, which allows remote
  attackers to cause a denial of service or possibly have other impact via
  unknown vectors.

CVE-2013-2838 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2838):
  Google V8, as used in Google Chrome before 27.0.1453.93, allows remote
  attackers to cause a denial of service (out-of-bounds read) via unspecified
  vectors.

CVE-2013-2837 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2837):
  Use-after-free vulnerability in the SVG implementation in Google Chrome
  before 27.0.1453.93 allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via unknown vectors.

CVE-2013-2836 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2836):
  Multiple unspecified vulnerabilities in Google Chrome before 27.0.1453.93
  allow attackers to cause a denial of service or possibly have other impact
  via unknown vectors.

Comment 13 GLSAMaker/CVETool Bot 2013-09-25 00:10:47 UTC

This issue was resolved and addressed in
 GLSA 201309-16 at http://security.gentoo.org/glsa/glsa-201309-16.xml
by GLSA coordinator Sean Amoss (ackle).