Summary: | <www-client/chromium-36.0.1985.125: Multiple Vulnerabilities (CVE-2014-{3160,3162}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | chromium |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://secunia.com/advisories/60077/ | ||
Whiteboard: | A2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-07-17 08:42:33 UTC
+*chromium-36.0.1985.125 (18 Jul 2014) + + 18 Jul 2014; Mike Gilbert <floppym@gentoo.org> +chromium-36.0.1985.125.ebuild: + Stable channel bump. + Please go ahead and stabilize it. x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one. Arches, Thank you for your work Maintainer(s), please drop the vulnerable version(s). Added to existing GLSA Request Mike, Setting it back to cleanup. chromium-36.0.1985.67 is still in tree, and it is not masked (only chromium-37* is masked). Since it is vulnerable it would have to be removed as well. If there are reasons why it still needs to be in the tree, please advise. Thank you! I was going by ago's commit message. It looks like he missed it. I'm working on another version bump right now, but I'll clean it up once that's done. CVE-2014-3162 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3162): Multiple unspecified vulnerabilities in Google Chrome before 36.0.1985.125 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. CVE-2014-3160 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3160): The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a crafted file. This issue was resolved and addressed in GLSA 201408-16 at http://security.gentoo.org/glsa/glsa-201408-16.xml by GLSA coordinator Kristian Fiskerstrand (K_F). |