Summary: | <www-client/chromium-50.0.2661.94: multiple vulnerabilities {CVE-2016-(1660,1661,1662,1663,1664,1665,1666)} | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | chromium, phmagic |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://googlechromereleases.blogspot.fr/2016/04/stable-channel-update_28.html | ||
Whiteboard: | A2 [glsa cve] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2016-04-29 11:25:38 UTC
I committed 50.0.2661.94. Feel free to stabilize it. (In reply to Mike Gilbert from comment #1) > I committed 50.0.2661.94. Feel free to stabilize it. Either manifest or distfile propagated with errors to mirrors (I tried several before reporting the issue). This is perhaps deserves a separate bug report but I would like to make you aware about the issue. >>> Fetching (1 of 1) www-client/chromium-50.0.2661.94::gentoo >>> Downloading 'http://mirror.yandex.ru/gentoo-distfiles/distfiles/chromium-50.0.2661.94.tar.xz' --2016-05-02 16:51:08-- http://mirror.yandex.ru/gentoo-distfiles/distfiles/chromium-50.0.2661.94.tar.xz Resolving mirror.yandex.ru (mirror.yandex.ru)... 213.180.204.183 Connecting to mirror.yandex.ru (mirror.yandex.ru)|213.180.204.183|:80... connected. HTTP request sent, awaiting response... 200 OK Length: 531491584 (507M) [application/octet-stream] Saving to: ‘/scratch/portage/distfiles/chromium-50.0.2661.94.tar.xz’ /scratch/portage/distfiles/chromium-50.0.2661.94 100%[==========================================================================================================>] 506.87M 6.78MB/s in 86s 2016-05-02 16:52:34 (5.91 MB/s) - ‘/scratch/portage/distfiles/chromium-50.0.2661.94.tar.xz’ saved [531491584/531491584] !!! Fetched file: chromium-50.0.2661.94.tar.xz VERIFY FAILED! !!! Reason: Failed on SHA256 verification !!! Got: 85549f4f044bcb3f67f30c7726cfce4485dfb263651a577791549319ea0a0af2 !!! Expected: 66f0516b076d42b3f00a5fa4ebf31304cb98973179b1cb2fecda8e0b186dba19 and so on. The current Manifest entry is correct, and I had not problem downloading the file from distfiles.gentoo.org. Adding archs. the targeted version is stable. Do we need to do something? I had not problem too to download from distfiles.gentoo.org. (In reply to Agostino Sarubbo from comment #5) > the targeted version is stable. Do we need to do something? > > I had not problem too to download from distfiles.gentoo.org. Someone created bug #581924 after my comment #2 here. There is (or was) error in propagating the distfile across mirrors, and the corruption seems to be different across different distfiles mirrors. I downloaded the distfile from google and it passed checksum checks. Any mirrors I tried yesterday (quite many) returned broken files. (In reply to Agostino Sarubbo from comment #5) > the targeted version is stable. Do we need to do something? There was no comment on the bug, so I did not realize you had stabilized it. Cleanup is done. Arches and Maintainer(s), Thank you for your work. This issue was resolved and addressed in GLSA 201605-02 at https://security.gentoo.org/glsa/201605-02 by GLSA coordinator Yury German (BlueKnight). |