Release notes: http://googlechromereleases.blogspot.com/2012/03/chrome-stable-channel-update.html
Please test and mark stable =www-client/chromium-17.0.963.78
Sorry for two stabilizations in short time frame. Blame Pwn2Own etc.
I also bumped v8.
To the best of my knowledge this was not a security fix, so stabilization of dev-lang/v8-220.127.116.11 is OPTIONAL.
The extension subsystem in Google Chrome before 17.0.963.78 does not
properly handle history navigation, which allows remote attackers to execute
arbitrary code by leveraging a "Universal XSS (UXSS)" issue.
(In reply to comment #1)
> Please test and mark stable =www-client/chromium-17.0.963.78
> Sorry for two stabilizations in short time frame. Blame Pwn2Own etc.
no problem, is not your fault.
Please keyword both for amd64, I have not cvs access atm.
(In reply to comment #4)
> Please keyword both for amd64, I have not cvs access atm.
Archtested on x86: Everything OK.
- Compiled www-client/chromium-17.0.963.78 with various use flags successfully.
- Package test phase passed.
- Ran several additional frontend and backend test cases from:
- Used www-client/chromium-17.0.963.78 for everyday browsing (and writing this comment).
Note: This was with the current stable v8 (dev-lang/v8-18.104.22.168), not with the version mentioned in comment #2.
Thanks for testing, Dan.
A new vulnerability has since been discovered. See bug 407755.
Stabilization is now handled in bug #407755 . GLSA draft updated.
This issue was resolved and addressed in
GLSA 201203-19 at http://security.gentoo.org/glsa/glsa-201203-19.xml
by GLSA coordinator Tim Sammut (underling).