Comment 1 Mike Gilbert 2013-03-27 02:17:37 UTC

The following packages will need to be stabilized as dependencies.

=dev-lang/v8-3.16.14.9-r1
dev-libs/jsoncpp
dev-libs/re2
>=sci-geosciences/gpsd-3.7
>=media-libs/mesa-9.1

Comment 2 Mike Gilbert 2013-03-27 02:39:52 UTC

Ok, ebuild is in the tree. I'm not sure how to update the whiteboard while we are waiting for the dependencies to be stabilized.

Comment 3 Agostino Sarubbo 2013-03-27 10:54:17 UTC

Arches, please test and mark stable:
=www-client/chromium-26.0.1410.43
=dev-lang/v8-3.16.14.9-r1
=dev-libs/jsoncpp-0.5.0-r1
=dev-libs/re2-0_p20130115
Target keywords : "amd64 x86"

Comment 4 Mike Gilbert 2013-03-27 19:02:15 UTC

I have stable-masked www-client/chromium[gps] due to a regression in sci-geosciences/gpsd-3.7 that may cause a delay in stabilization.

Comment 5 Agostino Sarubbo 2013-04-01 13:22:55 UTC

(In reply to comment #4)
> I have stable-masked www-client/chromium[gps] due to a regression in
> sci-geosciences/gpsd-3.7 that may cause a delay in stabilization.

+  01 Apr 2013; Agostino Sarubbo <ago@gentoo.org> package.use.stable.mask:                                                                                                          
+  Revert www-client/chromium[gps] stable mask since now                                                                                                                            
+  =sci-geosciences/gpsd-3.7 is stable

Comment 6 Paweł Hajdan, Jr. (RETIRED) 2013-04-03 16:29:01 UTC

(In reply to comment #3)
> Arches, please test and mark stable:
> =www-client/chromium-26.0.1410.43
> =dev-lang/v8-3.16.14.9-r1
> =dev-libs/jsoncpp-0.5.0-r1
> =dev-libs/re2-0_p20130115
> Target keywords : "amd64 x86"

Let's go ahead with this. I removed dependency on mesa for chromium-26.x so we can do this security stabilization.

  03 Apr 2013; Pawel Hajdan jr
  -chromium-26.0.1410.33.ebuild, -chromium-26.0.1410.33-r1.ebuild,
  chromium-26.0.1410.43.ebuild:
  Remove dependency on mesa, bug #463430 . Remove old.

Comment 7 Agostino Sarubbo 2013-04-04 20:25:50 UTC

amd64 and x86 stable. Security, go ahead with the glsa

Comment 8 Sean Amoss (RETIRED) 2013-04-06 20:34:13 UTC

Added to - and updated - existing GLSA draft.

Comment 9 GLSAMaker/CVETool Bot 2013-04-11 16:51:05 UTC

CVE-2013-0926 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0926):
  Google Chrome before 26.0.1410.43 does not properly handle active content in
  an EMBED element during a copy-and-paste operation, which allows
  user-assisted remote attackers to have an unspecified impact via a crafted
  web site.

CVE-2013-0925 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0925):
  Google Chrome before 26.0.1410.43 does not ensure that an extension has the
  tabs (aka APIPermission::kTab) permission before providing a URL to this
  extension, which has unspecified impact and remote attack vectors.

CVE-2013-0924 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0924):
  The extension functionality in Google Chrome before 26.0.1410.43 does not
  verify that use of the permissions API is consistent with file permissions,
  which has unspecified impact and attack vectors.

CVE-2013-0923 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0923):
  The USB Apps API in Google Chrome before 26.0.1410.43 allows remote
  attackers to cause a denial of service (memory corruption) via unspecified
  vectors.

CVE-2013-0922 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0922):
  Google Chrome before 26.0.1410.43 does not properly restrict brute-force
  access attempts against web sites that require HTTP Basic Authentication,
  which has unspecified impact and attack vectors.

CVE-2013-0921 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0921):
  The Isolated Sites feature in Google Chrome before 26.0.1410.43 does not
  properly enforce the use of separate processes, which makes it easier for
  remote attackers to bypass intended access restrictions via a crafted web
  site.

CVE-2013-0920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0920):
  Use-after-free vulnerability in the extension bookmarks API in Google Chrome
  before 26.0.1410.43 allows remote attackers to cause a denial of service or
  possibly have unspecified other impact via unknown vectors.

CVE-2013-0919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0919):
  Use-after-free vulnerability in Google Chrome before 26.0.1410.43 on Linux
  allows remote attackers to cause a denial of service or possibly have
  unspecified other impact by leveraging the presence of an extension that
  creates a pop-up window.

CVE-2013-0918 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0918):
  Google Chrome before 26.0.1410.43 does not prevent navigation to developer
  tools in response to a drag-and-drop operation, which allows user-assisted
  remote attackers to have an unspecified impact via a crafted web site.

CVE-2013-0917 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0917):
  The URL loader in Google Chrome before 26.0.1410.43 allows remote attackers
  to cause a denial of service (out-of-bounds read) via unspecified vectors.

CVE-2013-0916 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0916):
  Use-after-free vulnerability in the Web Audio implementation in Google
  Chrome before 26.0.1410.43 allows remote attackers to cause a denial of
  service or possibly have unspecified other impact via unknown vectors.

Comment 10 GLSAMaker/CVETool Bot 2013-09-25 00:10:45 UTC

This issue was resolved and addressed in
 GLSA 201309-16 at http://security.gentoo.org/glsa/glsa-201309-16.xml
by GLSA coordinator Sean Amoss (ackle).