From ${URL} :

The stable channel has been updated to 50.0.2661.94 for Windows, Mac, and Linux.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 9 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$3000][574802] High CVE-2016-1660: Out-of-bounds write in Blink. Credit to Atte Kettunen of OUSPG.
[$3000][601629] High CVE-2016-1661: Memory corruption in cross-process frames. Credit to Wadih Matar.
[$3000][603732] High CVE-2016-1662: Use-after-free in extensions. Credit to Rob Wu.
[$3000][603987] High CVE-2016-1663: Use-after-free in Blink’s V8 bindings. Credit to anonymous.
[$1000][597322] Medium CVE-2016-1664: Address bar spoofing. Credit to Wadih Matar.
[$1000][606181] Medium CVE-2016-1665: Information leak in V8. Credit to gksgudtjr456.

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

As usual, our ongoing internal security work was responsible for a wide range of fixes:

[607652] CVE-2016-1666: Various fixes from internal audits, fuzzing and other initiatives.

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
I committed 50.0.2661.94. Feel free to stabilize it.
(In reply to Mike Gilbert from comment #1)
> I committed 50.0.2661.94. Feel free to stabilize it.

Either the manifest or the distfile propagated with errors to mirrors (I tried several before reporting the issue). This perhaps deserves a separate bug report, but I would like to make you aware of the issue.

>>> Fetching (1 of 1) www-client/chromium-50.0.2661.94::gentoo
>>> Downloading 'http://mirror.yandex.ru/gentoo-distfiles/distfiles/chromium-50.0.2661.94.tar.xz'
--2016-05-02 16:51:08-- http://mirror.yandex.ru/gentoo-distfiles/distfiles/chromium-50.0.2661.94.tar.xz
Resolving mirror.yandex.ru (mirror.yandex.ru)... 213.180.204.183
Connecting to mirror.yandex.ru (mirror.yandex.ru)|213.180.204.183|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 531491584 (507M) [application/octet-stream]
Saving to: ‘/scratch/portage/distfiles/chromium-50.0.2661.94.tar.xz’

/scratch/portage/distfiles/chromium-50.0.2661.94 100%[==========================================================================================================>] 506.87M 6.78MB/s in 86s

2016-05-02 16:52:34 (5.91 MB/s) - ‘/scratch/portage/distfiles/chromium-50.0.2661.94.tar.xz’ saved [531491584/531491584]

!!! Fetched file: chromium-50.0.2661.94.tar.xz VERIFY FAILED!
!!! Reason: Failed on SHA256 verification
!!! Got: 85549f4f044bcb3f67f30c7726cfce4485dfb263651a577791549319ea0a0af2
!!! Expected: 66f0516b076d42b3f00a5fa4ebf31304cb98973179b1cb2fecda8e0b186dba19

and so on.
The current Manifest entry is correct, and I had no problem downloading the file from distfiles.gentoo.org.
Adding archs.
The targeted version is stable. Do we need to do something? I had no problem downloading from distfiles.gentoo.org either.
(In reply to Agostino Sarubbo from comment #5)
> The targeted version is stable. Do we need to do something?
>
> I had no problem downloading from distfiles.gentoo.org either.

Someone created bug #581924 after my comment #2 here. There is (or was) an error in propagating the distfile across mirrors, and the corruption seems to be different across different distfiles mirrors. I downloaded the distfile from Google and it passed checksum checks. Any mirrors I tried yesterday (quite many) returned broken files.
(In reply to Agostino Sarubbo from comment #5)
> The targeted version is stable. Do we need to do something?

There was no comment on the bug, so I did not realize you had stabilized it.
Cleanup is done.
Arches and Maintainer(s), Thank you for your work.
This issue was resolved and addressed in GLSA 201605-02 at https://security.gentoo.org/glsa/201605-02 by GLSA coordinator Yury German (BlueKnight).