Debian DSA-3238-1 : chromium-browser - security update

high Nessus Plugin ID 83120

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities were discovered in the chromium web browser.

- CVE-2015-1235 A Same Origin Policy bypass issue was discovered in the HTML parser.

- CVE-2015-1236 Amitay Dobo discovered a Same Origin Policy bypass in the Web Audio API.

- CVE-2015-1237 Khalil Zhani discovered a use-after-free issue in IPC.

- CVE-2015-1238 'cloudfuzzer' discovered an out-of-bounds write in the skia library.

- CVE-2015-1240 'w3bd3vil' discovered an out-of-bounds read in the WebGL implementation.

- CVE-2015-1241 Phillip Moon and Matt Weston discovered a way to trigger local user interface actions remotely via a crafted website.

- CVE-2015-1242 A type confusion issue was discovered in the v8 JavaScript library.

- CVE-2015-1244 Mike Ruddy discovered a way to bypass the HTTP Strict Transport Security policy.

- CVE-2015-1245 Khalil Zhani discovered a use-after-free issue in the pdfium library.

- CVE-2015-1246 Atte Kettunen discovered an out-of-bounds read issue in webkit/blink.

- CVE-2015-1247 Jann Horn discovered that 'file:' URLs in OpenSearch documents were not sanitized, which could allow local files to be read remotely when using the OpenSearch feature from a crafted website.

- CVE-2015-1248 Vittorio Gambaletta discovered a way to bypass the SafeBrowsing feature, which could allow the remote execution of a downloaded executable file.

- CVE-2015-1249 The chrome 41 development team found various issues from internal fuzzing, audits, and other studies.

- CVE-2015-3333 Multiple issues were discovered and fixed in v8 4.2.7.14.

- CVE-2015-3334 It was discovered that remote websites could capture video data from attached web cameras without permission.

- CVE-2015-3336 It was discovered that remote websites could cause user interface disruptions like window fullscreening and mouse pointer locking.

Solution

Upgrade the chromium-browser packages.

For the stable distribution (jessie), these problems have been fixed in version 42.0.2311.90-1~deb8u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2015-1235

https://security-tracker.debian.org/tracker/CVE-2015-1236

https://security-tracker.debian.org/tracker/CVE-2015-1237

https://security-tracker.debian.org/tracker/CVE-2015-1238

https://security-tracker.debian.org/tracker/CVE-2015-1240

https://security-tracker.debian.org/tracker/CVE-2015-1241

https://security-tracker.debian.org/tracker/CVE-2015-1242

https://security-tracker.debian.org/tracker/CVE-2015-1244

https://security-tracker.debian.org/tracker/CVE-2015-1245

https://security-tracker.debian.org/tracker/CVE-2015-1246

https://security-tracker.debian.org/tracker/CVE-2015-1247

https://security-tracker.debian.org/tracker/CVE-2015-1248

https://security-tracker.debian.org/tracker/CVE-2015-1249

https://security-tracker.debian.org/tracker/CVE-2015-3333

https://security-tracker.debian.org/tracker/CVE-2015-3334

https://security-tracker.debian.org/tracker/CVE-2015-3336

https://packages.debian.org/source/jessie/chromium-browser

https://www.debian.org/security/2015/dsa-3238

Plugin Details

Severity: High

ID: 83120

File Name: debian_DSA-3238.nasl

Version: 2.14

Type: local

Agent: unix

Published: 4/29/2015

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:8.0, p-cpe:/a:debian:debian_linux:chromium-browser

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 4/26/2015

Vulnerability Publication Date: 4/19/2015

Reference Information

CVE: CVE-2015-1235, CVE-2015-1236, CVE-2015-1237, CVE-2015-1238, CVE-2015-1240, CVE-2015-1241, CVE-2015-1242, CVE-2015-1244, CVE-2015-1245, CVE-2015-1246, CVE-2015-1247, CVE-2015-1248, CVE-2015-1249, CVE-2015-3333, CVE-2015-3334, CVE-2015-3336

BID: 74165, 74167, 74221, 74225, 74227

DSA: 3238