author | rene <rene@FreeBSD.org> | 2016-05-28 18:14:12 +0800 |
---|---|---|
committer | rene <rene@FreeBSD.org> | 2016-05-28 18:14:12 +0800 |
commit | 07f25904174602ca949a072cd25d6854dc3e3db7 (patch) | |
tree | 086bcdc10712045b1f6ccaabb05afe58f5b0b55a /security | |
parent | b89bf1f623cef4db839798678495e1a292787add (diff) | |
Document vulnerabilities in www/chromium:
< 50.0.2661.94
< 50.0.2661.102
< 51.0.2704.63
Obtained from: http://googlechromereleases.blogspot.nl/
Diffstat (limited to 'security')
-rw-r--r-- | security/vuxml/vuln.xml | 195 |
1 files changed, 195 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index ed032298eeb9..705039fd4eb7 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -58,6 +58,201 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="1a6bbb95-24b8-11e6-bd31-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> + <package> + <name>chromium</name> + <name>chromium-npapi</name> + <name>chromium-pulse</name> + <range><lt>51.0.2704.63</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google Chrome Releases reports:</p> + <blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html"> + <p>42 security fixes in this release, including:</p> + <ul> + <li>[590118] High CVE-2016-1672: Cross-origin bypass in extension + bindings. Credit to Mariusz Mlynski.</li> + <li>[597532] High CVE-2016-1673: Cross-origin bypass in Blink. + Credit to Mariusz Mlynski.</li> + <li>[598165] High CVE-2016-1674: Cross-origin bypass in extensions.i + Credit to Mariusz Mlynski.</li> + <li>[600182] High CVE-2016-1675: Cross-origin bypass in Blink. + Credit to Mariusz Mlynski.</li> + <li>[604901] High CVE-2016-1676: Cross-origin bypass in extension + bindings. Credit to Rob Wu.</li> + <li>[602970] Medium CVE-2016-1677: Type confusion in V8. Credit to + Guang Gong of Qihoo 360.</li> + <li>[595259] High CVE-2016-1678: Heap overflow in V8. Credit to + Christian Holler.</li> + <li>[606390] High CVE-2016-1679: Heap use-after-free in V8 + bindings. Credit to Rob Wu.</li> + <li>[589848] High CVE-2016-1680: Heap use-after-free in Skia. + Credit to Atte Kettunen of OUSPG.</li> + <li>[613160] High CVE-2016-1681: Heap overflow in PDFium. Credit to + Aleksandar Nikolic of Cisco Talos.</li> + <li>[579801] Medium CVE-2016-1682: CSP bypass for ServiceWorker. + Credit to KingstonTime.</li> + <li>[583156] Medium CVE-2016-1683: Out-of-bounds access in libxslt. + Credit to Nicolas Gregoire.</li> + <li>[583171] Medium CVE-2016-1684: Integer overflow in libxslt. 
+ Credit to Nicolas Gregoire.</li> + <li>[601362] Medium CVE-2016-1685: Out-of-bounds read in PDFium. + Credit to Ke Liu of Tencent's Xuanwu LAB.</li> + <li>[603518] Medium CVE-2016-1686: Out-of-bounds read in PDFium. + Credit to Ke Liu of Tencent's Xuanwu LAB.</li> + <li>[603748] Medium CVE-2016-1687: Information leak in extensions. + Credit to Rob Wu.</li> + <li>[604897] Medium CVE-2016-1688: Out-of-bounds read in V8. + Credit to Max Korenko.</li> + <li>[606185] Medium CVE-2016-1689: Heap buffer overflow in media. + Credit to Atte Kettunen of OUSPG.</li> + <li>[608100] Medium CVE-2016-1690: Heap use-after-free in Autofill. + Credit to Rob Wu.</li> + <li>[597926] Low CVE-2016-1691: Heap buffer-overflow in Skia. + Credit to Atte Kettunen of OUSPG.</li> + <li>[598077] Low CVE-2016-1692: Limited cross-origin bypass in + ServiceWorker. Credit to Til Jasper Ullrich.</li> + <li>[598752] Low CVE-2016-1693: HTTP Download of Software Removal + Tool. Credit to Khalil Zhani.</li> + <li>[603682] Low CVE-2016-1694: HPKP pins removed on cache + clearance. 
Credit to Ryan Lester and Bryant Zadegan.</li> + <li>[614767] CVE-2016-1695: Various fixes from internal audits, + fuzzing and other initiatives.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1672</cvename> + <cvename>CVE-2016-1673</cvename> + <cvename>CVE-2016-1674</cvename> + <cvename>CVE-2016-1675</cvename> + <cvename>CVE-2016-1672</cvename> + <cvename>CVE-2016-1677</cvename> + <cvename>CVE-2016-1678</cvename> + <cvename>CVE-2016-1679</cvename> + <cvename>CVE-2016-1680</cvename> + <cvename>CVE-2016-1681</cvename> + <cvename>CVE-2016-1682</cvename> + <cvename>CVE-2016-1683</cvename> + <cvename>CVE-2016-1684</cvename> + <cvename>CVE-2016-1685</cvename> + <cvename>CVE-2016-1686</cvename> + <cvename>CVE-2016-1687</cvename> + <cvename>CVE-2016-1688</cvename> + <cvename>CVE-2016-1689</cvename> + <cvename>CVE-2016-1690</cvename> + <cvename>CVE-2016-1691</cvename> + <cvename>CVE-2016-1692</cvename> + <cvename>CVE-2016-1693</cvename> + <cvename>CVE-2016-1694</cvename> + <cvename>CVE-2016-1695</cvename> + <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update_25.html</url> + </references> + <dates> + <discovery>2016-05-25</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + + <vuln vid="4dfafa16-24ba-11e6-bd31-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerabilities</topic> + <affects> + <package> + <name>chromium</name> + <name>chromium-npapi</name> + <name>chromium-pulse</name> + <range><lt>50.0.2661.102</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google Chrome Releases reports:</p> + <blockquote cite="http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html"> + <p>5 security fixes in this release, including:</p> + <ul> + <li>[605766] High CVE-2016-1667: Same origin bypass in DOM. Credit + to Mariusz Mlynski.</li> + <li>[605910] High CVE-2016-1668: Same origin bypass in Blink V8 + bindings. 
Credit to Mariusz Mlynski.</li> + <li>[606115] High CVE-2016-1669: Buffer overflow in V8. Credit to + Choongwoo Han.</li> + <li>[578882] Medium CVE-2016-1670: Race condition in loader. Credit + to anonymous.</li> + <li>[586657] Medium CVE-2016-1671: Directory traversal using the + file scheme on Android. Credit to Jann Horn.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1667</cvename> + <cvename>CVE-2016-1668</cvename> + <cvename>CVE-2016-1669</cvename> + <cvename>CVE-2016-1670</cvename> + <cvename>CVE-2016-1671</cvename> + <url>http://googlechromereleases.blogspot.nl/2016/05/stable-channel-update.html</url> + </references> + <dates> + <discovery>2016-05-11</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + + <vuln vid="7da1da96-24bb-11e6-bd31-3065ec8fd3ec"> + <topic>chromium -- multiple vulnerablities</topic> + <affects> + <package> + <name>chromium</name> + <name>chromium-npapi</name> + <name>chromium-pulse</name> + <range><lt>50.0.2661.94</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Google Chrome Releases reports:</p> + <blockquote cite="http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html"> + <p>9 security fixes in this release, including:</p> + <ul> + <li>[574802] High CVE-2016-1660: Out-of-bounds write in Blink. + Credit to Atte Kettunen of OUSPG.</li> + <li>[601629] High CVE-2016-1661: Memory corruption in cross-process + frames. Credit to Wadih Matar.</li> + <li>[603732] High CVE-2016-1662: Use-after-free in extensions. + Credit to Rob Wu.</li> + <li>[603987] High CVE-2016-1663: Use-after-free in Blink's V8 + bindings. Credit to anonymous.</li> + <li>[597322] Medium CVE-2016-1664: Address bar spoofing. Credit to + Wadih Matar.</li> + <li>[606181] Medium CVE-2016-1665: Information leak in V8. 
Credit + to HyungSeok Han.</li> + <li>[607652] CVE-2016-1666: Various fixes from internal audits, + fuzzing and other initiatives.</li> + </ul> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2016-1660</cvename> + <cvename>CVE-2016-1661</cvename> + <cvename>CVE-2016-1662</cvename> + <cvename>CVE-2016-1663</cvename> + <cvename>CVE-2016-1664</cvename> + <cvename>CVE-2016-1665</cvename> + <cvename>CVE-2016-1666</cvename> + <url>http://googlechromereleases.blogspot.nl/2016/04/stable-channel-update_28.html</url> + </references> + <dates> + <discovery>2016-04-28</discovery> + <entry>2016-05-28</entry> + </dates> + </vuln> + <vuln vid="6b110175-246d-11e6-8dd3-002590263bf5"> <topic>php -- multiple vulnerabilities</topic> <affects> |
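Review bot: In the `<references>` block of the first entry (vid 1a6bbb95-24b8-11e6-bd31-3065ec8fd3ec), `<cvename>CVE-2016-1672</cvename>` appears twice and CVE-2016-1676 is missing, although the description lists CVE-2016-1676 (bug 604901, cross-origin bypass in extension bindings). The second occurrence, between CVE-2016-1675 and CVE-2016-1677, should read `<cvename>CVE-2016-1676</cvename>`; otherwise anything that matches on the cvename references will not find this entry for that CVE. Two smaller text fixes in the same hunk: the CVE-2016-1674 item ends "Cross-origin bypass in extensions.i" with a stray "i" after the period, and the topic of the third entry (vid 7da1da96-24bb-11e6-bd31-3065ec8fd3ec) is spelled "vulnerablities" where the other two entries have "vulnerabilities".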