Security April 2019

security@lists.puri.sm

1 participants
1 discussions

Re: [Security] [Fwd: [SECURITY] [DSA 4404-1] chromium security update]
by Matthias Klumpp 03 Apr '19

03 Apr '19

Am Mi., 3. Apr. 2019 um 20:59 Uhr schrieb Jeremiah C. Foster <jeremiah.foster(a)puri.sm>: > > This security message from Debian I'm forwarding affects PureOS. I can > see in our repos that we have the fixed (and compromised) version. > https://repo.pureos.net/pureos/pool/main/c/chromium/ > > @Matthias -- is there some action we should take to remove the old > version? apt-cache policy is still saying the old, compromised version > of chromium will be installed; > > apt-cache policy chromium > chromium: > Installed: (none) > Candidate: 72.0.3626.109-1 > Version table: > 72.0.3626.109-1 500 > 500 https://repo.puri.sm/pureos green/main amd64 Packages > $ dak ls chromium chromium | 73.0.3683.75-1 | green | source, amd64, arm64 chromium | 73.0.3683.75-1 | landing | source, amd64, arm64 chromium | 73.0.3683.75-1 | purple | source, amd64, arm64 So, according to our archive (*the* authoritative source for questions of which package version is where) this is fixed in PureOS, and for about 1-2 days already. It is a bit odd that apt-policy doesn't seem to reflect that - did you run an apt update before? Maybe there was some other kind of lag somewhere? (actually hard to tell now) >From a new debspawn chroot: root@sirius-green-amd64-yzj3:/srv# apt-cache policy chromium chromium: Installed: (none) Candidate: 73.0.3683.75-1 Version table: 73.0.3683.75-1 500 500 https://repo.pureos.net/pureos green/main amd64 Packages Cheers, Matthias > > ---------- Forwarded message ---------- > From: Michael Gilbert <mgilbert(a)debian.org> > To: debian-security-announce(a)lists.debian.org > Cc: > Bcc: > Date: Sat, 9 Mar 2019 23:14:35 -0500 > Subject: [SECURITY] [DSA 4404-1] chromium security update > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > - ------------------------------------------------------------------------- > Debian Security Advisory DSA-4404-1 security(a)debian.org > https://www.debian.org/security/ Michael Gilbert > March 09, 2019 https://www.debian.org/security/faq > - ------------------------------------------------------------------------- > > Package : chromium > CVE ID : CVE-2019-5786 > > Clement Lecigne discovered a use-after-free issue in chromium's file > reader implementation. A maliciously crafted file could be used to > remotely execute arbitrary code because of this problem. > > This update also fixes a regression introduced in a previous update. The > browser would always crash when launched in remote debugging mode. > > For the stable distribution (stretch), this problem has been fixed in > version 72.0.3626.122-1~deb9u1. > > We recommend that you upgrade your chromium packages. > > For the detailed security status of chromium please refer to > its security tracker page at: > https://security-tracker.debian.org/tracker/chromium > > Further information about Debian Security Advisories, how to apply > these updates to your system and frequently asked questions can be > found at: https://www.debian.org/security/ > > Mailing list: debian-security-announce(a)lists.debian.org > -----BEGIN PGP SIGNATURE----- > > iQQzBAEBCgAdFiEEluhy7ASCBulP9FUWuNayzQLW9HMFAlyEjvYACgkQuNayzQLW > 9HPz2R//TxP9/mMURq2yCcS9lIXFM42c+YdBZSJK+hA5uRH4UKpycqOyJnpSvCqL > WfsApfLCKGrMyUmke0ZvV0iIe87WOHU9SpS8Hs6jdRTa2LEhn+2lmU28F3EpqXAB > 4yipvbAwpoN8j6Ab+hr8T1qBYZfqhTC8iK4tpe6D7JoT4xBf+471CIXhmmWTbOqt > TpFhjOhOiBT0ZUNR7BcePRhTOUiy/0Nu38fvBPbAnbcVR+M+6QfdbWMbBUyLU1bJ > 3c3upOLSic/CsuMhH1FXbw8R1Tj+mgNUqO6Sca7EpmuN10Xh8TUft56kClffYl6Q > Z7dt+TwyyFvvxR5bR7Q/fIw+oV/YgITtSWC7SokyN7so31Kh9DOnHYRzjY9OmhUx > febodihqFMJ91KLSGMt2KtmdDsYlIp/LuKmmcrKhq4a7k9LfYI50hRCR87bh5frg > 9ZcO2sdhI3H8Z8ejdbc/IO39aJ/BgG/LxZyx9smQTxK7SO5wt73SN2MtHXlmeqz3 > ReSk4oIZd06kHVk0OsKhwO2lennDWxc+g2UOGYz40k2E3mMdDBN9bD5KXSAmnsxW > +vOv+tznqLrjgJwCFz+gd14iP65CIQ9qL6zr6yxKFWozSQarZ8qeCbgND0gKBLH3 > O2Epo5kMX8zxZEhR2dmiCefmIf76E+90E1XXv+F32X6rJ41S4ibONF4KKufv26NJ > ehhPUUFJ03YZdA4cEeL/7T67Bt3dlBY53xhQuVosaMYqwo3Eyv2I6dmUxigjE2wx > b6q/kJsbYnPjkZ74Pd12JqSTBkvP3enQ4jAj28gpy0pnAQcjtPrygUDNfYV3S++a > 1LaZx78yoJ9w2jse0erB14SChFpbOvmdGZSe0kr7mchYmr+eik22SpFuwIb/f//X > 2dbqIKT5OP6QOnT7rsaycIIyIM0D7VhVCRkD4DPx6uimcLTHQjyEJCl1Q0V3Fnif > OYcl3mM5HYnR0tRefppaWdfhdLe/lPXGTE+ADeGtMORNMuarT0oYsKi7nevtsk/v > SEW40t1Ed65jZz2kyjJzBqLUiPpj0piL8eIcu+/sVOuPmBKVCVm3gjYGtestTyTf > 9fWTFc3w2pHFyDDAYDZYyAnweHxzUbOCF2wa8sULpurlLLk53sO39e8YRbJeqeWt > 1ajic6+3C6DXzqi/rCBJIBK/vgnqNaEJhB2yR4dj0HZuzd8C5kkElEELnbD8KCkd > ElsvOWikocbDoV0qxCm01KXCnQEpVe79PGJeh/Rkrk3tgftyja0wdzY/TAsTVbLc > MM/e19sg1o2pvTzydF0YjImhD8pbeSVlzXAtsv3JIf3oxd2yuJP5S+sfyKPPOdS1 > mDynXcm1ch/pLwS65mgSt980E07e9g== > =sUh4 > -----END PGP SIGNATURE----- >

1 0

2024

2023

2022

2021

2020

2019

2018

Security April 2019