21-july-2015 security fixes not available

Bug #1477662 reported by peterzay on 2015-07-23
This bug affects 2 people
Affects: chromium-browser (Ubuntu)
Importance: High
Assigned to: Chad Miller

Bug Description

On July 21, 2015, security fixes were made available in a new release 44.0.2403.89 of the browser.

My browser is at 43.0.2357.130 for Ubuntu 14.04 despite repeated updates.

Since the security fixes are urgent, could you please make them available immediately?

More info here:

http://googlechromereleases.blogspot.ca/search/label/Stable%20updates

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: chromium-browser 43.0.2357.130-0ubuntu0.14.04.1.1092
ProcVersionSignature: Ubuntu 3.13.0-58.97-generic 3.13.11-ckt22
Uname: Linux 3.13.0-58-generic i686
ApportVersion: 2.14.1-0ubuntu3.11
Architecture: i386
CurrentDesktop: Unity
CurrentDmesg: Error: command ['sh', '-c', 'dmesg | comm -13 --nocheck-order /var/log/dmesg -'] failed with exit code 1: comm: /var/log/dmesg: Permission denied
Date: Thu Jul 23 11:53:12 2015
Desktop-Session:
 'ubuntu'
 '/etc/xdg/xdg-ubuntu:/usr/share/upstart/xdg:/etc/xdg'
 '/usr/share/ubuntu:/usr/share/gnome:/usr/local/share/:/usr/share/'
DetectedPlugins:

EcryptfsInUse: Yes
Env:
 'None'
 'None'
InstallationDate: Installed on 2014-04-29 (449 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release i386 (20140417)
Load-Avg-1min: 0.22
Load-Processes-Running-Percent: 0.2%
MachineType: Dell Inc. Inspiron 660
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-58-generic root=UUID=8cf458ab-4ff9-4505-9a16-27da1ea7ec10 ro quiet splash vt.handoff=7
SourcePackage: chromium-browser
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 10/14/2013
dmi.bios.vendor: Dell Inc.
dmi.bios.version: A11
dmi.board.name: 0XR1GT
dmi.board.vendor: Dell Inc.
dmi.board.version: A00
dmi.chassis.type: 3
dmi.chassis.vendor: Dell Inc.
dmi.modalias: dmi:bvnDellInc.:bvrA11:bd10/14/2013:svnDellInc.:pnInspiron660:pvr:rvnDellInc.:rn0XR1GT:rvrA00:cvnDellInc.:ct3:cvr:
dmi.product.name: Inspiron 660
dmi.sys.vendor: Dell Inc.
gconf-keys: /desktop/gnome/applications/browser/exec = b'/usr/bin/chromium-browser\n'/desktop/gnome/url-handlers/https/command = b'/usr/bin/chromium-browser %s\n'/desktop/gnome/url-handlers/https/enabled = b'true\n'/desktop/gnome/url-handlers/http/command = b'/usr/bin/chromium-browser %s\n'/desktop/gnome/url-handlers/http/enabled = b'true\n'/desktop/gnome/session/required_components/windowmanager = b''/apps/metacity/general/compositing_manager = b''/desktop/gnome/interface/icon_theme = b''/desktop/gnome/interface/gtk_theme = b''
modified.conffile..etc.chromium.browser.default: [modified]
modified.conffile..etc.default.chromium.browser: [deleted]
mtime.conffile..etc.chromium.browser.default: 2014-04-29T13:58:11.849470

peterzay (peterzay) wrote :
Chad Miller (cmiller) on 2015-07-23
Changed in chromium-browser (Ubuntu):
status: New → In Progress
assignee: nobody → Chad Miller (cmiller)
Changed in chromium-browser (Ubuntu):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 44.0.2403.89-0ubuntu0.15.04.1.1177

---------------
chromium-browser (44.0.2403.89-0ubuntu0.15.04.1.1177) vivid-security; urgency=medium

  * Upstream release 44.0.2403.89: (LP: #1477662)
    - CVE-2015-1271: Heap-buffer-overflow in pdfium.
    - CVE-2015-1273: Heap-buffer-overflow in pdfium.
    - CVE-2015-1274: Settings allowed executable files to run immediately
      after download.
    - CVE-2015-1275: UXSS in Chrome for Android.
    - CVE-2015-1276: Use-after-free in IndexedDB.
    - CVE-2015-1279: Heap-buffer-overflow in pdfium.
    - CVE-2015-1280: Memory corruption in skia.
    - CVE-2015-1281: CSP bypass.
    - CVE-2015-1282: Use-after-free in pdfium.
    - CVE-2015-1283: Heap-buffer-overflow in expat.
    - CVE-2015-1284: Use-after-free in blink.
    - CVE-2015-1286: UXSS in blink.
    - CVE-2015-1287: SOP bypass with CSS.
    - CVE-2015-1270: Uninitialized memory read in ICU.
    - CVE-2015-1272: Use-after-free related to unexpected GPU process
      termination.
    - CVE-2015-1277: Use-after-free in accessibility.
    - CVE-2015-1278: URL spoofing using pdf files.
    - CVE-2015-1285: Information leak in XSS auditor.
    - CVE-2015-1288: Spell checking dictionaries fetched over HTTP.
    - CVE-2015-1289: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules, debian/chromium-codecs-ffmpeg{,-extra}.install: ffmpeg is a
    first-class component library now, not a special snowflake. Still, build
    it differently, but build flags are different.
  * debian/tests/smoketest-actual: Remove some innocuous mentions of "error"
    before testing for actual errors.
  * debian/control: codec library packages replace the libffmpeg.so that
    was in chromium packages before now.
  * debian/control: codec packages can't reasonably be updated separately
    from chromium. Depend with version specification also.

 -- Chad MILLER <email address hidden> Tue, 28 Jul 2015 11:19:11 -0400

Changed in chromium-browser (Ubuntu):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package chromium-browser - 44.0.2403.89-0ubuntu0.14.04.1.1095

---------------
chromium-browser (44.0.2403.89-0ubuntu0.14.04.1.1095) trusty-security; urgency=medium

  * Upstream release 44.0.2403.89: (LP: #1477662)
    - CVE-2015-1271: Heap-buffer-overflow in pdfium.
    - CVE-2015-1273: Heap-buffer-overflow in pdfium.
    - CVE-2015-1274: Settings allowed executable files to run immediately
      after download.
    - CVE-2015-1275: UXSS in Chrome for Android.
    - CVE-2015-1276: Use-after-free in IndexedDB.
    - CVE-2015-1279: Heap-buffer-overflow in pdfium.
    - CVE-2015-1280: Memory corruption in skia.
    - CVE-2015-1281: CSP bypass.
    - CVE-2015-1282: Use-after-free in pdfium.
    - CVE-2015-1283: Heap-buffer-overflow in expat.
    - CVE-2015-1284: Use-after-free in blink.
    - CVE-2015-1286: UXSS in blink.
    - CVE-2015-1287: SOP bypass with CSS.
    - CVE-2015-1270: Uninitialized memory read in ICU.
    - CVE-2015-1272: Use-after-free related to unexpected GPU process
      termination.
    - CVE-2015-1277: Use-after-free in accessibility.
    - CVE-2015-1278: URL spoofing using pdf files.
    - CVE-2015-1285: Information leak in XSS auditor.
    - CVE-2015-1288: Spell checking dictionaries fetched over HTTP.
    - CVE-2015-1289: Various fixes from internal audits, fuzzing and other
      initiatives.
  * debian/rules, debian/chromium-codecs-ffmpeg{,-extra}.install: ffmpeg is a
    first-class component library now, not a special snowflake. Still, build
    it differently, but build flags are different.
  * debian/tests/smoketest-actual: Remove some innocuous mentions of "error"
    before testing for actual errors.
  * debian/control: codec library packages replace the libffmpeg.so that
    was in chromium packages before now.
  * debian/control: codec packages can't reasonably be updated separately
    from chromium. Depend with version specification also.

 -- Chad MILLER <email address hidden> Tue, 28 Jul 2015 11:19:11 -0400

Changed in chromium-browser (Ubuntu):
status: In Progress → Fix Released