Changelog
chromium-browser (44.0.2403.89-1~deb8u1) jessie-security; urgency=high
* New upstream security release:
- CVE-2015-1266: Scheme validation error in WebUI. Credit to anonymous.
- CVE-2015-1268: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
- CVE-2015-1267: Cross-origin bypass in Blink. Credit to anonymous.
- CVE-2015-1269: Normalization error in HSTS/HPKP preload list. Credit to
Mike Ruddy.
- CVE-2015-1270: Uninitialized memory read in ICU. Credit to Atte Kettunen.
- CVE-2015-1271: Heap-buffer-overflow in pdfium. Credit to cloudfuzzer.
- CVE-2015-1272: Use-after-free related to unexpected GPU process
termination. Credit to Chamal de Silva.
- CVE-2015-1273: Heap-buffer-overflow in pdfium. Credit to makosoft.
- CVE-2015-1274: Settings allowed executable files to run immediately after
download. Credit to andrewm.bpi.
- CVE-2015-1275: UXSS in Chrome for Android. Credit to WangTao(neobyte).
- CVE-2015-1276: Use-after-free in IndexedDB. Credit to Collin Payne.
- CVE-2015-1277: Use-after-free in accessibility. Credit to SkyLined.
- CVE-2015-1278: URL spoofing using pdf files. Credit to Chamal de Silva.
- CVE-2015-1279: Heap-buffer-overflow in pdfium. Credit to mlafon.
- CVE-2015-1280: Memory corruption in skia. Credit to cloudfuzzer.
- CVE-2015-1281: CSP bypass. Credit to Masato Kinugawa.
- CVE-2015-1282: Use-after-free in pdfium. Credit to Chamal de Silva.
- CVE-2015-1283: Heap-buffer-overflow in expat. Credit to Huzaifa
Sidhpurwala.
- CVE-2015-1284: Use-after-free in blink. Credit to Atte Kettunen.
- CVE-2015-1285: Information leak in XSS auditor. Credit to gazheyes.
- CVE-2015-1286: UXSS in blink. Credit to anonymous.
- CVE-2015-1287: SOP bypass with CSS. Credit to filedescriptor.
- CVE-2015-1288: Spell checking dictionaries fetched over HTTP. Credit to
Mike Ruddy.
- CVE-2015-1289: Various fixes from internal audits, fuzzing and other
initiatives.
- Hotword extension disabled by default (closes: #786909).
-- Michael Gilbert <email address hidden> Wed, 22 Jul 2015 02:58:38 +0000