1032 | Giovanni Santini | 7 years ago
1031 | Chad MILLER | 7 years ago
1030 | Chad MILLER | 7 years ago
1029 | Chad MILLER | 7 years ago
1028 | Chad MILLER | 7 years ago
1027 | Chad MILLER | 7 years ago
[Chad Miller]
* debian/rules, debian/control: Use gcc/g++ 4.8 to build.
* Upstream release of 55.0.2883.75:
  - CVE-2016-9651: Private property access in V8.
  - CVE-2016-5208: Universal XSS in Blink.
  - CVE-2016-5207: Universal XSS in Blink.
  - CVE-2016-5206: Same-origin bypass in PDFium.
  - CVE-2016-5205: Universal XSS in Blink.
  - CVE-2016-5204: Universal XSS in Blink.
  - CVE-2016-5209: Out of bounds write in Blink.
  - CVE-2016-5203: Use after free in PDFium.
  - CVE-2016-5210: Out of bounds write in PDFium.
  - CVE-2016-5212: Local file disclosure in DevTools.
  - CVE-2016-5211: Use after free in PDFium.
  - CVE-2016-5213: Use after free in V8.
  - CVE-2016-5214: File download protection bypass.
  - CVE-2016-5216: Use after free in PDFium.
  - CVE-2016-5215: Use after free in Webaudio.
  - CVE-2016-5217: Use of unvalidated data in PDFium.
  - CVE-2016-5218: Address spoofing in Omnibox.
  - CVE-2016-5219: Use after free in V8.
  - CVE-2016-5221: Integer overflow in ANGLE.
  - CVE-2016-5220: Local file access in PDFium.
  - CVE-2016-5222: Address spoofing in Omnibox.
  - CVE-2016-9650: CSP Referrer disclosure.
  - CVE-2016-5223: Integer overflow in PDFium.
  - CVE-2016-5226: Limited XSS in Blink.
  - CVE-2016-5225: CSP bypass in Blink.
  - CVE-2016-5224: Same-origin bypass in SVG
  - CVE-2016-9652: Various fixes from internal audits, fuzzing and other initiatives
* Upstream release of 54.0.2840.100:
  - CVE-2016-5199: Heap corruption in FFmpeg.
  - CVE-2016-5200: Out of bounds memory access in V8.
  - CVE-2016-5201: Info leak in extensions.
  - CVE-2016-5202: Various fixes from internal audits, fuzzing and other initiatives
* Move to using GN to build chromium.
  - debian/known_gn_gen_args
  - debian/rules patches
* debian/rules, lintians, installs, script: Move component libs out of libs/, to /usr/lib/chromium-browser/ only.
* debian/patches/do-not-use-bundled-clang: Use clang from path.
* debian/control: Express that binary packages could be on "any" architecture.
* debian/control: additionally build-dep on libgtk-3-dev
* debian/patches/arm64-support: Fail nicer if aarch64/arm64 mismatch.
* Upstream release of 54.0.2840.59:
  - CVE-2016-5181: Universal XSS in Blink.
  - CVE-2016-5182: Heap overflow in Blink.
  - CVE-2016-5183: Use after free in PDFium.
  - CVE-2016-5184: Use after free in PDFium.
  - CVE-2016-5185: Use after free in Blink.
  - CVE-2016-5187: URL spoofing.
  - CVE-2016-5188: UI spoofing.
  - CVE-2016-5192: Cross-origin bypass in Blink.
  - CVE-2016-5189: URL spoofing.
  - CVE-2016-5186: Out of bounds read in DevTools.
  - CVE-2016-5191: Universal XSS in Bookmarks.
  - CVE-2016-5190: Use after free in Internals.
  - CVE-2016-5193: Scheme bypass.
  - CVE-2016-5194: Various fixes from internal audits, fuzzing and other initiatives
* debian/patches/allow-component-build: Hard-code, override release -> no component logic.
* debian/known_gyp_flags: Remove old GYP known-flags list.
* debian/default-allocator: Insist on not using tcmalloc allocator.
* debian/rules: Set LDFLAGS to limit memory usage.
* debian/control: Remove extraneous dependencies.
* debian/patches/defang-ct-timebomb: backport TLS cert invalidity based on build-time. (LP: #1641380)
* Upstream release 53.0.2785.143:
  - CVE-2016-5177: Use after free in V8.
  - CVE-2016-5178: Various fixes from internal audits, fuzzing and other initiatives.
* Upstream release 53.0.2785.113:
  - CVE-2016-5170: Use after free in Blink.
  - CVE-2016-5171: Use after free in Blink.
  - CVE-2016-5172: Arbitrary Memory Read in v8.
  - CVE-2016-5173: Extension resource access.
  - CVE-2016-5174: Popup not correctly suppressed.
  - CVE-2016-5175: Various fixes from internal audits, fuzzing and other initiatives.
* debian/rules: Use gold ld to link.
* debian/rules: Kill delete-null-pointer-checks. In the javascript engine, we can not assume a memory access to address zero always results in a trap.
* debian/patches/gsettings-display-scaling, debian/patches/display-scaling-default-value, reenable DPI scaling taken from dconf.
* debian/rules: explicitly set target arch for arm64.
* debian/control, debian/rules: re-add -dbg transitional packages.
* Upstream release 53.0.2785.89:
  - CVE-2016-5147: Universal XSS in Blink.
  - CVE-2016-5148: Universal XSS in Blink.
  - CVE-2016-5149: Script injection in extensions.
  - CVE-2016-5150: Use after free in Blink.
  - CVE-2016-5151: Use after free in PDFium.
  - CVE-2016-5152: Heap overflow in PDFium.
  - CVE-2016-5153: Use after destruction in Blink.
  - CVE-2016-5154: Heap overflow in PDFium.
  - CVE-2016-5155: Address bar spoofing.
  - CVE-2016-5156: Use after free in event bindings.
  - CVE-2016-5157: Heap overflow in PDFium.
  - CVE-2016-5158: Heap overflow in PDFium.
  - CVE-2016-5159: Heap overflow in PDFium.
  - CVE-2016-5161: Type confusion in Blink.
  - CVE-2016-5162: Extensions web accessible resources bypass.
  - CVE-2016-5163: Address bar spoofing.
  - CVE-2016-5164: Universal XSS using DevTools.
  - CVE-2016-5165: Script injection in DevTools.
  - CVE-2016-5166: SMB Relay Attack via Save Page As.
  - CVE-2016-5160: Extensions web accessible resources bypass.
  - CVE-2016-5167: Various fixes from internal audits, fuzzing and other initiatives.
* debian/patches/cups-include-deprecated-ppd, debian/rules: include cups functions.
* Use system libraries for expat, speex, zlib, opus, png, jpeg.
* Also build for arm64 architecture.
* Don't compile in cups support by default on all architectures.
* debian/control: remove build-dep on clang.
* debian/patches/linux45-madvfree: If MADV_FREE is not defined, do not allow it in sandbox filter. Also, undefine it so we don't use MADV_FREE and thereby depend on it at runtime.
* debian/rules: Use gold ld to link.
* debian/rules: Kill delete-null-pointer-checks. In the javascript engine, we can not assume a memory access to address zero always results in a trap.
* debian/patches/series, debian/rules: Re-enable widevine component.
* debian/patches/expat-config: Avoid "memmove does not exist".
1026 | Chad MILLER | 7 years ago
1025 | Chad MILLER | 7 years ago
1024 | Chad MILLER | 7 years ago
1023 | Chad MILLER | 7 years ago
1022 | Chad MILLER | 7 years ago
1021 | Chad MILLER | 7 years ago
1020 | Chad MILLER | 7 years ago
1019 | Chad MILLER | 7 years ago
1018 | Chad MILLER | 7 years ago
1017 | Chad MILLER | 7 years ago
* Upstream release 53.0.2785.89:
  - CVE-2016-5147: Universal XSS in Blink.
  - CVE-2016-5148: Universal XSS in Blink.
  - CVE-2016-5149: Script injection in extensions.
  - CVE-2016-5150: Use after free in Blink.
  - CVE-2016-5151: Use after free in PDFium.
  - CVE-2016-5152: Heap overflow in PDFium.
  - CVE-2016-5153: Use after destruction in Blink.
  - CVE-2016-5154: Heap overflow in PDFium.
  - CVE-2016-5155: Address bar spoofing.
  - CVE-2016-5156: Use after free in event bindings.
  - CVE-2016-5157: Heap overflow in PDFium.
  - CVE-2016-5158: Heap overflow in PDFium.
  - CVE-2016-5159: Heap overflow in PDFium.
  - CVE-2016-5161: Type confusion in Blink.
  - CVE-2016-5162: Extensions web accessible resources bypass.
  - CVE-2016-5163: Address bar spoofing.
  - CVE-2016-5164: Universal XSS using DevTools.
  - CVE-2016-5165: Script injection in DevTools.
  - CVE-2016-5166: SMB Relay Attack via Save Page As.
  - CVE-2016-5160: Extensions web accessible resources bypass.
  - CVE-2016-5167: Various fixes from internal audits, fuzzing and other initiatives.
* debian/patches/cups-include-deprecated-ppd, debian/rules: include cups functions.
* debian/rules, debian/control: Force using gcc-5 compiler.
* Use system libraries for expat, speex, zlib, opus, png, jpeg.
* Also build for arm64 architecture.
* Don't compile in cups support by default on all architectures.
* debian/control: remove build-dep on clang.
* debian/patches/linux45-madvfree: If MADV_FREE is not defined, do not allow it in sandbox filter.
* debian/rules: Use gold ld to link.
* debian/rules: Kill delete-null-pointer-checks. In the javascript engine, we can not assume a memory access to address zero always results in a trap.
1016 | Chad MILLER | 7 years ago
1015 | Chad MILLER | 7 years ago
1014 | Chad MILLER | 7 years ago
1013 | Chad MILLER | 7 years ago
* Upstream release 52.0.2743.116:
  - CVE-2016-5141 Address bar spoofing.
  - CVE-2016-5142 Use-after-free in Blink.
  - CVE-2016-5139 Heap overflow in pdfium.
  - CVE-2016-5140 Heap overflow in pdfium.
  - CVE-2016-5145 Same origin bypass for images in Blink.
  - CVE-2016-5143 Parameter sanitization failure in DevTools.
  - CVE-2016-5144 Parameter sanitization failure in DevTools.
  - CVE-2016-5146: Various fixes from internal audits, fuzzing and other initiatives.
* Exclude harfbuzz from system-library use.
* Upstream release 52.0.2743.82:
  - CVE-2016-1706: Sandbox escape in PPAPI.
  - CVE-2016-1707: URL spoofing on iOS.
  - CVE-2016-1708: Use-after-free in Extensions.
  - CVE-2016-1709: Heap-buffer-overflow in sfntly.
  - CVE-2016-1710: Same-origin bypass in Blink.
  - CVE-2016-1711: Same-origin bypass in Blink.
  - CVE-2016-5127: Use-after-free in Blink.
  - CVE-2016-5128: Same-origin bypass in V8.
  - CVE-2016-5129: Memory corruption in V8.
  - CVE-2016-5130: URL spoofing.
  - CVE-2016-5131: Use-after-free in libxml.
  - CVE-2016-5132: Limited same-origin bypass in Service Workers.
  - CVE-2016-5133: Origin confusion in proxy authentication.
  - CVE-2016-5134: URL leakage via PAC script.
  - CVE-2016-5135: Content-Security-Policy bypass.
  - CVE-2016-5136: Use after free in extensions.
  - CVE-2016-5137: History sniffing with HSTS and CSP.
  - CVE-2016-1705: Various fixes from internal audits, fuzzing and other initiatives
* Upstream release 51.0.2704.106
* Upstream release 51.0.2704.103:
  - CVE-2016-1704: Various fixes from internal audits, fuzzing and other initiatives.
* debian/control: remove build-dep on clang.
* Sync many things from debian:
  - No longer build remoting, or install its locale files.
  - Use many system libraries, adding build-dep on
    - libre2-dev,
    - yasm,
    - libopus-dev,
    - zlib1g-dev,
    - libspeex-dev,
    - libspeechd-dev,
    - libexpat1-dev,
    - libpng-dev,
    - libxml2-dev,
    - libjpeg-dev,
    - libwebp-dev,
    - libxslt-dev,
    - libsrtp-dev,
    - libjsoncpp-dev,
    - libevent-dev,
  - Clean up many parts of debian/rules, wrt variable names
  - Set hardening on.
  - Use gold linker.
  - Disable Google Now. Creepy. Might mean downloads of opaque programs too.
  - Disable Wallet service.
* debian/compat: Use dh version 9.
* debian/rules: Improve "cd;foo" logic.
* debian/rules: Remove files in tar-copy pipelines, to conserve space. Fixes build failures in servers.
* debian/rules: Move check steps into install steps. No need to be separate, and simplifies target names.
* debian/rules: Make en-us locale files less magical, and simplify install.
* debian/rules: Work around change to tar command param order with --exclude.
* debian/rules: Don't use tcmalloc on armhf.
* debian/rules: Remove precise-specific conditions. More simple.
* debian/rules: In install-validation, don't use mktemp. Hard-code destination.
* debian/patches/gsettings-display-scaling: Disable because code moved and needs refactoring.
* debian/patches/display-scaling-default-value: Disable because probably not needed any more.
* debian/rules: widevine cdm is not really available in this source. No longer lie about that.
* Set new GOOG keys to bisect service overuse problem.