Alerts This Week
Warning Icon 1 666
Alerts This Week
Warning Icon 1 666

Arch Linux 201509-1 High Severity: Chromium Cross-Origin Bypass

Calendar Sep 02, 2015 User Avatar LinuxSecurity Advisories
1 - 2 min read
Archlinux Large Esm H500
Topics%20covered

Topics Covered

security advisory high severity multiple issues arch linux chromium
The package chromium before version 45.0.2454.85-1 is vulnerable to multiple issues including cross-origin bypass, use-after-free, character spoofing and information leak. 
Arch Linux Security Advisory ASA-201509-1
========================================
Severity: High
Date    : 2015-09-02
CVE-ID  : CVE-2015-1291 CVE-2015-1292 CVE-2015-1293 CVE-2015-1294
CVE-2015-1295 CVE-2015-1296 CVE-2015-1297 CVE-2015-1298 CVE-2015-1299
CVE-2015-1300 CVE-2015-1301
Package : chromium
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package chromium before version 45.0.2454.85-1 is vulnerable to
multiple issues including cross-origin bypass, use-after-free, character
spoofing and information leak.

Resolution
=========
Upgrade to 45.0.2454.85-1.

# pacman -Syu "chromium>=45.0.2454.85-1"

The problem has been fixed upstream in version 45.0.2454.85.

Workaround
=========
None.

Description
==========
- CVE-2015-1291, CVE-2015-1293:

Cross-origin bypass in DOM.

- CVE-2015-1292:

Cross-origin bypass in ServiceWorker.

- CVE-2015-1294:

Use-after-free in Skia.

- CVE-2015-1295:

Use-after-free in Printing.

- CVE-2015-1296:

Character spoofing in omnibox.

- CVE-2015-1297:

Permission scoping error in WebRequest.

- CVE-2015-1298:

URL validation error in extensions.

- CVE-2015-1299:

Use-after-free in Blink.

- CVE-2015-1300:

Information leak in Blink.

- CVE-2015-1301:

Various fixes from internal audits, fuzzing and other initiatives.

Impact
=====
A remote attacker can bypass the Same-Origin Policy of a website, spoof
character in omnibox to trick the user, leak information, cause a denial
of service or have other unspecified impact.

References
=========
https://chromereleases.googleblog.com/2015/09/stable-channel-update.html
https://access.redhat.com/security/cve/CVE-2015-1291
https://access.redhat.com/security/cve/CVE-2015-1292
https://access.redhat.com/security/cve/CVE-2015-1293
https://access.redhat.com/security/cve/CVE-2015-1294
https://access.redhat.com/security/cve/CVE-2015-1295
https://access.redhat.com/security/cve/CVE-2015-1296
https://access.redhat.com/security/cve/CVE-2015-1297
https://access.redhat.com/security/cve/CVE-2015-1298
https://access.redhat.com/security/cve/CVE-2015-1299
https://access.redhat.com/security/cve/CVE-2015-1300
https://access.redhat.com/security/cve/CVE-2015-1301

Related News

Your message here