- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 201203-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - http://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Chromium, V8: Multiple vulnerabilities Date: March 30, 2012 Bugs: #410045 ID: 201203-24 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been reported in Chromium and V8, some of which may allow execution of arbitrary code. Background ========== Chromium is an open source web browser project. V8 is Google's open source JavaScript engine. SPDY is an experimental networking protocol. Affected packages ================= ------------------------------------------------------------------- Package / Vulnerable / Unaffected ------------------------------------------------------------------- 1 www-client/chromium < 18.0.1025.142 >= 18.0.1025.142 2 dev-lang/v8 < 3.8.9.16 >= 3.8.9.16 ------------------------------------------------------------------- 2 affected packages Description =========== Multiple vulnerabilities have been discovered in Chromium and V8. Please review the CVE identifiers and release notes referenced below for details. Impact ====== A context-dependent attacker could entice a user to open a specially crafted web site or JavaScript program using Chromium or V8, possibly resulting in the execution of arbitrary code with the privileges of the process, or a Denial of Service condition. The attacker could also entice a user to open a specially crafted web site using Chromium, possibly resulting in cross-site scripting (XSS), or an unspecified SPDY certificate checking error. Workaround ========== There is no known workaround at this time. Resolution ========== All Chromium users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot -v ">=www-client/chromium-18.0.1025.142" All V8 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-lang/v8-3.8.9.16" References ========== [ 1 ] CVE-2011-3057 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3057 [ 2 ] CVE-2011-3058 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3058 [ 3 ] CVE-2011-3059 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3059 [ 4 ] CVE-2011-3060 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3060 [ 5 ] CVE-2011-3061 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3061 [ 6 ] CVE-2011-3062 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3062 [ 7 ] CVE-2011-3063 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3063 [ 8 ] CVE-2011-3064 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3064 [ 9 ] CVE-2011-3065 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3065 [ 10 ] Release Notes 18.0.1025.142 http://googlechromereleases.blogspot.com/2012/03/stable-channel-release-a= nd-beta-channel.html Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: http://security.gentoo.org/glsa/glsa-201203-24.xml Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2012 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. http://creativecommons.org/licenses/by-sa/2.5