Debian Security Advisory DSA 3039-1 (chromium-browser - security update)

Published: 2014-10-01 11:28:59
CVE Author: NIST National Vulnerability Database

CVSS Base Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Affected Versions:
chromium-browser on Debian Linux

Recommendations:
For the stable distribution (wheezy), these problems have been fixed in version 37.0.2062.120-1~deb7u1. For the testing (jessie) and unstable (sid) distributions, these problems have been fixed in version 37.0.2062.120-1. We recommend that you upgrade your chromium-browser Linux Distribution Packages.

Summary:
Several vulnerabilities were discovered in the chromium web browser. CVE-2014-3160 Christian Schneider discovered a same origin bypass issue in SVG file resource fetching. CVE-2014-3162 The Google Chrome development team addressed multiple issues with potential security impact for chromium 36.0.1985.125. CVE-2014-3165 Colin Payne discovered a use-after-free issue in the Web Sockets implementation. CVE-2014-3166 Antoine Delignat-Lavaud discovered an information leak in the SPDY protocol implementation. CVE-2014-3167 The Google Chrome development team addressed multiple issues with potential security impact for chromium 36.0.1985.143. CVE-2014-3168 cloudfuzzer discovered a use-after-free issue in SVG image file handling. CVE-2014-3169 Andrzej Dyjak discovered a use-after-free issue in the Webkit/Blink Document Object Model implementation. CVE-2014-3170 Rob Wu discovered a way to spoof the url of chromium extensions. CVE-2014-3171 cloudfuzzer discovered a use-after-free issue in chromium's v8 bindings. CVE-2014-3172 Eli Grey discovered a way to bypass access restrictions using chromium's Debugger extension API. CVE-2014-3173 jmuizelaar discovered an uninitialized read issue in WebGL. CVE-2014-3174 Atte Kettunen discovered an uninitialized read issue in Web Audio. CVE-2014-3175 The Google Chrome development team addressed multiple issues with potential security impact for chromium 37.0.2062.94. CVE-2014-3176 lokihardt@asrt discovered a combination of flaws that can lead to remote code execution outside of chromium's sandbox. CVE-2014-3177 lokihardt@asrt discovered a combination of flaws that can lead to remote code execution outside of chromium's sandbox. CVE-2014-3178 miaubiz discovered a use-after-free issue in the Document Object Model implementation in Blink/Webkit. CVE-2014-3179 The Google Chrome development team addressed multiple issues with potential security impact for chromium 37.0.2062.120.

Detection Method:
This check tests the installed software version using the apt Linux Distribution Package manager.

Detection Type:
Linux Distribution Package

Solution Type:
Vendor Patch

NIST (National Institute of Standards and Technology) NVD (National Vulnerability Database)

https://nvd.nist.gov/vuln/detail/CVE-2014-3160
https://nvd.nist.gov/vuln/detail/CVE-2014-3162
https://nvd.nist.gov/vuln/detail/CVE-2014-3165
https://nvd.nist.gov/vuln/detail/CVE-2014-3166
https://nvd.nist.gov/vuln/detail/CVE-2014-3167
https://nvd.nist.gov/vuln/detail/CVE-2014-3168
https://nvd.nist.gov/vuln/detail/CVE-2014-3169
https://nvd.nist.gov/vuln/detail/CVE-2014-3170
https://nvd.nist.gov/vuln/detail/CVE-2014-3171
https://nvd.nist.gov/vuln/detail/CVE-2014-3172
https://nvd.nist.gov/vuln/detail/CVE-2014-3173
https://nvd.nist.gov/vuln/detail/CVE-2014-3174
https://nvd.nist.gov/vuln/detail/CVE-2014-3175
https://nvd.nist.gov/vuln/detail/CVE-2014-3176
https://nvd.nist.gov/vuln/detail/CVE-2014-3177
https://nvd.nist.gov/vuln/detail/CVE-2014-3178
https://nvd.nist.gov/vuln/detail/CVE-2014-3179

References:

http://www.debian.org/security/2014/dsa-3039.html

Severity
High
CVSS Score
10.0
Published
2014-10-01
Modified
2019-03-19
Category
Debian Local Security Checks

Free Vulnerability Scanning, Assessment and Management

Mageni's Platform is packed with all the features you need to scan, assess and manage vulnerabilities like this - it is free, open source, lightning fast, reliable and scalable.

Router
Servers
Laptop
Database
Group
Cloud

Frequently Asked Questions

No, you can scan concurrently as many assets as you want. Please note that you must be aware of the hardware requeriments of the platform to ensure a good performance.

No, you can add as many assest as you want. It doesn't matters if you have millions of assets, we won't charge you for that.

No. The software is completely free. We have no intention to charge you to use the software, in fact - it completely goes against our beliefs and business model.

A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005)

We generate revenue by providing support and other services for customers that require a subscription so they get guaranteed support and enterprise services. To use Mageni's Platform is completely free, with no limits at all.

Yes. Mageni understands that there are professionals and businesses that need commercial support so Mageni provides an active support subscription with everything needed to run Mageni's Platform reliably and securely. More than software, it's access to security experts, knowledge resources, security updates, and support tools you can't get anywhere else. The subscription includes:

  • Ongoing delivery
    • Patches
    • Bug fixes
    • Updates
    • Upgrades
  • Technical support
    • 24/7 availability
    • Unlimited Incidents
    • Specialty-based routing
    • Multi-Channel
  • Commitments
    • Software certifications
    • Software assurance
    • SLA

No, we don't store the information of your vulnerabilities in our servers.

Vulnerability management is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization. The term vulnerability management is often confused with vulnerability scanning. Despite the fact both are related, there is an important difference between the two. Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation etc. Source: "Implementing a Vulnerability Management Process". SANS Institute.

I am ready to start scanning for vulnerabilities