Antoine Beaupré
2011-May-12 04:14 UTC
[Secure-testing-team] Bug#626445: multiple (89!) security issues in chromium
Package: chromium-browser
Version: 6.0.472.63~r59945-5+squeeze4
Severity: grave
Tags: security squeeze sid

The PTS mentions there are 89 security issues in this package, most of which affect stable, which is stuck at the prehistoric Chromium 6 release. But even the version in sid seems to be vulnerable to serious security issues, including remote code execution, like this one:

http://security-tracker.debian.org/tracker/CVE-2011-1344

Plenty more here:

http://security-tracker.debian.org/tracker/source-package/chromium-browser

A lot of those would just need a simple classification to mark which ones are fixed in sid. But the version in stable is a much more serious issue. I do not think there is the possibility of maintaining that branch all by ourselves here, and I would recommend either dropping the package from stable and relying on backports, or simply shipping the next squeeze release with the 10.x version.

Right now, I have the feeling that a lot of people are using Google Chrome's Debian package instead of the chromium package. People like me that stick with the Debian package are actually left in the cold with an outdated version that is actually very vulnerable.

This situation seems rather problematic and should be resolved.
-- System Information:
Debian Release: 6.0.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.utf8, LC_CTYPE=fr_CA.utf8 (charmap=UTF-8) (ignored: LC_ALL set to fr_CA.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages chromium-browser depends on:
ii  chromium-br 6.0.472.63~r59945-5+squeeze4 page inspector for the chromium-br
ii  libasound2  1.0.23-2.1                   shared library for ALSA applicatio
ii  libatk1.0-0 1.30.0-1                     The ATK accessibility toolkit
ii  libbz2-1.0  1.0.5-6                      high-quality block-sorting file co
ii  libc6       2.11.2-10                    Embedded GNU C Library: Shared lib
ii  libcairo2   1.8.10-6                     The Cairo 2D vector graphics libra
ii  libcups2    1.4.4-7                      Common UNIX Printing System(tm) -
ii  libdbus-1-3 1.2.24-4                     simple interprocess messaging syst
ii  libdbus-gli 0.88-2.1                     simple interprocess messaging syst
ii  libevent-1. 1.4.13-stable-1              An asynchronous event notification
ii  libexpat1   2.0.1-7                      XML parsing C library - runtime li
ii  libfontconf 2.8.0-2.1                    generic font configuration library
ii  libfreetype 2.4.2-2.1                    FreeType 2 font engine, shared lib
ii  libgcc1     1:4.4.5-8                    GCC support library
ii  libgconf2-4 2.28.1-6                     GNOME configuration database syste
ii  libgcrypt11 1.4.5-2                      LGPL Crypto library - runtime libr
ii  libgl1-mesa 7.7.1-4                      A free implementation of the OpenG
ii  libglewmx1. 1.5.4-1                      The OpenGL Extension Wrangler - ru
ii  libglib2.0- 2.24.2-1                     The GLib library of C routines
ii  libgtk2.0-0 2.20.1-2                     The GTK+ graphical user interface
ii  libicu44    4.4.1-7                      International Components for Unico
ii  libjpeg62   6b1-1                        The Independent JPEG Group's JPEG
ii  libnspr4-0d 4.8.6-1                      NetScape Portable Runtime Library
ii  libnss3-1d  3.12.8-1+squeeze1            Network Security Service libraries
ii  libpango1.0 1.28.3-1+squeeze2            Layout and rendering of internatio
ii  libpng12-0  1.2.44-1                     PNG library - runtime
ii  libstdc++6  4.4.5-8                      The GNU Standard C++ Library v3
ii  libv8-2.2.2 2.2.24-6                     V8 JavaScript Engine
ii  libvpx0     0.9.1-2                      VP8 video codec (shared library)
ii  libx11-6    2:1.3.3-4                    X11 client-side library
ii  libxext6    2:1.1.2-1                    X11 miscellaneous extension librar
ii  libxml2     2.7.8.dfsg-2                 GNOME XML library
ii  libxrender1 1:0.9.6-1                    X Rendering Extension client libra
ii  libxslt1.1  1.1.26-6                     XSLT 1.0 processing library - runt
ii  libxss1     1:1.2.0-2                    X11 Screen Saver extension library
ii  xdg-utils   1.0.2+cvs20100307-2          desktop integration utilities from
ii  zlib1g      1:1.2.3.4.dfsg-3             compression library - runtime

chromium-browser recommends no packages.

Versions of packages chromium-browser suggests:
pn  chromium-browser-l10n <none>             (no description available)

-- no debconf information