Google updated the stable branch of the Chromium browser to a new major version number: “51”. An overview of the changes since the previous “50” release are found in Google’s git. Updated packages for Slackware 14.1 and -current are now available from my repository, for the download URLs see below.
The announcement on the Google Chrome Releases blog mentions a list of vulnerabilities that were addressed with this release. Here are the ones that got a CVE rating… it sure pays off to be a security researcher and find Google Chrome vulnerabilities:
- [$7500] High CVE-2016-1672: Cross-origin bypass in extension bindings. Credit to Mariusz Mlynski.
- [$7500] High CVE-2016-1673: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
- [$7500] High CVE-2016-1674: Cross-origin bypass in extensions. Credit to Mariusz Mlynski.
- [$7500] High CVE-2016-1675: Cross-origin bypass in Blink. Credit to Mariusz Mlynski.
- [$7500] High CVE-2016-1676: Cross-origin bypass in extension bindings. Credit to Rob Wu.
- [$4000] Medium CVE-2016-1677: Type confusion in V8. Credit to Guang Gong of Qihoo 360.
- [$3500] High CVE-2016-1678: Heap overflow in V8. Credit to Christian Holler.
- [$3500] High CVE-2016-1679: Heap use-after-free in V8 bindings. Credit to Rob Wu.
- [$3000] High CVE-2016-1680: Heap use-after-free in Skia. Credit to Atte Kettunen of OUSPG.
- [$3000] High CVE-2016-1681: Heap overflow in PDFium. Credit to Aleksandar Nikolic of Cisco Talos.
- [$1000] Medium CVE-2016-1682: CSP bypass for ServiceWorker. Credit to KingstonTime.
- [$1000] Medium CVE-2016-1683: Out-of-bounds access in libxslt. Credit to Nicolas Gregoire.
- [$1000] Medium CVE-2016-1684: Integer overflow in libxslt. Credit to Nicolas Gregoire.
- [$1000] Medium CVE-2016-1685: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB.
- [$1000] Medium CVE-2016-1686: Out-of-bounds read in PDFium. Credit to Ke Liu of Tencent’s Xuanwu LAB.
- [$1000] Medium CVE-2016-1687: Information leak in extensions. Credit to Rob Wu.
- [$1000] Medium CVE-2016-1688: Out-of-bounds read in V8. Credit to Max Korenko.
- [$1000] Medium CVE-2016-1689: Heap buffer overflow in media. Credit to Atte Kettunen of OUSPG.
- [$1000] Medium CVE-2016-1690: Heap use-after-free in Autofill. Credit to Rob Wu.
- [$500] Low CVE-2016-1691: Heap buffer-overflow in Skia. Credit to Atte Kettunen of OUSPG.
- [$500] Low CVE-2016-1692: Limited cross-origin bypass in ServiceWorker. Credit to Til Jasper Ullrich.
- [$500] Low CVE-2016-1693: HTTP Download of Software Removal Tool. Credit to Khalil Zhani.
- [$500] Low CVE-2016-1694: HPKP pins removed on cache clearance. Credit to Ryan Lester and Bryant Zadegan
 CVE-2016-1695: Various fixes from internal audits, fuzzing and other initiatives.
As always, it is strongly advised to upgrade to this new version of Chromium. Get my chromium packages in one of the usual locations:
- http://slackware.com/~alien/slackbuilds/ (primary server)
- http://bear.alienbase.nl/mirrors/people/alien/slackbuilds/ (my own fast mirror)
- http://slackware.uk/people/alien/slackbuilds/ (UK mirror – fast & preferred, also has rsync access)
- http://alien.slackbook.org/slackbuilds/ (US mirror)
The widevine and pepperflash plugin packagess for chromium can be found in the same repository. The 64bit version of the Widevine plugin was updated with new libraries extracted from the official Google Chrome for Linux; the new Chrome does not contain a newer PepperFlash than what I already have in my repository.
Remember, even though I can still provide a 32bit Chromium browser, Google has ceased providing a 32bit version of their own Chrome browser – which means, no more updates to the 32bit PepperFlash and Widevine plugins.
Have fun! Eric