Security update for Chromium 48
Google released an update for Chrome/Chromium – their version 48 of the browser is now at “48.0.2564.109“. The chromium sources are still not available six days after the announcement, even though the official Chrome binary distributions were available right from the start. I think that this is inexcusable for a big company like Google, but this is not the first time that their autobots falter and no one cares enough to fix the release process. Notwithstanding some complaints by fellow application packagers.
So for this release I switched to the “chromium source tarball” git repository https://github.com/zcbenz/chromium-source-tarball/releases to get a tarball and compile some Slackware packages.
This chromium release addresses a couple of security issues with the following CVE numbers:
[$7500] High CVE-2016-1622: Same-origin bypass in Extensions. Credit to anonymous.
[$7500] High CVE-2016-1623: Same-origin bypass in DOM. Credit to Mariusz Mlynski.
[$TBD] High CVE-2016-1624: Buffer overflow in Brotli. Credit to lukezli.
[$1000] Medium CVE-2016-1625: Navigation bypass in Chrome Instant. Credit to Jann Horn.
 Medium CVE-2016-1626: Out-of-bounds read in PDFium. Credit to anonymous, working with HP’s Zero Day Initiative.
 CVE-2016-1627: Various fixes from internal audits, fuzzing and other initiatives.
Get my chromium packages in one of the usual locations:
- http://slackware.com/~alien/slackbuilds/ (primary server)
- http://taper.alienbase.nl/mirrors/people/alien/slackbuilds/ (my own US mirror)
- http://alien.slackbook.org/slackbuilds/ (US)
- http://slackware.org.uk/people/alien/slackbuilds/ (UK)
The widevine and pepperflash plugin packagess for chromium can be found in the same repository.
Have fun! Eric