File chromium.changes of Package chromium
-------------------------------------------------------------------
Tue Jul 9 10:09:56 UTC 2024 - Callum Farmer <gmbr3@opensuse.org>

- Finalize 126
- Removed patches:
  * chromium-125-debian-bad-font-gc2.patch
  * chromium-125-debian-bad-font-gc3.patch
- Added patches:
  * chromium-126-RealTimeReportingBindings-missing-decl.patch
  * chromium-126-no-format.patch

-------------------------------------------------------------------
Mon Jul 1 14:09:50 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 126.0.6478.114 (boo#1226504, boo#1226205, boo#1226933)
  * CVE-2024-6290: Use after free in Dawn
  * CVE-2024-6291: Use after free in Swiftshader
  * CVE-2024-6292: Use after free in Dawn
  * CVE-2024-6293: Use after free in Dawn
  * CVE-2024-6100: Type Confusion in V8
  * CVE-2024-6101: Inappropriate implementation in WebAssembly
  * CVE-2024-6102: Out of bounds memory access in Dawn
  * CVE-2024-6103: Use after free in Dawn
  * CVE-2024-5830: Type Confusion in V8
  * CVE-2024-5831: Use after free in Dawn
  * CVE-2024-5832: Use after free in Dawn
  * CVE-2024-5833: Type Confusion in V8
  * CVE-2024-5834: Inappropriate implementation in Dawn
  * CVE-2024-5835: Heap buffer overflow in Tab Groups
  * CVE-2024-5836: Inappropriate Implementation in DevTools
  * CVE-2024-5837: Type Confusion in V8
  * CVE-2024-5838: Type Confusion in V8
  * CVE-2024-5839: Inappropriate Implementation in Memory Allocator
  * CVE-2024-5840: Policy Bypass in CORS
  * CVE-2024-5841: Use after free in V8
  * CVE-2024-5842: Use after free in Browser UI
  * CVE-2024-5843: Inappropriate implementation in Downloads
  * CVE-2024-5844: Heap buffer overflow in Tab Strip
  * CVE-2024-5845: Use after free in Audio
  * CVE-2024-5846: Use after free in PDFium
  * CVE-2024-5847: Use after free in PDFium
- drop patches:
  * chromium-disable-parallel-gold.patch
  * chromium-125-appservice-include.patch
  * chromium-125-lens-include.patch
  * chromium-125-mojo-bindings-include.patch
  * chromium-125-no-vector-consts.patch
  * chromium-125-vulkan-include.patch
  * chromium-125-ninja.patch
  * chromium-125-no_matching_constructor.patch
  * chromium-125-missing-header-files.patch
- add patches:
  * chromium-126-missing-header-files.patch
  * chromium-126-quiche-interator.patch
  * chromium-126-no_matching_constructor.patch

-------------------------------------------------------------------
Wed Jun 12 13:00:59 UTC 2024 - Callum Farmer <gmbr3@opensuse.org>

- Amend fix_building_widevinecdm_with_chromium.patch to allow Widevine on ARM64 (bsc#1226170)

-------------------------------------------------------------------
Fri May 31 07:29:22 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 125.0.6422.141 (boo#1225690)
  * CVE-2024-5493: Heap buffer overflow in WebRTC
  * CVE-2024-5494: Use after free in Dawn
  * CVE-2024-5495: Use after free in Dawn
  * CVE-2024-5496: Use after free in Media Session
  * CVE-2024-5497: Out of bounds memory access in Keyboard Inputs
  * CVE-2024-5498: Use after free in Presentation API
  * CVE-2024-5499: Out of bounds write in Streams API

-------------------------------------------------------------------
Fri May 24 04:24:22 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 125.0.6422.112
  * CVE-2024-5274: Type Confusion in V8 (boo#1225199)

-------------------------------------------------------------------
Tue May 21 20:47:44 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 125.0.6422.76 (boo#1224818)
  * CVE-2024-5157: Use after free in Scheduling
  * CVE-2024-5158: Type Confusion in V8
  * CVE-2024-5159: Heap buffer overflow in ANGLE
  * CVE-2024-5160: Heap buffer overflow in Dawn
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Thu May 16 16:57:33 CEST 2024 - ro@suse.de

- Chromium 125.0.6422.60 (boo#1224341)
  * CVE-2024-4947: Type Confusion in V8
  * CVE-2024-4948: Use after free in Dawn
  * CVE-2024-4949: Use after free in V8
  * CVE-2024-4950: Inappropriate implementation in Downloads
- Chromium 125.0.6422.41
  * New upstream (early) stable release.
- drop upstreamed patches:
  * chromium-124-uint-includes.patch
  * chromium-124-fps-optional.patch
  * chromium-124-span-optional.patch
  * chromium-124-extractor-bitset.patch
  * chromium-124-atomic.patch
  * chromium-124-webgpu-optional.patch
  * chromium-124-angle-powf.patch
- add debian upstream patches added for 125:
  * chromium-125-appservice-include.patch
  * chromium-125-lens-include.patch
  * chromium-125-mojo-bindings-include.patch
  * chromium-125-no-vector-consts.patch
  * chromium-125-vulkan-include.patch
  * chromium-125-tabstrip-include.patch
  * chromium-125-ninja.patch
- add debian fixes patches to fix font gc crashes:
  * chromium-125-debian-bad-font-gc0000.patch
  * chromium-125-debian-bad-font-gc000.patch
  * chromium-125-debian-bad-font-gc00.patch
  * chromium-125-debian-bad-font-gc0.patch
  * chromium-125-debian-bad-font-gc11.patch
  * chromium-125-debian-bad-font-gc1.patch
  * chromium-125-debian-bad-font-gc2.patch
  * chromium-125-debian-bad-font-gc3.patch
- add from fedora (reverse applied for older ffmpeg):
  * chromium-125-ffmpeg-5.x-reordered_opaque.patch
- re-diff and rename:
  * from chromium-110-compiler.patch to chromium-125-compiler.patch
  * from chromium-120-emplace-struct.patch to chromium-125-emplace-struct.patch
  * from chromium-disable-FFmpegAllowLists.patch to chromium-125-disable-FFmpegAllowLists.patch
  * from chromium-122-missing-header-files.patch to chromium-125-missing-header-files.patch
  * from chromium-122-no_matching_constructor.patch to chromium-125-no_matching_constructor.patch
  * from chromium-122-lp155-typename.patch to chromium-125-lp155-typename.patch
- third_party/zstd added to keeplibs for third_party/blink/renderer/platform:platform
- third_party/tflite/src/third_party/xla/xla/tsl/util added to keeplibs for third_party/tflite/tflite
- third_party/lens_server_proto added to keeplibs for gen/third_party/lens_server_proto

-------------------------------------------------------------------
Tue May 14 05:03:09 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 124.0.6367.207 (boo#1224294)
  * CVE-2024-4761: Out of bounds write in V8

-------------------------------------------------------------------
Fri May 10 12:16:29 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 124.0.6367.201 (boo#1224208)
  * CVE-2024-4671: Use after free in Visuals
- Chromium 124.0.6367.155 (boo#1224045)
  * CVE-2024-4558: Use after free in ANGLE
  * CVE-2024-4559: Heap buffer overflow in WebAudio

-------------------------------------------------------------------
Fri May 3 11:10:19 CEST 2024 - ro@suse.de

- drop patches:
  * chromium-123-WebUI-static_assert.patch

-------------------------------------------------------------------
Thu May 2 19:41:37 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 124.0.6367.118 (boo#1223846)
  * CVE-2024-4331: Use after free in Picture In Picture
  * CVE-2024-4368: Use after free in Dawn

-------------------------------------------------------------------
Wed May 1 11:29:39 UTC 2024 - Callum Farmer <gmbr3@opensuse.org>

- Add patches:
  * chromium-123-missing-QtGui.patch
- Restore libxml 2.12 check for chromium-124-system-libxml.patch which replaced chromium-121-blink-libxml-const.patch

-------------------------------------------------------------------
Fri Apr 26 14:56:40 CEST 2024 - ro@suse.de

- Chromium 124.0.6367.78 (boo#1223845)
  * CVE-2024-4058: Type Confusion in ANGLE
  * CVE-2024-4059: Out of bounds read in V8 API
  * CVE-2024-4060: Use after free in Dawn

-------------------------------------------------------------------
Wed Apr 17 17:38:12 CEST 2024 - ro@suse.de

- Chromium 124.0.6367.60 (boo#1222958)
  * CVE-2024-3832: Object corruption in V8.
  * CVE-2024-3833: Object corruption in WebAssembly.
  * CVE-2024-3834: Use after free in Downloads. Reported by ChaobinZhang
  * CVE-2024-3837: Use after free in QUIC.
  * CVE-2024-3838: Inappropriate implementation in Autofill.
  * CVE-2024-3839: Out of bounds read in Fonts.
  * CVE-2024-3840: Insufficient policy enforcement in Site Isolation.
  * CVE-2024-3841: Insufficient data validation in Browser Switcher.
  * CVE-2024-3843: Insufficient data validation in Downloads.
  * CVE-2024-3844: Inappropriate implementation in Extensions.
  * CVE-2024-3845: Inappropriate implementation in Network.
  * CVE-2024-3846: Inappropriate implementation in Prompts.
  * CVE-2024-3847: Insufficient policy enforcement in WebUI.
- drop patches:
  * chromium-123-optional2.patch
  * chromium-122-avoid-SFINAE-TypeConverter.patch
  * chromium-123-PA-InternalAllocator.patch
- rediff patches:
  * chromium-110-compiler.patch
  * chromium-120-emplace.patch
  * chromium-122-no_matching_constructor.patch
  * chromium-122-lp155-typename.patch
- add patches: from debian/fixes
  * chromium-123-stats-collector.patch
- add patches: from debian/upstream
  * chromium-124-angle-powf.patch
  * chromium-124-atomic.patch
  * chromium-124-extractor-bitset.patch
  * chromium-124-fps-optional.patch
  * chromium-124-span-optional.patch
  * chromium-124-uint-includes.patch
  * chromium-124-webgpu-optional.patch
- add patches:
  * chromium-123-WebUI-static_assert.patch workaround for compile issue in webui_contents_wrapper.h
  * chromium-124-system-libxml.patch (from fedora)

-------------------------------------------------------------------
Sun Apr 14 11:06:41 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 123.0.6312.122 (boo#1222707)
  * CVE-2024-3157: Out of bounds write in Compositing
  * CVE-2024-3516: Heap buffer overflow in ANGLE
  * CVE-2024-3515: Use after free in Dawn
- Chromium 123.0.6312.105 (boo#1222260)
  * CVE-2024-3156: Inappropriate implementation in V8
  * CVE-2024-3158: Use after free in Bookmarks
  * CVE-2024-3159: Out of bounds memory access in V8
- Chromium 123.0.6312.86 (boo#1222035)
  * CVE-2024-2883: Use after free in ANGLE
  * CVE-2024-2885: Use after free in Dawn
  * CVE-2024-2886: Use after free in WebCodecs
  * CVE-2024-2887: Type Confusion in WebAssembly
- Chromium 123.0.6312.58 (boo#1221732)
  * CVE-2024-2625: Object lifecycle issue in V8
  * CVE-2024-2626: Out of bounds read in Swiftshader
  * CVE-2024-2627: Use after free in Canvas
  * CVE-2024-2628: Inappropriate implementation in Downloads
- drop patches:
  * chromium-117-blink-BUILD-mnemonic.patch
  * chromium-121-blink-libxml-const.patch
  * chromium-122-BookmarkNode-missing-operator.patch
  * chromium-122-WebUI-static_assert.patch
  * chromium-122-PA-undo-internal-alloc.patch

-------------------------------------------------------------------
Mon Mar 18 13:13:01 UTC 2024 - Callum Farmer <gmbr3@opensuse.org>

- Use Python 3.11 on Leap
- Rename chromium-122-skip_bubble_contents_wrapper_static_assert.patch to chromium-122-WebUI-static_assert.patch
- Rename chromium-122-disable-FFmpegAllowLists.patch to chromium-disable-FFmpegAllowLists.patch
- Rename chromium-122-static-assert.patch to chromium-122-BookmarkNode-missing-operator.patch
- Rename chromium-122-undo-internal-alloc.patch to chromium-122-PA-undo-internal-alloc.patch
- Rename chromium-122-typename.patch to chromium-122-lp155-typename.patch
- Removed patches:
  * chromium-121-v8-c++20-p1.patch
  * chromium-121-v8-c++20.patch
  * chromium-122-unique_ptr.patch
  * chromium-122-python3-assignment-expressions.patch
  * chromium-122-el8-support-64kpage.patch
  * chromium-122-el7-inline-function.patch
  * chromium-122-el7-extra-operator.patch
  * chromium-122-el7-default-constructor-involving-anonymous-union.patch
  * chromium-122-constexpr.patch
  * chromium-122-clang-build-flags.patch
  * chromium-122-clang16-disable-auto-upgrade-debug-info.patch
  * chromium-122-clang16-buildflags.patch
  * chromium-122-arm64-memory_tagging.patch
  * chromium-121-el7-clang-version-warning.patch
  * chromium-116-lp155-url_load_stats-size-t.patch
  * chromium-icu72-2.patch
  * chromium-122-debian-upstream-mojo.patch
- Patches merged into other patches:
  * chromium-122-debian-upstream-bitset.patch
  * chromium-122-debian-upstream-optional.patch
  * chromium-122-debian-upstream-uniqptr.patch
  * chromium-122-debian-fixes-optional.patch
  * chromium-122-norar.patch
- Restore time clamper change to chromium-122-missing-header-files.patch
- Fix missing/invalid casting in chromium-122-no_matching_constructor.patch

-------------------------------------------------------------------
Wed Mar 13 05:35:05 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 122.0.6261.128 (boo#1221335)
  * CVE-2024-2400: Use after free in Performance Manager

-------------------------------------------------------------------
Fri Mar 8 16:14:39 CET 2024 - ro@suse.de

- Chromium 122.0.6261.111 (boo#1220131,boo#1220604,boo#1221105)
  * New upstream security release.
  * CVE-2024-2173: Out of bounds memory access in V8.
  * CVE-2024-2174: Inappropriate implementation in V8.
  * CVE-2024-2176: Use after free in FedCM.
- Chromium 122.0.6261.94
  * CVE-2024-1669: Out of bounds memory access in Blink.
  * CVE-2024-1670: Use after free in Mojo.
  * CVE-2024-1671: Inappropriate implementation in Site Isolation.
  * CVE-2024-1672: Inappropriate implementation in Content Security Policy.
  * CVE-2024-1673: Use after free in Accessibility.
  * CVE-2024-1674: Inappropriate implementation in Navigation.
  * CVE-2024-1675: Insufficient policy enforcement in Download.
  * CVE-2024-1676: Inappropriate implementation in Navigation.
  * Type Confusion in V8
  * rediff chromium-disable-GlobalMediaControlsCastStartStop.patch
  * drop chromium-114-lld-argument.patch
    replaced by chromium-122-clang16-disable-auto-upgrade-debug-info.patch
  * drop chromium-121-no_matching_constructor.patch
    replaced by chromium-122-no_matching_constructor.patch
  * drop chromium-113-webview-namespace.patch (obsolete)
  * reduce chromium-norar.patch by the hunks in chromium-122-norar.patch
  * drop chromium-114-revert-av1enc-lp154.patch
    replaced by chromium-122-revert-av1enc-el9.patch
  * drop chromium-115-lp155-typename.patch
    chromium-116-lp155-typenames.patch
    chromium-117-lp155-typename.patch
    chromium-120-lp155-typename.patch
    replaced by chromium-122-typename.patch
  * drop chromium-121-missing-header-files.patch
    replaced by chromium-122-missing-header-files.patch
  * drop chromium-121-workaround_clang_bug-structured_binding.patch
    replaced by chromium-122-workaround_clang_bug-structured_binding.patch
  * drop chromium-121-no_matching_constructor.patch
    replaced by chromium-122-no_matching_constructor.patch
  * drop chromium-121-python3-invalid-escape-sequence.patch (upstream)
  * drop chromium-disable-FFmpegAllowLists.patch
    replaced by chromium-122-disable-FFmpegAllowLists.patch
  * drop chromium-121-avoid-SFINAE-TypeConverter.patch
    replaced by chromium-122-avoid-SFINAE-TypeConverter.patch
  * add buildrequires for rust
  * add patches from fedora package for 121 and 122
  * chromium-121-el7-clang-version-warning.patch
  * chromium-121-v8-c++20-p1.patch
  * chromium-121-v8-c++20.patch
  * chromium-122-arm64-memory_tagging.patch
  * chromium-122-clang16-buildflags.patch
  * chromium-122-clang16-disable-auto-upgrade-debug-info.patch
  * chromium-122-clang-build-flags.patch
  * chromium-122-constexpr.patch
  * chromium-122-disable-FFmpegAllowLists.patch
  * chromium-122-el7-default-constructor-involving-anonymous-union.patch
  * chromium-122-el7-extra-operator.patch
  * chromium-122-el7-inline-function.patch
  * chromium-122-el8-support-64kpage.patch
  * chromium-122-missing-header-files.patch
  * chromium-122-no_matching_constructor.patch
  * chromium-122-norar.patch
  * chromium-122-python3-assignment-expressions.patch
  * chromium-122-revert-av1enc-el9.patch
  * chromium-122-static-assert.patch
  * chromium-122-typename.patch
  * chromium-122-unique_ptr.patch
  * chromium-122-workaround_clang_bug-structured_binding.patch
  * from debian add
  * chromium-122-undo-internal-alloc.patch
  * chromium-122-debian-upstream-bitset.patch
  * chromium-122-debian-upstream-mojo.patch
  * chromium-122-debian-upstream-optional.patch
  * chromium-122-debian-upstream-uniqptr.patch
  * chromium-122-debian-fixes-optional.patch
  * added compile fix needed on code15
    chromium-122-skip_bubble_contents_wrapper_static_assert.patch
    to prevent "static assertion expression is not an integral constant expression"
    "in call to 'operator+(&"."[0], ShoppingInsightsSidePanelUI::GetWebUIName())'"
    in bubble_contents_wrapper.h:153
- replace Cr121-ffmpeg-new-channel-layout.patch by Cr122-ffmpeg-new-channel-layout.patch (rediff against 122)
- drop chromium-121-system-old-ffmpeg.patch

-------------------------------------------------------------------
Fri Mar 8 13:16:51 UTC 2024 - Callum Farmer <gmbr3@opensuse.org>

- Add Cr121-ffmpeg-new-channel-layout.patch to rollback more FFmpeg changes so that FFmpeg 4 will work on Leap
- Prepare for libxml 2.12

-------------------------------------------------------------------
Sat Mar 2 12:39:17 UTC 2024 - Callum Farmer <gmbr3@opensuse.org>

- Chromium 121.0.6167.184 (boo#1219118, boo#1219387, boo#1219661)
  * CVE-2024-1284: Use after free in Mojo
  * CVE-2024-1283: Heap buffer overflow in Skia
  * CVE-2024-1060: Use after free in Canvas
  * CVE-2024-1059: Use after free in WebRTC
  * CVE-2024-1077: Use after free in Network
  * CVE-2024-0807: Use after free in WebAudio
  * CVE-2024-0812: Inappropriate implementation in Accessibility
  * CVE-2024-0808: Integer underflow in WebUI
  * CVE-2024-0810: Insufficient policy enforcement in DevTools
  * CVE-2024-0814: Incorrect security UI in Payments
  * CVE-2024-0813: Use after free in Reading Mode
  * CVE-2024-0806: Use after free in Passwords
  * CVE-2024-0805: Inappropriate implementation in Downloads
  * CVE-2024-0804: Insufficient policy enforcement in iOS Security UI
  * CVE-2024-0811: Inappropriate implementation in Extensions API
  * CVE-2024-0809: Inappropriate implementation in Autofill
- Removed patches:
  * chromium-117-includes.patch
  * chromium-118-includes.patch
  * chromium-119-dont-redefine-ATSPI-version-macros.patch
  * chromium-120-missing-header-files.patch
  * chromium-120-no_matching_constructor.patch
  * chromium-120-nullptr_t-without-namespace-std.patch
  * chromium-120-workaround_clang_bug-structured_binding.patch
  * gcc13-fix.patch
  * chromium-113-webauth-include-variant.patch
  * chromium-110-system-libffi.patch
- Added patches:
  * chromium-121-no_matching_constructor.patch
  * chromium-121-nullptr_t-without-namespace-std.patch
  * chromium-121-workaround_clang_bug-structured_binding.patch
  * chromium-121-missing-header-files.patch
  * chromium-121-rust-clang_lib.patch
  * chromium-121-python3-invalid-escape-sequence.patch
  * chromium-121-rust-clang_lib.patch
  * chromium-121-avoid-SFINAE-TypeConverter.patch
  * chromium-121-blink-libxml-const.patch
- Add patch chromium-disable-FFmpegAllowLists.patch: disable codec checker this will always fail (bsc#1219070)

-------------------------------------------------------------------
Wed Jan 17 08:54:07 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 120.0.6099.224 (boo#1218892)
  * CVE-2024-0517: Out of bounds write in V8
  * CVE-2024-0518: Type Confusion in V8
  * CVE-2024-0519: Out of bounds memory access in V8
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Sun Jan 14 10:07:12 UTC 2024 - Callum Farmer <gmbr3@opensuse.org>

- Replace chromium-120-lp155-revert-clang-build-failure.patch with
  chromium-120-make_unique-struct.patch - which avoids reverting
  changes and instead provides a stub constructor to fix build on Leap

-------------------------------------------------------------------
Sat Jan 13 08:29:26 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 120.0.6099.216 (boo#1217839, boo#1218048, boo#1218302, boo#1218533, boo#1218719)
  * CVE-2024-0333: Insufficient data validation in Extensions
  * CVE-2024-0222: Use after free in ANGLE
  * CVE-2024-0223: Heap buffer overflow in ANGLE
  * CVE-2024-0224: Use after free in WebAudio
  * CVE-2024-0225: Use after free in WebGPU
  * CVE-2023-7024: Heap buffer overflow in WebRTC
  * CVE-2023-6702: Type Confusion in V8
  * CVE-2023-6703: Use after free in Blink
  * CVE-2023-6704: Use after free in libavif (boo#1218303)
  * CVE-2023-6705: Use after free in WebRTC
  * CVE-2023-6706: Use after free in FedCM
  * CVE-2023-6707: Use after free in CSS
  * CVE-2023-6508: Use after free in Media Stream
  * CVE-2023-6509: Use after free in Side Panel Search
  * CVE-2023-6510: Use after free in Media Capture
  * CVE-2023-6511: Inappropriate implementation in Autofill
  * CVE-2023-6512: Inappropriate implementation in Web Browser UI
- drop patches:
  * chromium-system-libusb.patch
  * chromium-119-nullptr_t-without-namespace-std.patch
  * chromium-119-no_matching_constructor.patch
  * chromium-117-workaround_clang_bug-structured_binding.patch
- add patches:
  * chromium-120-nullptr_t-without-namespace-std.patch
  * chromium-120-emplace.patch
  * chromium-120-lp155-typename.patch
  * chromium-120-no_matching_constructor.patch
  * chromium-120-missing-header-files.patch
  * chromium-120-emplace-struct.patch
  * chromium-120-workaround_clang_bug-structured_binding.patch
- add patches for Leap that revert breaking changes:
  * chromium-120-lp155-revert-clang-build-failure.patch

-------------------------------------------------------------------
Wed Nov 29 06:26:02 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 119.0.6045.199 (boo#1217616)
  * CVE-2023-6348: Type Confusion in Spellcheck
  * CVE-2023-6347: Use after free in Mojo
  * CVE-2023-6346: Use after free in WebAudio
  * CVE-2023-6350: Out of bounds memory access in libavif (boo#1217614)
  * CVE-2023-6351: Use after free in libavif (boo#1217615)
  * CVE-2023-6345: Integer overflow in Skia
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Wed Nov 15 06:18:42 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 119.0.6045.159 (boo#1217142)
  * CVE-2023-5997: Use after free in Garbage Collection
  * CVE-2023-6112: Use after free in Navigation
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Fri Nov 10 18:50:48 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 119.0.6045.123 (boo#1216978)
  * CVE-2023-5996: Use after free in WebAudio
- Chromium 119.0.6045.105 (boo#1216783)
  * CVE-2023-5480: Inappropriate implementation in Payments
  * CVE-2023-5482: Insufficient data validation in USB
  * CVE-2023-5849: Integer overflow in USB
  * CVE-2023-5850: Incorrect security UI in Downloads
  * CVE-2023-5851: Inappropriate implementation in Downloads
  * CVE-2023-5852: Use after free in Printing
  * CVE-2023-5853: Incorrect security UI in Downloads
  * CVE-2023-5854: Use after free in Profiles
  * CVE-2023-5855: Use after free in Reading Mode
  * CVE-2023-5856: Use after free in Side Panel
  * CVE-2023-5857: Inappropriate implementation in Downloads
  * CVE-2023-5858: Inappropriate implementation in WebApp Provider
  * CVE-2023-5859: Incorrect security UI in Picture In Picture
- dropped patches:
  * chromium-98-gtk4-build.patch
  * chromium-118-system-freetype.patch
  * chromium-118-no_matching_constructor.patch
- added patches:
  * chromium-119-no_matching_constructor.patch
  * chromium-119-dont-redefine-ATSPI-version-macros.patch
  * chromium-119-nullptr_t-without-namespace-std.patch
  * chromium-119-assert.patch

-------------------------------------------------------------------
Tue Oct 24 21:20:15 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 118.0.5993.117 (boo#1216549)
  * CVE-2023-5472: Use after free in Profiles
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Wed Oct 18 20:39:57 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 118.0.5993.88:
  * unspecified security fix (boo#1216392)

-------------------------------------------------------------------
Wed Oct 11 18:56:28 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- refresh chromium-117-emplace_back_on_vector-c++20.patch and
  chromium-117-lp155-constructors.patch to
  chromium-118-no_matching_constructor.patch

-------------------------------------------------------------------
Tue Oct 10 20:18:54 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 118.0.5993.70 (boo#1216111)
  * CVE-2023-5218: Use after free in Site Isolation
  * CVE-2023-5487: Inappropriate implementation in Fullscreen
  * CVE-2023-5484: Inappropriate implementation in Navigation
  * CVE-2023-5475: Inappropriate implementation in DevTools
  * CVE-2023-5483: Inappropriate implementation in Intents
  * CVE-2023-5481: Inappropriate implementation in Downloads
  * CVE-2023-5476: Use after free in Blink History
  * CVE-2023-5474: Heap buffer overflow in PDF
  * CVE-2023-5479: Inappropriate implementation in Extensions API
  * CVE-2023-5485: Inappropriate implementation in Autofill
  * CVE-2023-5478: Inappropriate implementation in Autofill
  * CVE-2023-5477: Inappropriate implementation in Installer
  * CVE-2023-5486: Inappropriate implementation in Input
  * CVE-2023-5473: Use after free in Cast
- Build with system freetype (again), and zstd
- add patches:
  * chromium-118-system-freetype.patch
  * chromium-117-system-zstd.patch

-------------------------------------------------------------------
Sat Oct 7 15:32:52 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 118.0.5993.54
- add patches:
  * chromium-118-includes.patch

-------------------------------------------------------------------
Wed Oct 4 05:22:08 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 117.0.5938.149:
  * CVE-2023-5346: Type Confusion in V8 (boo#1215924)

-------------------------------------------------------------------
Wed Sep 27 21:39:34 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 117.0.5938.132 (boo#1215776):
  * CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx (boo#1215778)
  * CVE-2023-5186: Use after free in Passwords
  * CVE-2023-5187: Use after free in Extensions

-------------------------------------------------------------------
Fri Sep 22 06:27:24 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 117.0.5938.92:
  * stability improvements

-------------------------------------------------------------------
Wed Sep 20 13:59:22 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Add explicit build dependency on libepoxy for Tumbleweed

-------------------------------------------------------------------
Sun Sep 17 11:47:10 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 117.0.5938.88 (boo#1215279)
  * CVE-2023-4900: Inappropriate implementation in Custom Tabs
  * CVE-2023-4901: Inappropriate implementation in Prompts
  * CVE-2023-4902: Inappropriate implementation in Input
  * CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs
  * CVE-2023-4904: Insufficient policy enforcement in Downloads
  * CVE-2023-4905: Inappropriate implementation in Prompts
  * CVE-2023-4906: Insufficient policy enforcement in Autofill
  * CVE-2023-4907: Inappropriate implementation in Intents
  * CVE-2023-4908: Inappropriate implementation in Picture in Picture
  * CVE-2023-4909: Inappropriate implementation in Interstitials
- drop patches:
  * chromium-100-InMilliseconds-constexpr.patch
  * chromium-115-Qt-moc-version.patch
  * chromium-116-profile-view-utils-vector-include.patch
  * chromium-116-blink-variant-include.patch
  * chromium-116-abseil-limits-include.patch
  * chromium-116-lp155-constuctors.patch
  * chromium-115-workaround_clang_bug-structured_binding.patch
  * chromium-115-emplace_back_on_vector-c++20.patch
- add patches:
  * chromium-117-blink-BUILD-mnemonic.patch
  * chromium-117-includes.patch
  * chromium-117-lp155-constructors.patch
  * chromium-117-string-convert.patch
  * chromium-117-lp155-typename.patch
  * chromium-117-workaround_clang_bug-structured_binding.patch
  * chromium-117-emplace_back_on_vector-c++20.patch

-------------------------------------------------------------------
Wed Sep 13 20:04:46 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- CVE-2023-4863: build with the bundled library on Leap (boo#1215231)

-------------------------------------------------------------------
Tue Sep 12 06:18:00 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 116.0.5845.187 (boo#1215231):
  * CVE-2023-4863: Heap buffer overflow in WebP

-------------------------------------------------------------------
Wed Sep 6 05:08:13 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 116.0.5845.179 (boo#1215023):
  * CVE-2023-4761: Out of bounds memory access in FedCM
  * CVE-2023-4762: Type Confusion in V8
  * CVE-2023-4763: Use after free in Networks
  * CVE-2023-4764: Incorrect security UI in BFCache

-------------------------------------------------------------------
Wed Aug 30 00:57:21 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 116.0.5845.140 (boo#1214758):
  * CVE-2023-4572: Use after free in MediaStream

-------------------------------------------------------------------
Wed Aug 23 06:09:03 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 116.0.5845.110 (boo#1214487):
  * CVE-2023-4427: Out of bounds memory access in V8
  * CVE-2023-4428: Out of bounds memory access in CSS
  * CVE-2023-4429: Use after free in Loader
  * CVE-2023-4430: Use after free in Vulkan
  * CVE-2023-4431: Out of bounds memory access in Fonts

-------------------------------------------------------------------
Mon Aug 14 19:17:09 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 116.0.5845.96
  * New CSS features: Motion Path, and "display" and "content-visibility" animations
  * Web APIs: AbortSignal.any(), BYOB support for Fetch,
    Back/forward cache NotRestoredReason API, Document Picture-in-Picture,
    Expanded Wildcards in Permissions Policy Origins,
    FedCM bundle: Login Hint API, User Info API, and RP Context API,
    Non-composed Mouse and Pointer enter/leave events,
    Remove document.open sandbox inheritance,
    Report Critical-CH caused restart in NavigationTiming
- fix a number of security issues (boo#1214301):
  * CVE-2023-2312: Use after free in Offline
  * CVE-2023-4349: Use after free in Device Trust Connectors
  * CVE-2023-4350: Inappropriate implementation in Fullscreen
  * CVE-2023-4351: Use after free in Network
  * CVE-2023-4352: Type Confusion in V8
  * CVE-2023-4353: Heap buffer overflow in ANGLE
  * CVE-2023-4354: Heap buffer overflow in Skia
  * CVE-2023-4355: Out of bounds memory access in V8
  * CVE-2023-4356: Use after free in Audio
  * CVE-2023-4357: Insufficient validation of untrusted input in XML
  * CVE-2023-4358: Use after free in DNS
  * CVE-2023-4359: Inappropriate implementation in App Launcher
  * CVE-2023-4360: Inappropriate implementation in Color
  * CVE-2023-4361: Inappropriate implementation in Autofill
  * CVE-2023-4362: Heap buffer overflow in Mojom IDL
  * CVE-2023-4363: Inappropriate implementation in WebShare
  * CVE-2023-4364: Inappropriate implementation in Permission Prompts
  * CVE-2023-4365: Inappropriate implementation in Fullscreen
  * CVE-2023-4366: Use after free in Extensions
  * CVE-2023-4367: Insufficient policy enforcement in Extensions API
  * CVE-2023-4368: Insufficient policy enforcement in Extensions API
- drop patches:
  * chromium-115-add_BoundSessionRefreshCookieFetcher::Result.patch
  * chromium-115-verify_name_match-include.patch
  * chromium-86-fix-vaapi-on-intel.patch
  * chromium-115-skia-include.patch
  * chromium-115-dont-pass-nullptr-to-construct-re2-StringPiece.patch
- add patches:
  * chromium-116-profile-view-utils-vector-include.patch
  * chromium-116-blink-variant-include.patch
  * chromium-116-lp155-url_load_stats-size-t.patch
  * chromium-116-abseil-limits-include.patch
  * chromium-116-lp155-typenames.patch
  * chromium-116-lp155-constuctors.patch
- Build with bundled re2 on Leap

-------------------------------------------------------------------
Wed Aug 9 17:24:31 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Fix crash with extensions (boo#1214003)
  chromium-115-dont-pass-nullptr-to-construct-re2-StringPiece.patch

-------------------------------------------------------------------
Thu Aug 3 06:00:39 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 115.0.5790.170 (boo#1213920)
  * CVE-2023-4068: Type Confusion in V8
  * CVE-2023-4069: Type Confusion in V8
  * CVE-2023-4070: Type Confusion in V8
  * CVE-2023-4071: Heap buffer overflow in Visuals
  * CVE-2023-4072: Out of bounds read and write in WebGL
  * CVE-2023-4073: Out of bounds memory access in ANGLE
  * CVE-2023-4074: Use after free in Blink Task Scheduling
  * CVE-2023-4075: Use after free in Cast
  * CVE-2023-4076: Use after free in WebRTC
  * CVE-2023-4077: Insufficient data validation in Extensions
  * CVE-2023-4078: Inappropriate implementation in Extensions

-------------------------------------------------------------------
Fri Jul 28 22:01:46 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Specify re2 build dependency in a way that makes Leap packages
  build in devel project and in Maintenance

-------------------------------------------------------------------
Sun Jul 23 11:55:15 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 115.0.5790.102:
  * stability fix
- Add build fixes on Leap:
  * chromium-115-emplace_back_on_vector-c++20.patch
  * chromium-115-compiler-SkColor4f.patch
  * chromium-115-workaround_clang_bug-structured_binding.patch
  * chromium-115-add_BoundSessionRefreshCookieFetcher::Result.patch
- adjust chromium-115-lp155-typename.patch
- drop chromium-114-workaround_clang_bug-structured_binding.patch

-------------------------------------------------------------------
Wed Jul 19 09:23:32 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 115.0.5790.98
  * Security: The Storage, Service Worker, and Communication APIs
    are now partitioned in third-party contexts to prevent certain
    types of side-channel cross-site tracking
  * HTTPS: Automatically and optimistically upgrade all main-frame
    navigations to HTTPS, with fast fallback to HTTP.
  * CSS: accept multiple values of the display property
  * CSS: support boolean context style container queries
  * CSS: support scroll-driven animations
  * Increase the maximum size of a WebAssembly.Module() on the main thread to 8 MB
  * FedCM: Support credential management mediation requirements for auto re-authentication
  * Deprecate the document.domain setter
  * Deprecate mutation events
  * Security fixes (boo#1213462):
    CVE-2023-3727: Use after free in WebRTC
    CVE-2023-3728: Use after free in WebRTC
    CVE-2023-3730: Use after free in Tab Groups
    CVE-2023-3732: Out of bounds memory access in Mojo
    CVE-2023-3733: Inappropriate implementation in WebApp Installs
    CVE-2023-3734: Inappropriate implementation in Picture In Picture
    CVE-2023-3735: Inappropriate implementation in Web API Permission Prompts
    CVE-2023-3736: Inappropriate implementation in Custom Tabs
    CVE-2023-3737: Inappropriate implementation in Notifications
    CVE-2023-3738: Inappropriate implementation in Autofill
    CVE-2023-3740: Insufficient validation of untrusted input in Themes
    Various fixes from internal audits, fuzzing and other initiatives
- drop chromium-113-typename.patch
- add chromium-115-skia-include.patch
- add chromium-115-verify_name_match-include.patch
- add chromium-115-lp155-typename.patch
- Add chromium-115-Qt-moc-version.patch: support Qt5 & Qt6 without built-in copy of shim

-------------------------------------------------------------------
Tue Jun 27 07:39:29 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 114.0.5735.198 (boo#1212755):
  * CVE-2023-3420: Type Confusion in V8
  * CVE-2023-3421: Use after free in Media
  * CVE-2023-3422: Use after free in Guest View

-------------------------------------------------------------------
Sun Jun 25 09:54:37 UTC 2023 - Callum Farmer <gmbr3@opensuse.org>

- Install Qt5 library & prepare for Qt6 in 115

-------------------------------------------------------------------
Wed Jun 14 05:23:16 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 114.0.5735.133 (boo#1212302):
  * CVE-2023-3214: Use after free in Autofill payments
  * CVE-2023-3215: Use after free in WebRTC
  * CVE-2023-3216: Type Confusion in V8
  * CVE-2023-3217: Use after free in WebXR
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Wed Jun 7 18:13:06 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de>

- Fix Leap 15.4 build - chromium-114-revert-av1enc-lp154.patch

-------------------------------------------------------------------
Tue Jun 6 05:34:13 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 114.0.5735.106 (boo#1212044):
  * CVE-2023-3079: Type Confusion in V8

-------------------------------------------------------------------
Sun Jun 4 18:52:01 UTC 2023 - Callum Farmer <gmbr3@opensuse.org>

- Chromium 114.0.5735.90 (boo#1211843):
  * CSS text-wrap: balance is available
  * Cookies partitioned by top level site (CHIPS)
  * New Popover API
- Security fixes:
  * CVE-2023-2929: Out of bounds write in Swiftshader
  * CVE-2023-2930: Use after free in Extensions
  * CVE-2023-2931: Use after free in PDF
  * CVE-2023-2932: Use after free in PDF
  * CVE-2023-2933: Use after free in PDF
  * CVE-2023-2934: Out of bounds memory access in Mojo
  * CVE-2023-2935: Type Confusion in V8
  * CVE-2023-2936: Type Confusion in V8
  * CVE-2023-2937: Inappropriate implementation in Picture In Picture
  * CVE-2023-2938: Inappropriate implementation in Picture In Picture
CVE-2023-2939: Insufficient data validation in Installer * CVE-2023-2940: Inappropriate implementation in Downloads * CVE-2023-2941: Inappropriate implementation in Extensions API - Drop patches: * chromium-103-VirtualCursor-std-layout.patch * chromium-113-system-zlib.patch * chromium-113-workaround_clang_bug-structured_binding.patch - Add patches * chromium-114-workaround_clang_bug-structured_binding.patch * chromium-114-lld-argument.patch ------------------------------------------------------------------- Tue May 30 21:53:45 UTC 2023 - Callum Farmer <gmbr3@opensuse.org> - Un-bundle zlib again - Remove un-needed patches: * chromium-112-default-comparison-operators.patch * chromium-109-clang-lp154.patch * chromium-clang-nomerge.patch * chromium-ffmpeg-lp152.patch * chromium-lp151-old-drm.patch - Added patches: * chromium-113-system-zlib.patch ------------------------------------------------------------------- Sun May 28 21:32:03 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> - build with llvm15 on Leap ------------------------------------------------------------------- Tue May 16 21:16:23 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de> - Chromium 113.0.5672.126 (boo#1211442): * CVE-2023-2721: Use after free in Navigation * CVE-2023-2722: Use after free in Autofill UI * CVE-2023-2723: Use after free in DevTools * CVE-2023-2724: Type Confusion in V8 * CVE-2023-2725: Use after free in Guest View * CVE-2023-2726: Inappropriate implementation in WebApp Installs * Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Tue May 9 19:14:20 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de> - Chromium 113.0.5672.92 (boo#1211211) - Multiple security fixes (boo#1211036): * CVE-2023-2459: Inappropriate implementation in Prompts * CVE-2023-2460: Insufficient validation of untrusted input in Extensions * CVE-2023-2461: Use after free in OS Inputs * CVE-2023-2462: Inappropriate implementation 
in Prompts * CVE-2023-2463: Inappropriate implementation in Full Screen Mode * CVE-2023-2464: Inappropriate implementation in PictureInPicture * CVE-2023-2465: Inappropriate implementation in CORS * CVE-2023-2466: Inappropriate implementation in Prompts * CVE-2023-2467: Inappropriate implementation in Prompts * CVE-2023-2468: Inappropriate implementation in PictureInPicture - drop chromium-94-sql-no-assert.patch - drop no-location-leap151.patch - add chromium-113-webview-namespace.patch - add chromium-113-webauth-include-variant.patch - add chromium-113-typename.patch - add chromium-113-workaround_clang_bug-structured_binding.patch ------------------------------------------------------------------- Wed Apr 19 19:55:51 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de> - Chromium 112.0.5615.165 (boo#1210618): * CVE-2023-2133: Out of bounds memory access in Service Worker API * CVE-2023-2134: Out of bounds memory access in Service Worker API * CVE-2023-2135: Use after free in DevTools * CVE-2023-2136: Integer overflow in Skia * CVE-2023-2137: Heap buffer overflow in sqlite - drop chromium-112-feed_protos.patch ------------------------------------------------------------------- Sun Apr 16 02:10:30 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> - Fix Leap 15.4 build failures from default comparison operators defined outside of the class definition, a C++20 feature adding chromium-112-default-comparison-operators.patch ------------------------------------------------------------------- Sat Apr 15 10:49:51 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 112.0.5615.121: * CVE-2023-2033: Type Confusion in V8 (boo#1210478) ------------------------------------------------------------------- Fri Apr 7 07:57:40 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> - Revert a breaking change with chromium-112-feed_protos.patch ------------------------------------------------------------------- Tue Apr 4 22:38:23 UTC 2023 - Andreas Stieger 
<andreas.stieger@gmx.de> - Chromium 112.0.5615.49 * CSS now supports nesting rules. * The algorithm to set the initial focus on <dialog> elements was updated. * No-op fetch() handlers on service workers are skipped from now on to make navigations faster * The setter for document.domain is now deprecated. * The recorder in devtools can now record with pierce selectors. * Security fixes (boo#1210126): * CVE-2023-1810: Heap buffer overflow in Visuals * CVE-2023-1811: Use after free in Frames * CVE-2023-1812: Out of bounds memory access in DOM Bindings * CVE-2023-1813: Inappropriate implementation in Extensions * CVE-2023-1814: Insufficient validation of untrusted input in Safe Browsing * CVE-2023-1815: Use after free in Networking APIs * CVE-2023-1816: Incorrect security UI in Picture In Picture * CVE-2023-1817: Insufficient policy enforcement in Intents * CVE-2023-1818: Use after free in Vulkan * CVE-2023-1819: Out of bounds read in Accessibility * CVE-2023-1820: Heap buffer overflow in Browser History * CVE-2023-1821: Inappropriate implementation in WebShare * CVE-2023-1822: Incorrect security UI in Navigation * CVE-2023-1823: Inappropriate implementation in FedCM ------------------------------------------------------------------- Mon Mar 27 20:12:21 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 111.0.5563.147: * nth-child() validation performance regression for SAP apps ------------------------------------------------------------------- Thu Mar 23 08:40:11 UTC 2023 - Guillaume GARDET <guillaume.gardet@opensuse.org> - Update gcc13-fix.patch with few fixes required for aarch64, borrowed from Fedora's gcc13 patch ------------------------------------------------------------------- Wed Mar 22 09:03:45 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 111.0.5563.110 (boo#1209598) * CVE-2023-1528: Use after free in Passwords * CVE-2023-1529: Out of bounds memory access in WebHID * CVE-2023-1530: Use after free in PDF * CVE-2023-1531: Use 
after free in ANGLE * CVE-2023-1532: Out of bounds read in GPU Video * CVE-2023-1533: Use after free in WebProtect * CVE-2023-1534: Out of bounds read in ANGLE ------------------------------------------------------------------- Mon Mar 20 11:59:36 UTC 2023 - Martin Liška <mliska@suse.cz> - Add gcc13-fix.patch in order to support GCC 13. ------------------------------------------------------------------- Thu Mar 9 23:54:55 UTC 2023 - Callum Farmer <gmbr3@opensuse.org> - Revert back to GCC 11 on 15.4 as Clang 13 doesn't support GCC 12 ------------------------------------------------------------------- Thu Mar 9 15:48:22 UTC 2023 - Callum Farmer <gmbr3@opensuse.org> - Bump Leap's GCC to 12 as Chromium really likes newer standards ------------------------------------------------------------------- Thu Mar 9 01:58:25 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 111.0.5563.64 * New View Transitions API * CSS Color Level 4 * New developer tools in style panel for color functionality * CSS added trigonometric functions, additional root font units and extended the n-th child pseudo selector. 
  * previousslide and nextslide actions are now part of the Media
    Session API
  * A number of security fixes (boo#1209040)
  * CVE-2023-1213: Use after free in Swiftshader
  * CVE-2023-1214: Type Confusion in V8
  * CVE-2023-1215: Type Confusion in CSS
  * CVE-2023-1216: Use after free in DevTools
  * CVE-2023-1217: Stack buffer overflow in Crash reporting
  * CVE-2023-1218: Use after free in WebRTC
  * CVE-2023-1219: Heap buffer overflow in Metrics
  * CVE-2023-1220: Heap buffer overflow in UMA
  * CVE-2023-1221: Insufficient policy enforcement in Extensions API
  * CVE-2023-1222: Heap buffer overflow in Web Audio API
  * CVE-2023-1223: Insufficient policy enforcement in Autofill
  * CVE-2023-1224: Insufficient policy enforcement in Web Payments API
  * CVE-2023-1225: Insufficient policy enforcement in Navigation
  * CVE-2023-1226: Insufficient policy enforcement in Web Payments API
  * CVE-2023-1227: Use after free in Core
  * CVE-2023-1228: Insufficient policy enforcement in Intents
  * CVE-2023-1229: Inappropriate implementation in Permission prompts
  * CVE-2023-1230: Inappropriate implementation in WebApp Installs
  * CVE-2023-1231: Inappropriate implementation in Autofill
  * CVE-2023-1232: Insufficient policy enforcement in Resource Timing
  * CVE-2023-1233: Insufficient policy enforcement in Resource Timing
  * CVE-2023-1234: Inappropriate implementation in Intents
  * CVE-2023-1235: Type Confusion in DevTools
  * CVE-2023-1236: Inappropriate implementation in Internals
- drop patches:
  * chromium-86-ImageMemoryBarrierData-init.patch
  * chromium-93-InkDropHost-crash.patch
  * chromium-110-NativeThemeBase-fabs.patch
  * chromium-110-CredentialUIEntry-const.patch
  * chromium-110-DarkModeLABColorSpace-pow.patch
  * v8-move-the-Stack-object-from-ThreadLocalTop.patch
  * chromium-icu72-1.patch

-------------------------------------------------------------------
Thu Feb 23 08:21:24 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 110.0.5481.177 (boo#1208589)
  * CVE-2023-0927: Use after free in Web Payments API
  * CVE-2023-0928: Use after free in SwiftShader
  * CVE-2023-0929: Use after free in Vulkan
  * CVE-2023-0930: Heap buffer overflow in Video
  * CVE-2023-0931: Use after free in Video
  * CVE-2023-0932: Use after free in WebRTC
  * CVE-2023-0933: Integer overflow in PDF
  * CVE-2023-0941: Use after free in Prompts
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Thu Feb 16 20:30:43 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 110.0.5481.100
  * fix regression on SAP Business Objects web UI
  * fix date formatting behavior change from ICU 72

-------------------------------------------------------------------
Wed Feb 8 20:16:01 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 110.0.5481.77 (boo#1208029):
  * CVE-2023-0696: Type Confusion in V8
  * CVE-2023-0697: Inappropriate implementation in Full screen mode
  * CVE-2023-0698: Out of bounds read in WebRTC
  * CVE-2023-0699: Use after free in GPU
  * CVE-2023-0700: Inappropriate implementation in Download
  * CVE-2023-0701: Heap buffer overflow in WebUI
  * CVE-2023-0702: Type Confusion in Data Transfer
  * CVE-2023-0703: Type Confusion in DevTools
  * CVE-2023-0704: Insufficient policy enforcement in DevTools
  * CVE-2023-0705: Integer overflow in Core
  * Various fixes from internal audits, fuzzing and other initiatives
- build with bundled libavif
- dropped patches:
  * chromium-109-compiler.patch
  * chromium-icu72-3.patch
- added patches:
  * chromium-110-compiler.patch
  * chromium-110-system-libffi.patch
  * chromium-110-NativeThemeBase-fabs.patch
  * chromium-110-CredentialUIEntry-const.patch
  * chromium-110-DarkModeLABColorSpace-pow.patch
  * v8-move-the-Stack-object-from-ThreadLocalTop.patch

-------------------------------------------------------------------
Wed Jan 25 04:51:29 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 109.0.5414.119 (boo#1207512):
  * CVE-2023-0471: Use after free in WebTransport
  * CVE-2023-0472: Use after free in WebRTC
  * CVE-2023-0473: Type Confusion in ServiceWorker API
  * CVE-2023-0474: Use after free in GuestView
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Tue Jan 17 21:03:29 UTC 2023 - Callum Farmer <gmbr3@opensuse.org>

- Added patches:
  * chromium-icu72-1.patch: ensure TextCodecCJK doesn't conflict with
    system icu (bsc#1207147)
  * chromium-icu72-2.patch: align default characters for old icu with
    that of ICU 72
  * chromium-icu72-3.patch: make V8 aware of space in ICU 72 time
    format

-------------------------------------------------------------------
Tue Jan 10 21:24:55 UTC 2023 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 109.0.5414.74:
  * Add support for MathML Core
  * CSS: Auto range support for font descriptors inside @font-face
    rule
  * CSS: Add lh length unit
  * CSS: Add hyphenate-limit-chars property
  * CSS: Snap border, outline and column-rule widths before layout
  * API: Improved screen sharing and web conferencing: hints for
    suppressing local audio playback, and Conditional Focus
  * API: HTTP response status code in the Resource Timing API
  * API: Same-site cross-origin prerendering triggered by the
    speculation rules API
  * Remove Event.path API
  * CVE-2023-0128: Use after free in Overview Mode
  * CVE-2023-0129: Heap buffer overflow in Network Service
  * CVE-2023-0130: Inappropriate implementation in Fullscreen API
  * CVE-2023-0131: Inappropriate implementation in iframe Sandbox
  * CVE-2023-0132: Inappropriate implementation in Permission prompts
  * CVE-2023-0133: Inappropriate implementation in Permission prompts
  * CVE-2023-0134: Use after free in Cart
  * CVE-2023-0135: Use after free in Cart
  * CVE-2023-0136: Inappropriate implementation in Fullscreen API
  * CVE-2023-0137: Heap buffer overflow in Platform Apps
  * CVE-2023-0138: Heap buffer overflow in libphonenumber
  * CVE-2023-0139: Insufficient validation of untrusted input in Downloads
  * CVE-2023-0140: Inappropriate implementation in File System API
  * CVE-2023-0141: Insufficient policy enforcement in CORS
  * Various fixes from internal audits, fuzzing and other initiatives
- drop patches:
  * chromium-gcc11.patch - not needed
  * chromium-107-system-zlib.patch - upstream
  * chromium-108-compiler.patch
- add patches:
  * chromium-109-compiler.patch
  * chromium-109-clang-lp154.patch

-------------------------------------------------------------------
Sun Dec 18 17:31:22 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Add chromium-disable-GlobalMediaControlsCastStartStop.patch:
  disable GlobalMediaControlsCastStartStop to fix crashes occurring
  when interacting with the Media UI (bsc#1198124)

-------------------------------------------------------------------
Wed Dec 14 09:01:57 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 108.0.5359.124 (boo#1206403):
  * CVE-2022-4436: Use after free in Blink Media
  * CVE-2022-4437: Use after free in Mojo IPC
  * CVE-2022-4438: Use after free in Blink Frames
  * CVE-2022-4439: Use after free in Aura
  * CVE-2022-4440: Use after free in Profiles

-------------------------------------------------------------------
Wed Dec 7 20:43:54 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 108.0.5359.98
  * Fix regression in computing <select> visibility

-------------------------------------------------------------------
Sat Dec 3 09:40:02 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 108.0.5359.94:
  * CVE-2022-4262: Type Confusion in V8 (boo#1205999)

-------------------------------------------------------------------
Wed Nov 30 21:56:32 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 108.0.5359.71 (boo#1205871):
  * CVE-2022-4174: Type Confusion in V8
  * CVE-2022-4175: Use after free in Camera Capture
  * CVE-2022-4176: Out of bounds write in Lacros Graphics
  * CVE-2022-4177: Use after free in Extensions
  * CVE-2022-4178: Use after free in Mojo
  * CVE-2022-4179: Use after free in Audio
  * CVE-2022-4180: Use after free in Mojo
  * CVE-2022-4181: Use after free in Forms
  * CVE-2022-4182: Inappropriate implementation in Fenced Frames
  * CVE-2022-4183: Insufficient policy enforcement in Popup Blocker
  * CVE-2022-4184: Insufficient policy enforcement in Autofill
  * CVE-2022-4185: Inappropriate implementation in Navigation
  * CVE-2022-4186: Insufficient validation of untrusted input in Downloads
  * CVE-2022-4187: Insufficient policy enforcement in DevTools
  * CVE-2022-4188: Insufficient validation of untrusted input in CORS
  * CVE-2022-4189: Insufficient policy enforcement in DevTools
  * CVE-2022-4190: Insufficient data validation in Directory
  * CVE-2022-4191: Use after free in Sign-In
  * CVE-2022-4192: Use after free in Live Caption
  * CVE-2022-4193: Insufficient policy enforcement in File System API
  * CVE-2022-4194: Use after free in Accessibility
  * CVE-2022-4195: Insufficient policy enforcement in Safe Browsing
- drop chromium-105-wayland-1.20.patch, upstream
- drop chromium-107-compiler.patch
- add chromium-108-compiler.patch
- drop chromium-98-EnumTable-crash.patch

-------------------------------------------------------------------
Thu Nov 24 20:48:10 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 107.0.5304.121 (boo#1205736)
  * CVE-2022-4135: Heap buffer overflow in GPU

-------------------------------------------------------------------
Thu Nov 17 21:46:42 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Build with llvm15 on openSUSE:Backports:SLE-15-SP5 and up

-------------------------------------------------------------------
Wed Nov 9 17:03:58 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 107.0.5304.110 (boo#1205221)
  * CVE-2022-3885: Use after free in V8
  * CVE-2022-3886: Use after free in Speech Recognition
  * CVE-2022-3887: Use after free in Web Workers
  * CVE-2022-3888: Use after free in WebCodecs
  * CVE-2022-3889: Type Confusion in V8
  * CVE-2022-3890: Heap buffer overflow in Crashpad

-------------------------------------------------------------------
Fri Oct 28 08:35:09 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 107.0.5304.87 (boo#1204819)
  * CVE-2022-3723: Type Confusion in V8

-------------------------------------------------------------------
Thu Oct 27 08:57:48 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Chromium 107.0.5304.68 (boo#1204732)
  * CVE-2022-3652: Type Confusion in V8
  * CVE-2022-3653: Heap buffer overflow in Vulkan
  * CVE-2022-3654: Use after free in Layout
  * CVE-2022-3655: Heap buffer overflow in Media Galleries
  * CVE-2022-3656: Insufficient data validation in File System
  * CVE-2022-3657: Use after free in Extensions
  * CVE-2022-3658: Use after free in Feedback service on Chrome OS
  * CVE-2022-3659: Use after free in Accessibility
  * CVE-2022-3660: Inappropriate implementation in Full screen mode
  * CVE-2022-3661: Insufficient data validation in Extensions
- Added patches:
  * chromium-107-compiler.patch
  * chromium-107-system-zlib.patch
- Removed patches:
  * chromium-105-compiler.patch
  * chromium-105-Bitmap-include.patch
  * chromium-106-AutofillPopupControllerImpl-namespace.patch
- Unbundle libyuv and libavif on TW
- Prepare 15.5
- Use qt on 15.4+ (15.3 too old)

-------------------------------------------------------------------
Wed Oct 12 04:47:50 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 106.0.5249.119 (boo#1204223)
  * CVE-2022-3445: Use after free in Skia
  * CVE-2022-3446: Heap buffer overflow in WebSQL
  * CVE-2022-3447: Inappropriate implementation in Custom Tabs
  * CVE-2022-3448: Use after free in Permissions API
  * CVE-2022-3449: Use after free in Safe Browsing
  * CVE-2022-3450: Use after free in Peer Connection

-------------------------------------------------------------------
Thu Oct 6 21:02:32 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 106.0.5249.103:
  * fix possible cache manager deadlock
  * Fix right-click menu appearing unexpectedly affecting screen
    readers

-------------------------------------------------------------------
Sat Oct 1 07:59:24 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 106.0.5249.91 (boo#1203808):
  * CVE-2022-3370: Use after free in Custom Elements
  * CVE-2022-3373: Out of bounds write in V8
- includes changes from 106.0.5249.61:
  * CVE-2022-3304: Use after free in CSS
  * CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools
  * CVE-2022-3305: Use after free in Survey
  * CVE-2022-3306: Use after free in Survey
  * CVE-2022-3307: Use after free in Media
  * CVE-2022-3308: Insufficient policy enforcement in Developer Tools
  * CVE-2022-3309: Use after free in Assistant
  * CVE-2022-3310: Insufficient policy enforcement in Custom Tabs
  * CVE-2022-3311: Use after free in Import
  * CVE-2022-3312: Insufficient validation of untrusted input in VPN
  * CVE-2022-3313: Incorrect security UI in Full Screen
  * CVE-2022-3314: Use after free in Logging
  * CVE-2022-3315: Type confusion in Blink
  * CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing
  * CVE-2022-3317: Insufficient validation of untrusted input in Intents
  * CVE-2022-3318: Use after free in ChromeOS Notifications
- drop patches:
  * chromium-104-tflite-system-zlib.patch
  * chromium-105-AdjustMaskLayerGeometry-ceilf.patch
  * chromium-105-Trap-raw_ptr.patch
  * chromium-105-browser_finder-include.patch
  * chromium-105-raw_ptr-noexcept.patch
- add patches
  * chromium-106-ffmpeg-duration.patch
  * chromium-106-AutofillPopupControllerImpl-namespace.patch

-------------------------------------------------------------------
Wed Sep 14 18:09:26 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 105.0.5195.127 (boo#1203419):
  * CVE-2022-3195: Out of bounds write in Storage
  * CVE-2022-3196: Use after free in PDF
  * CVE-2022-3197: Use after free in PDF
  * CVE-2022-3198: Use after free in PDF
  * CVE-2022-3199: Use after free in Frames
  * CVE-2022-3200: Heap buffer overflow in Internals
  * CVE-2022-3201: Insufficient validation of untrusted input in DevTools
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Thu Sep 8 10:46:42 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Chromium 105.0.5195.102 (boo#1203102):
  * CVE-2022-3075: Insufficient data validation in Mojo
- Chromium 105.0.5195.52 (boo#1202964):
  * CVE-2022-3038: Use after free in Network Service
  * CVE-2022-3039: Use after free in WebSQL
  * CVE-2022-3040: Use after free in Layout
  * CVE-2022-3041: Use after free in WebSQL
  * CVE-2022-3042: Use after free in PhoneHub
  * CVE-2022-3043: Heap buffer overflow in Screen Capture
  * CVE-2022-3044: Inappropriate implementation in Site Isolation
  * CVE-2022-3045: Insufficient validation of untrusted input in V8
  * CVE-2022-3046: Use after free in Browser Tag
  * CVE-2022-3071: Use after free in Tab Strip
  * CVE-2022-3047: Insufficient policy enforcement in Extensions API
  * CVE-2022-3048: Inappropriate implementation in Chrome OS lockscreen
  * CVE-2022-3049: Use after free in SplitScreen
  * CVE-2022-3050: Heap buffer overflow in WebUI
  * CVE-2022-3051: Heap buffer overflow in Exosphere
  * CVE-2022-3052: Heap buffer overflow in Window Manager
  * CVE-2022-3053: Inappropriate implementation in Pointer Lock
  * CVE-2022-3054: Insufficient policy enforcement in DevTools
  * CVE-2022-3055: Use after free in Passwords
  * CVE-2022-3056: Insufficient policy enforcement in Content Security Policy
  * CVE-2022-3057: Inappropriate implementation in iframe Sandbox
  * CVE-2022-3058: Use after free in Sign-In Flow
- Added patches:
  * chromium-105-AdjustMaskLayerGeometry-ceilf.patch
  * chromium-105-Bitmap-include.patch
  * chromium-105-browser_finder-include.patch
  * chromium-105-raw_ptr-noexcept.patch
  * chromium-105-Trap-raw_ptr.patch
  * chromium-105-wayland-1.20.patch
  * chromium-105-compiler.patch
- Removed patches:
  * chromium-104-compiler.patch
  * chromium-104-ContentRendererClient-type.patch
  * chromium-78-protobuf-RepeatedPtrField-export.patch

-------------------------------------------------------------------
Thu Sep 1 07:39:28 UTC 2022 - Paolo Stivanin <info@paolostivanin.com>

- Update chromium-symbolic.svg: this fixes bsc#1202403.

-------------------------------------------------------------------
Mon Aug 22 09:53:49 UTC 2022 - Andreas Schwab <schwab@suse.de>

- Fix quoting in chrome-wrapper, don't put cwd on LD_LIBRARY_PATH

-------------------------------------------------------------------
Thu Aug 18 15:32:26 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 104.0.5112.101 (boo#1202509):
  * CVE-2022-2852: Use after free in FedCM
  * CVE-2022-2854: Use after free in SwiftShader
  * CVE-2022-2855: Use after free in ANGLE
  * CVE-2022-2857: Use after free in Blink
  * CVE-2022-2858: Use after free in Sign-In Flow
  * CVE-2022-2853: Heap buffer overflow in Downloads
  * CVE-2022-2856: Insufficient validation of untrusted input in Intents
  * CVE-2022-2859: Use after free in Chrome OS Shell
  * CVE-2022-2860: Insufficient policy enforcement in Cookies
  * CVE-2022-2861: Inappropriate implementation in Extensions API

-------------------------------------------------------------------
Tue Aug 16 14:17:49 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Re-enable our version of chrome-wrapper
- Set no sandbox if root is being used (https://crbug.com/638180)

-------------------------------------------------------------------
Tue Aug 9 12:29:06 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Chromium 104.0.5112.79 (boo#1202075)
  * CVE-2022-2603: Use after free in Omnibox
  * CVE-2022-2604: Use after free in Safe Browsing
  * CVE-2022-2605: Out of bounds read in Dawn
  * CVE-2022-2606: Use after free in Managed devices API
  * CVE-2022-2607: Use after free in Tab Strip
  * CVE-2022-2608: Use after free in Overview Mode
  * CVE-2022-2609: Use after free in Nearby Share
  * CVE-2022-2610: Insufficient policy enforcement in Background Fetch
  * CVE-2022-2611: Inappropriate implementation in Fullscreen API
  * CVE-2022-2612: Side-channel information leakage in Keyboard input
  * CVE-2022-2613: Use after free in Input
  * CVE-2022-2614: Use after free in Sign-In Flow
  * CVE-2022-2615: Insufficient policy enforcement in Cookies
  * CVE-2022-2616: Inappropriate implementation in Extensions API
  * CVE-2022-2617: Use after free in Extensions API
  * CVE-2022-2618: Insufficient validation of untrusted input in Internals
  * CVE-2022-2619: Insufficient validation of untrusted input in Settings
  * CVE-2022-2620: Use after free in WebUI
  * CVE-2022-2621: Use after free in Extensions
  * CVE-2022-2622: Insufficient validation of untrusted input in Safe Browsing
  * CVE-2022-2623: Use after free in Offline
  * CVE-2022-2624: Heap buffer overflow in PDF
- Added patches:
  * chromium-104-compiler.patch
  * chromium-104-ContentRendererClient-type.patch
  * chromium-104-tflite-system-zlib.patch
- Removed patches:
  * chromium-103-SubstringSetMatcher-packed.patch
  * chromium-103-FrameLoadRequest-type.patch
  * chromium-103-compiler.patch
- Use FFmpeg 5.1 on TW

-------------------------------------------------------------------
Sat Jul 23 12:20:39 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Switch back to Clang so that we can use BTI on aarch64
  * Gold is too old - doesn't understand BTI
  * LD crashes on aarch64
- Re-enable LTO
- Prepare move to FFmpeg 5 for new channel layout (requires 5.1+)

-------------------------------------------------------------------
Wed Jul 20 08:05:57 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 103.0.5060.134 (boo#1201679):
  * CVE-2022-2477: Use after free in Guest View
  * CVE-2022-2478: Use after free in PDF
  * CVE-2022-2479: Insufficient validation of untrusted input in File
  * CVE-2022-2480: Use after free in Service Worker API
  * CVE-2022-2481: Use after free in Views
  * CVE-2022-2163: Use after free in Cast UI and Toolbar
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Sat Jul 9 12:52:33 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 103.0.5060.114 (boo#1201216)
  * CVE-2022-2294: Heap buffer overflow in WebRTC
  * CVE-2022-2295: Type Confusion in V8
  * CVE-2022-2296: Use after free in Chrome OS Shell

-------------------------------------------------------------------
Thu Jul 7 18:07:43 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 103.0.5060.66
  * no upstream release notes

-------------------------------------------------------------------
Sat Jun 25 10:43:48 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Chromium 103.0.5060.53 (boo#1200783)
  * CVE-2022-2156: Use after free in Base
  * CVE-2022-2157: Use after free in Interest groups
  * CVE-2022-2158: Type Confusion in V8
  * CVE-2022-2160: Insufficient policy enforcement in DevTools
  * CVE-2022-2161: Use after free in WebApp Provider
  * CVE-2022-2162: Insufficient policy enforcement in File System API
  * CVE-2022-2163: Use after free in Cast UI and Toolbar
  * CVE-2022-2164: Inappropriate implementation in Extensions API
  * CVE-2022-2165: Insufficient data validation in URL formatting
- Added patches:
  * chromium-103-FrameLoadRequest-type.patch
  * chromium-103-SubstringSetMatcher-packed.patch
  * chromium-103-VirtualCursor-std-layout.patch
  * chromium-103-compiler.patch
- Removed patches:
  * chromium-102-compiler.patch
  * chromium-91-sql-standard-layout-type.patch
  * chromium-101-libxml-unbundle.patch
  * chromium-102-fenced_frame_utils-include.patch
  * chromium-102-swiftshader-template-instantiation.patch
  * chromium-102-symbolize-include.patch
  * chromium-97-arm-tflite-cast.patch
  * chromium-97-ScrollView-reference.patch

-------------------------------------------------------------------
Fri Jun 10 15:35:20 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 102.0.5005.115 (boo#1200423)
  * CVE-2022-2007: Use after free in WebGPU
  * CVE-2022-2008: Out of bounds memory access in WebGL
  * CVE-2022-2010: Out of bounds read in compositing
  * CVE-2022-2011: Use after free in ANGLE

-------------------------------------------------------------------
Wed Jun 8 13:40:43 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Switch to GTK4 on TW and Leap 15.4+ (boo#1200139)

-------------------------------------------------------------------
Wed Jun 1 09:43:54 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Disable ARM control flow integrity, it causes build issues at the
  moment
- Try a different SVG (black logo on GNOME)
- Removed patches:
  * chromium-third_party-symbolize-missing-include.patch (replaced by
    chromium-102-symbolize-include.patch)

-------------------------------------------------------------------
Fri May 27 19:40:42 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Chromium 102.0.5001.61 (boo#1199893)
  * CVE-2022-1853: Use after free in Indexed DB
  * CVE-2022-1854: Use after free in ANGLE
  * CVE-2022-1855: Use after free in Messaging
  * CVE-2022-1856: Use after free in User Education
  * CVE-2022-1857: Insufficient policy enforcement in File System API
  * CVE-2022-1858: Out of bounds read in DevTools
  * CVE-2022-1859: Use after free in Performance Manager
  * CVE-2022-1860: Use after free in UI Foundations
  * CVE-2022-1861: Use after free in Sharing
  * CVE-2022-1862: Inappropriate implementation in Extensions
  * CVE-2022-1863: Use after free in Tab Groups
  * CVE-2022-1864: Use after free in WebApp Installs
  * CVE-2022-1865: Use after free in Bookmarks
  * CVE-2022-1866: Use after free in Tablet Mode
  * CVE-2022-1867: Insufficient validation of untrusted input in Data Transfer
  * CVE-2022-1868: Inappropriate implementation in Extensions API
  * CVE-2022-1869: Type Confusion in V8
  * CVE-2022-1870: Use after free in App Service
  * CVE-2022-1871: Insufficient policy enforcement in File System API
  * CVE-2022-1872: Insufficient policy enforcement in Extensions API
  * CVE-2022-1873: Insufficient policy enforcement in COOP
  * CVE-2022-1874: Insufficient policy enforcement in Safe Browsing
  * CVE-2022-1875: Inappropriate implementation in PDF
  * CVE-2022-1876: Heap buffer overflow in DevTools
- Added patches:
  * chromium-102-compiler.patch
  * chromium-102-fenced_frame_utils-include.patch
  * chromium-102-regex_pattern-array.patch
  * chromium-102-swiftshader-template-instantiation.patch
  * chromium-102-symbolize-include.patch
  * ffmpeg-new-channel-layout.patch
- Removed patches:
  * chromium-100-compiler.patch
  * chromium-80-QuicStreamSendBuffer-deleted-move-constructor.patch
  * chromium-95-quiche-include.patch
  * chromium-fix-swiftshader-template.patch
  * chromium-missing-include-tuple.patch
  * chromium-webrtc-stats-missing-vector.patch
  * chromium-101-segmentation_platform-type.patch

-------------------------------------------------------------------
Sun May 15 09:03:28 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 101.0.4951.67
  * fixes for other platforms

-------------------------------------------------------------------
Wed May 11 06:33:01 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 101.0.4951.64 (boo#1199409)
  * CVE-2022-1633: Use after free in Sharesheet
  * CVE-2022-1634: Use after free in Browser UI
  * CVE-2022-1635: Use after free in Permission Prompts
  * CVE-2022-1636: Use after free in Performance APIs
  * CVE-2022-1637: Inappropriate implementation in Web Contents
  * CVE-2022-1638: Heap buffer overflow in V8 Internationalization
  * CVE-2022-1639: Use after free in ANGLE
  * CVE-2022-1640: Use after free in Sharing
  * CVE-2022-1641: Use after free in Web UI Diagnostics

-------------------------------------------------------------------
Wed May 4 09:34:58 UTC 2022 - Callum Farmer <gmbr3@opensuse.org>

- Chromium 101.0.4951.54 (boo#1199118)
- Chromium 101.0.4951.41 (boo#1198917)
  * CVE-2022-1477: Use after free in Vulkan
  * CVE-2022-1478: Use after free in SwiftShader
  * CVE-2022-1479: Use after free in ANGLE
  * CVE-2022-1480: Use after free in Device API
  * CVE-2022-1481: Use after free in Sharing
  * CVE-2022-1482: Inappropriate implementation in WebGL
  * CVE-2022-1483: Heap buffer overflow in WebGPU
  * CVE-2022-1484: Heap buffer overflow in Web UI Settings
  * CVE-2022-1485: Use after free in
File System API * CVE-2022-1486: Type Confusion in V8 * CVE-2022-1487: Use after free in Ozone * CVE-2022-1488: Inappropriate implementation in Extensions API * CVE-2022-1489: Out of bounds memory access in UI Shelf * CVE-2022-1490: Use after free in Browser Switcher * CVE-2022-1491: Use after free in Bookmarks * CVE-2022-1492: Insufficient data validation in Blink Editing * CVE-2022-1493: Use after free in Dev Tools * CVE-2022-1494: Insufficient data validation in Trusted Types * CVE-2022-1495: Incorrect security UI in Downloads * CVE-2022-1496: Use after free in File Manager * CVE-2022-1497: Inappropriate implementation in Input * CVE-2022-1498: Inappropriate implementation in HTML Parser * CVE-2022-1499: Inappropriate implementation in WebAuthentication * CVE-2022-1500: Insufficient data validation in Dev Tools * CVE-2022-1501: Inappropriate implementation in iframe - Added patches: * chromium-101-libxml-unbundle.patch * chromium-101-segmentation_platform-type.patch - Removed patches: * chromium-100-SCTHashdanceMetadata-move.patch * chromium-100-GLImplementationParts-constexpr.patch * chromium-100-macro-typo.patch ------------------------------------------------------------------- Thu Apr 21 10:04:22 UTC 2022 - Callum Farmer <gmbr3@opensuse.org> - Fixes for go 1.18 ------------------------------------------------------------------- Fri Apr 15 07:29:35 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 100.0.4896.127 (boo#1198509) * CVE-2022-1364: Type Confusion in V8 * Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Tue Apr 12 05:02:45 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 100.0.4896.88 (boo#1198361) * CVE-2022-1305: Use after free in storage * CVE-2022-1306: Inappropriate implementation in compositing * CVE-2022-1307: Inappropriate implementation in full screen * CVE-2022-1308: Use after free in BFCache * CVE-2022-1309: Insufficient policy 
enforcement in developer tools * CVE-2022-1310: Use after free in regular expressions * CVE-2022-1311: Use after free in Chrome OS shell * CVE-2022-1312: Use after free in storage * CVE-2022-1313: Use after free in tab groups * CVE-2022-1314: Type Confusion in V8 * Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Sun Apr 10 13:52:31 UTC 2022 - Callum Farmer <gmbr3@opensuse.org> - Patches for GCC 12: * chromium-fix-swiftshader-template.patch * chromium-missing-include-tuple.patch * chromium-webrtc-stats-missing-vector.patch ------------------------------------------------------------------- Tue Apr 5 02:11:03 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 100.0.4896.75: * CVE-2022-1232: Type Confusion in V8 (boo#1198053) ------------------------------------------------------------------- Wed Mar 30 16:25:44 UTC 2022 - Callum Farmer <gmbr3@opensuse.org> - Chromium 100.0.4896.60 (boo#1197680) * CVE-2022-1125: Use after free in Portals * CVE-2022-1127: Use after free in QR Code Generator * CVE-2022-1128: Inappropriate implementation in Web Share API * CVE-2022-1129: Inappropriate implementation in Full Screen Mode * CVE-2022-1130: Insufficient validation of untrusted input in WebOTP * CVE-2022-1131: Use after free in Cast UI * CVE-2022-1132: Inappropriate implementation in Virtual Keyboard * CVE-2022-1133: Use after free in WebRTC * CVE-2022-1134: Type Confusion in V8 * CVE-2022-1135: Use after free in Shopping Cart * CVE-2022-1136: Use after free in Tab Strip * CVE-2022-1137: Inappropriate implementation in Extensions * CVE-2022-1138: Inappropriate implementation in Web Cursor * CVE-2022-1139: Inappropriate implementation in Background Fetch API * CVE-2022-1141: Use after free in File Manager * CVE-2022-1142: Heap buffer overflow in WebUI * CVE-2022-1143: Heap buffer overflow in WebUI * CVE-2022-1144: Use after free in WebUI * CVE-2022-1145: Use after free in 
Extensions * CVE-2022-1146: Inappropriate implementation in Resource Timing - Added patches: * chromium-100-compiler.patch * chromium-100-GLImplementationParts-constexpr.patch * chromium-100-InMilliseconds-constexpr.patch * chromium-100-SCTHashdanceMetadata-move.patch * chromium-100-macro-typo.patch - Removed patches: * chromium-98-compiler.patch * chromium-86-nearby-explicit.patch * chromium-glibc-2.34.patch * chromium-v8-missing-utility-include.patch * chromium-99-AutofillAssistantModelExecutor-NoDestructor.patch ------------------------------------------------------------------- Tue Mar 29 09:23:28 UTC 2022 - Andreas Schwab <schwab@suse.de> - Update disk constraints ------------------------------------------------------------------- Sat Mar 26 15:10:15 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 99.0.4844.84: * CVE-2022-1096: Type Confusion in V8 (boo#1197552) ------------------------------------------------------------------- Mon Mar 21 05:07:25 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 99.0.4844.82: * Fix potential problem in Hangouts (boo#1197332) ------------------------------------------------------------------- Wed Mar 16 09:36:49 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 99.0.4844.74 (boo#1197163) * CVE-2022-0971: Use after free in Blink Layout * CVE-2022-0972: Use after free in Extensions * CVE-2022-0973: Use after free in Safe Browsing * CVE-2022-0974: Use after free in Splitscreen * CVE-2022-0975: Use after free in ANGLE * CVE-2022-0976: Heap buffer overflow in GPU * CVE-2022-0977: Use after free in Browser UI * CVE-2022-0978: Use after free in ANGLE * CVE-2022-0979: Use after free in Safe Browsing * CVE-2022-0980: Use after free in New Tab Page * Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Fri Mar 4 10:46:36 UTC 2022 - Callum Farmer <gmbr3@opensuse.org> - Chromium 99.0.4844.51 (boo#1196641) * 
CVE-2022-0789: Heap buffer overflow in ANGLE * CVE-2022-0790: Use after free in Cast UI * CVE-2022-0791: Use after free in Omnibox * CVE-2022-0792: Out of bounds read in ANGLE * CVE-2022-0793: Use after free in Views * CVE-2022-0794: Use after free in WebShare * CVE-2022-0795: Type Confusion in Blink Layout * CVE-2022-0796: Use after free in Media * CVE-2022-0797: Out of bounds memory access in Mojo * CVE-2022-0798: Use after free in MediaStream * CVE-2022-0799: Insufficient policy enforcement in Installer * CVE-2022-0800: Heap buffer overflow in Cast UI * CVE-2022-0801: Inappropriate implementation in HTML parser * CVE-2022-0802: Inappropriate implementation in Full screen mode * CVE-2022-0803: Inappropriate implementation in Permissions * CVE-2022-0804: Inappropriate implementation in Full screen mode * CVE-2022-0805: Use after free in Browser Switcher * CVE-2022-0806: Data leak in Canvas * CVE-2022-0807: Inappropriate implementation in Autofill * CVE-2022-0808: Use after free in Chrome OS Shell * CVE-2022-0809: Out of bounds memory access in WebXR - Removed patches: * chromium-96-EnumTable-crash.patch * chromium-89-missing-cstring-header.patch * chromium-95-libyuv-aarch64.patch * chromium-95-libyuv-arm.patch * chromium-98-MiraclePtr-gcc-ice.patch * chromium-98-WaylandFrameManager-check.patch - Added patches: * chromium-97-arm-tflite-cast.patch * chromium-98-gtk4-build.patch * chromium-99-AutofillAssistantModelExecutor-NoDestructor.patch * chromium-98-EnumTable-crash.patch * chromium-third_party-symbolize-missing-include.patch * chromium-v8-missing-utility-include.patch ------------------------------------------------------------------- Tue Feb 15 19:13:43 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 98.0.4758.102 (boo#1195986) * CVE-2022-0603: Use after free in File Manager * CVE-2022-0604: Heap buffer overflow in Tab Groups * CVE-2022-0605: Use after free in Webstore API * CVE-2022-0606: Use after free in ANGLE * CVE-2022-0607: Use after free 
in GPU * CVE-2022-0608: Integer overflow in Mojo * CVE-2022-0609: Use after free in Animation * CVE-2022-0610: Inappropriate implementation in Gamepad API * Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Thu Feb 3 19:35:46 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 98.0.4758.80 (boo#1195420) * CVE-2022-0452: Use after free in Safe Browsing * CVE-2022-0453: Use after free in Reader Mode * CVE-2022-0454: Heap buffer overflow in ANGLE * CVE-2022-0455: Inappropriate implementation in Full Screen Mode * CVE-2022-0456: Use after free in Web Search * CVE-2022-0457: Type Confusion in V8 * CVE-2022-0459: Use after free in Screen Capture * CVE-2022-0460: Use after free in Window Dialog * CVE-2022-0461: Policy bypass in COOP * CVE-2022-0462: Inappropriate implementation in Scroll * CVE-2022-0463: Use after free in Accessibility * CVE-2022-0464: Use after free in Accessibility * CVE-2022-0465: Use after free in Extensions * CVE-2022-0466: Inappropriate implementation in Extensions Platform * CVE-2022-0467: Inappropriate implementation in Pointer Lock * CVE-2022-0468: Use after free in Payments * CVE-2022-0469: Use after free in Cast * CVE-2022-0470: Out of bounds memory access in V8 * Various fixes from internal audits, fuzzing and other initiatives - drop upstreamed patches: * chromium-97-Point-constexpr.patch - add patches: * chromium-98-MiraclePtr-gcc-ice.patch * chromium-98-WaylandFrameManager-check.patch - change chromium-97-compiler.patch to chromium-98-compiler.patch ------------------------------------------------------------------- Fri Jan 21 06:43:25 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 97.0.4692.99 (boo#1194919): * CVE-2022-0289: Use after free in Safe browsing * CVE-2022-0290: Use after free in Site isolation * CVE-2022-0291: Inappropriate implementation in Storage * CVE-2022-0292: Inappropriate implementation in Fenced Frames * 
CVE-2022-0293: Use after free in Web packaging * CVE-2022-0294: Inappropriate implementation in Push messaging * CVE-2022-0295: Use after free in Omnibox * CVE-2022-0296: Use after free in Printing * CVE-2022-0297: Use after free in Vulkan * CVE-2022-0298: Use after free in Scheduling * CVE-2022-0300: Use after free in Text Input Method Editor * CVE-2022-0301: Heap buffer overflow in DevTools * CVE-2022-0302: Use after free in Omnibox * CVE-2022-0303: Race in GPU Watchdog * CVE-2022-0304: Use after free in Bookmarks * CVE-2022-0305: Inappropriate implementation in Service Worker API * CVE-2022-0306: Heap buffer overflow in PDFium * CVE-2022-0307: Use after free in Optimization Guide * CVE-2022-0308: Use after free in Data Transfer * CVE-2022-0309: Inappropriate implementation in Autofill * CVE-2022-0310: Heap buffer overflow in Task Manager * CVE-2022-0311: Heap buffer overflow in Task Manager * Various fixes from internal audits, fuzzing and other initiatives - drop upstreamed patches: * fix-tag-dragging-in-Mutter.patch * fix-tag-dragging-in-KWin.patch ------------------------------------------------------------------- Thu Jan 20 09:46:50 UTC 2022 - Callum Farmer <gmbr3@opensuse.org> - Revert chromium-94-ffmpeg-roll.patch on TW: fix moved to FFmpeg ------------------------------------------------------------------- Tue Jan 11 20:00:16 UTC 2022 - Callum Farmer <gmbr3@opensuse.org> - Chromium 97.0.4692.71 (boo#1194331): * CVE-2022-0096: Use after free in Storage * CVE-2022-0097: Inappropriate implementation in DevTools * CVE-2022-0098: Use after free in Screen Capture * CVE-2022-0099: Use after free in Sign-in * CVE-2022-0100: Heap buffer overflow in Media streams API * CVE-2022-0101: Heap buffer overflow in Bookmarks * CVE-2022-0102: Type Confusion in V8 * CVE-2022-0103: Use after free in SwiftShader * CVE-2022-0104: Heap buffer overflow in ANGLE * CVE-2022-0105: Use after free in PDF * CVE-2022-0106: Use after free in Autofill * CVE-2022-0107: Use after free in 
File Manager API * CVE-2022-0108: Inappropriate implementation in Navigation * CVE-2022-0109: Inappropriate implementation in Autofill * CVE-2022-0110: Incorrect security UI in Autofill * CVE-2022-0111: Inappropriate implementation in Navigation * CVE-2022-0112: Incorrect security UI in Browser UI * CVE-2022-0113: Inappropriate implementation in Blink * CVE-2022-0114: Out of bounds memory access in Web Serial * CVE-2022-0115: Uninitialized Use in File API * CVE-2022-0116: Inappropriate implementation in Compositing * CVE-2022-0117: Policy bypass in Service Workers * CVE-2022-0118: Inappropriate implementation in WebShare * CVE-2022-0120: Inappropriate implementation in Passwords - Removed patches: * chromium-96-CommandLine-include.patch * chromium-96-RestrictedCookieManager-tuple.patch * chromium-96-DrmRenderNodePathFinder-include.patch * chromium-96-CouponDB-include.patch * chromium-96-freetype-unbundle.patch * chromium-96-compiler.patch * chromium-vaapi.patch * chromium-86-nearby-include.patch - Added patches: * chromium-97-compiler.patch * chromium-97-Point-constexpr.patch * chromium-97-ScrollView-reference.patch * chromium-95-libyuv-arm.patch * fix-tag-dragging-in-KWin.patch * fix-tag-dragging-in-Mutter.patch ------------------------------------------------------------------- Thu Dec 30 15:30:19 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Revert wayland fixes because it doesn't handle GPU correctly (boo#1194182) ------------------------------------------------------------------- Thu Dec 30 08:38:17 UTC 2021 - Martin Liška <mliska@suse.cz> - Use GCC 11, but disable LTO (boo#1194055). 
------------------------------------------------------------------- Wed Dec 29 12:23:48 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Use our own copy of the wrapper so that we can use the fixes for Wayland ------------------------------------------------------------------- Sun Dec 26 23:02:18 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Define GNU_SOURCE and fix the below patched issues - Removed patches: * chromium-86-f_seal.patch * chromium-90-fseal.patch ------------------------------------------------------------------- Fri Dec 24 11:24:13 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Added patches: * chromium-96-freetype-unbundle.patch * chromium-96-EnumTable-crash.patch - Unbundle freetype on TW - Unbundle icu on 15.4 - Disable lto and update _constraints on aarch64 - Remove MEIPreload: it gets installed through component updater ------------------------------------------------------------------- Wed Dec 15 10:54:35 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Revert to gcc10 on TW: gcc11 is entirely broken - No auto thread LTO: linker crash on ARM ------------------------------------------------------------------- Tue Dec 14 15:24:47 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 96.0.4664.110 (boo#1193713): * CVE-2021-4098: Insufficient data validation in Mojo * CVE-2021-4099: Use after free in Swiftshader * CVE-2021-4100: Object lifecycle issue in ANGLE * CVE-2021-4101: Heap buffer overflow in Swiftshader * CVE-2021-4102: Use after free in V8 ------------------------------------------------------------------- Thu Dec 9 09:49:23 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Lord of the Browsers: The Two Compilers: * Go back to GCC * GCC: LTO removes needed assembly symbols * Clang: issues with libstdc++ - Chromium 96.0.4664.93 (boo#1193519): * CVE-2021-4052: Use after free in web apps * CVE-2021-4053: Use after free in UI * CVE-2021-4079: Out of bounds write in WebRTC * CVE-2021-4054: Incorrect security UI in autofill * 
CVE-2021-4078: Type confusion in V8 * CVE-2021-4055: Heap buffer overflow in extensions * CVE-2021-4056: Type Confusion in loader * CVE-2021-4057: Use after free in file API * CVE-2021-4058: Heap buffer overflow in ANGLE * CVE-2021-4059: Insufficient data validation in loader * CVE-2021-4061: Type Confusion in V8 * CVE-2021-4062: Heap buffer overflow in BFCache * CVE-2021-4063: Use after free in developer tools * CVE-2021-4064: Use after free in screen capture * CVE-2021-4065: Use after free in autofill * CVE-2021-4066: Integer underflow in ANGLE * CVE-2021-4067: Use after free in window manager * CVE-2021-4068: Insufficient validation of untrusted input in new tab page - Chromium 96.0.4664.45 (boo#1192734): * CVE-2021-38007: Type Confusion in V8 * CVE-2021-38008: Use after free in media * CVE-2021-38009: Inappropriate implementation in cache * CVE-2021-38006: Use after free in storage foundation * CVE-2021-38005: Use after free in loader * CVE-2021-38010: Inappropriate implementation in service workers * CVE-2021-38011: Use after free in storage foundation * CVE-2021-38012: Type Confusion in V8 * CVE-2021-38013: Heap buffer overflow in fingerprint recognition * CVE-2021-38014: Out of bounds write in Swiftshader * CVE-2021-38015: Inappropriate implementation in input * CVE-2021-38016: Insufficient policy enforcement in background fetch * CVE-2021-38017: Insufficient policy enforcement in iframe sandbox * CVE-2021-38018: Inappropriate implementation in navigation * CVE-2021-38019: Insufficient policy enforcement in CORS * CVE-2021-38020: Insufficient policy enforcement in contacts picker * CVE-2021-38021: Inappropriate implementation in referrer * CVE-2021-38022: Inappropriate implementation in WebAuthentication - Removed old patches: * chromium-95-compiler.patch * chromium-95-BitstreamReader-namespace.patch * chromium-95-system-zlib.patch * chromium-older-harfbuzz.patch * pipewire-do-not-typecheck-the-portal-session_handle.patch - Removed build breaking patches: * 
chromium-93-EnumTable-crash.patch - Added patches: * chromium-96-compiler.patch * chromium-96-CommandLine-include.patch * chromium-96-RestrictedCookieManager-tuple.patch * chromium-96-DrmRenderNodePathFinder-include.patch * chromium-96-CouponDB-include.patch - Changed patches: * gcc-enable-lto.patch: see above ------------------------------------------------------------------- Fri Nov 19 09:32:39 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Ensure newer libs and LLVM is used on Leap (boo#1192310) ------------------------------------------------------------------- Wed Nov 17 10:08:55 UTC 2021 - Steve Kowalik <steven.kowalik@suse.com> - Explicitly BuildRequire python3-six. ------------------------------------------------------------------- Sun Oct 31 07:57:37 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 95.0.4638.69 (boo#1192184): * CVE-2021-37997: Use after free in Sign-In * CVE-2021-37998: Use after free in Garbage Collection * CVE-2021-37999: Insufficient data validation in New Tab Page * CVE-2021-38000: Insufficient validation of untrusted input in Intents * CVE-2021-38001: Type Confusion in V8 * CVE-2021-38002: Use after free in Web Transport * CVE-2021-38003: Inappropriate implementation in V8 ------------------------------------------------------------------- Sun Oct 24 11:10:51 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Chromium 95.0.4638.54 (boo#1191844): * CVE-2021-37981: Heap buffer overflow in Skia * CVE-2021-37982: Use after free in Incognito * CVE-2021-37983: Use after free in Dev Tools * CVE-2021-37984: Heap buffer overflow in PDFium * CVE-2021-37985: Use after free in V8 * CVE-2021-37986: Heap buffer overflow in Settings * CVE-2021-37987: Use after free in Network APIs * CVE-2021-37988: Use after free in Profiles * CVE-2021-37989: Inappropriate implementation in Blink * CVE-2021-37990: Inappropriate implementation in WebView * CVE-2021-37991: Race in V8 * CVE-2021-37992: Out of bounds read in WebAudio * CVE-2021-37993: Use 
after free in PDF Accessibility * CVE-2021-37996: Insufficient validation of untrusted input in Downloads * CVE-2021-37994: Inappropriate implementation in iFrame Sandbox * CVE-2021-37995: Inappropriate implementation in WebApp Installer - Added patches: * chromium-95-BitstreamReader-namespace.patch * chromium-95-compiler.patch * chromium-95-libyuv-aarch64.patch * chromium-95-quiche-include.patch * chromium-95-system-zlib.patch - Removed patches: * chromium-94-compiler.patch * chromium-91-libyuv-aarch64.patch * chromium-90-ruy-include.patch * chromium-94-CustomSpaces-include.patch ------------------------------------------------------------------- Sat Oct 16 13:13:25 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Remove Python 2 requirement ------------------------------------------------------------------- Sat Oct 9 19:13:28 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Disable DCHECK(): that's for debug only ------------------------------------------------------------------- Sat Oct 9 12:53:41 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Add pipewire-do-not-typecheck-the-portal-session_handle.patch: fix WebRTC with xdg-desktop-portal 1.10 ------------------------------------------------------------------- Fri Oct 8 19:33:03 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Chromium 94.0.4606.81 (boo#1191463): * CVE-2021-37977: Use after free in Garbage Collection * CVE-2021-37978: Heap buffer overflow in Blink * CVE-2021-37979: Heap buffer overflow in WebRTC * CVE-2021-37980: Inappropriate implementation in Sandbox - Re-add after accidental deletion: * chromium-93-InkDropHost-crash.patch ------------------------------------------------------------------- Sun Oct 3 09:38:33 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Chromium 94.0.4606.54 (boo#1190765): * CVE-2021-37956: Use after free in Offline use * CVE-2021-37957: Use after free in WebGPU * CVE-2021-37958: Inappropriate implementation in Navigation * CVE-2021-37959: Use after free in Task Manager * 
CVE-2021-37960: Inappropriate implementation in Blink graphics * CVE-2021-37961: Use after free in Tab Strip * CVE-2021-37962: Use after free in Performance Manager * CVE-2021-37963: Side-channel information leakage in DevTools * CVE-2021-37964: Inappropriate implementation in ChromeOS Networking * CVE-2021-37965: Inappropriate implementation in Background Fetch API * CVE-2021-37966: Inappropriate implementation in Compositing * CVE-2021-37967: Inappropriate implementation in Background Fetch API * CVE-2021-37968: Inappropriate implementation in Background Fetch API * CVE-2021-37969: Inappropriate implementation in Google Updater * CVE-2021-37970: Use after free in File System API * CVE-2021-37971: Incorrect security UI in Web Browser UI * CVE-2021-37972: Out of bounds read in libjpeg-turbo - Chromium 94.0.4606.61 (boo#1191166): * CVE-2021-37973: Use after free in Portals - Chromium 94.0.4606.71 (boo#1191204): * CVE-2021-37974 : Use after free in Safe Browsing * CVE-2021-37975 : Use after free in V8 * CVE-2021-37976 : Information leak in core - Added patches: * chromium-94-CustomSpaces-include.patch * chromium-94-sql-no-assert.patch * chromium-older-harfbuzz.patch * chromium-94-ffmpeg-roll.patch * chromium-94-compiler.patch - Removed patches: * chromium-freetype-2.11.patch * chromium-93-ContextSet-permissive.patch * chromium-93-ClassProperty-include.patch * chromium-93-BluetoothLowEnergyScanFilter-include.patch * chromium-93-HashPasswordManager-include.patch * chromium-93-pdfium-include.patch * chromium-93-DevToolsEmbedderMessageDispatcher-include.patch * chromium-93-FormForest-constexpr.patch * chromium-93-ScopedTestDialogAutoConfirm-include.patch * chromium-93-InkDropHost-crash.patch * chromium-91-compiler.patch * chromium-glibc-2.33.patch * chromium-shim_headers.patch ------------------------------------------------------------------- Sat Sep 18 12:47:15 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Add patch to fix Leap 15.2 build: * 
chromium-ffmpeg-lp152.patch - Change system-libdrm.patch: add to unbundle instead of changing header path ------------------------------------------------------------------- Wed Sep 15 21:00:27 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Chromium 93.0.4577.63 (boo#1190096): * CVE-2021-30606: Use after free in Blink * CVE-2021-30607: Use after free in Permissions * CVE-2021-30608: Use after free in Web Share * CVE-2021-30609: Use after free in Sign-In * CVE-2021-30610: Use after free in Extensions API * CVE-2021-30611: Use after free in WebRTC * CVE-2021-30612: Use after free in WebRTC * CVE-2021-30613: Use after free in Base internals * CVE-2021-30614: Heap buffer overflow in TabStrip * CVE-2021-30615: Cross-origin data leak in Navigation * CVE-2021-30616: Use after free in Media * CVE-2021-30617: Policy bypass in Blink * CVE-2021-30618: Inappropriate implementation in DevTools * CVE-2021-30619: UI Spoofing in Autofill * CVE-2021-30620: Insufficient policy enforcement in Blink * CVE-2021-30621: UI Spoofing in Autofill * CVE-2021-30622: Use after free in WebApp Installs * CVE-2021-30623: Use after free in Bookmarks * CVE-2021-30624: Use after free in Autofill - Chromium 93.0.4577.82 (boo#1190476): * CVE-2021-30625: Use after free in Selection API * CVE-2021-30626: Out of bounds memory access in ANGLE * CVE-2021-30627: Type Confusion in Blink layout * CVE-2021-30628: Stack buffer overflow in ANGLE * CVE-2021-30629: Use after free in Permissions * CVE-2021-30630: Inappropriate implementation in Blink * CVE-2021-30631: Type Confusion in Blink layout * CVE-2021-30632: Out of bounds write in V8 * CVE-2021-30633: Use after free in Indexed DB API - Removed patches: * chromium-88-gcc-fix-swiftshader-libEGL-visibility.patch * chromium-92-v8-constexpr.patch * chromium-no-writeprotection.patch * chromium-92-EnumTable-crash.patch - Added patches: * chromium-93-ContextSet-permissive.patch * chromium-93-ClassProperty-include.patch * 
chromium-93-BluetoothLowEnergyScanFilter-include.patch * chromium-93-HashPasswordManager-include.patch * chromium-93-pdfium-include.patch * chromium-93-DevToolsEmbedderMessageDispatcher-include.patch * chromium-93-FormForest-constexpr.patch * chromium-93-ScopedTestDialogAutoConfirm-include.patch * chromium-93-InkDropHost-crash.patch * chromium-93-ffmpeg-4.4.patch * chromium-93-EnumTable-crash.patch ------------------------------------------------------------------- Sun Aug 29 08:19:56 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Updated chromium-glibc-2.34.patch: Fix PTHREAD_STACK_MIN errors with glibc 2.34 ------------------------------------------------------------------- Tue Aug 17 20:28:07 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de> - Chromium 92.0.4515.159 (boo#1189490): * CVE-2021-30598: Type Confusion in V8 * CVE-2021-30599: Type Confusion in V8 * CVE-2021-30600: Use after free in Printing * CVE-2021-30601: Use after free in Extensions API * CVE-2021-30602: Use after free in WebRTC * CVE-2021-30603: Race in WebAudio * CVE-2021-30604: Use after free in ANGLE * Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Sun Aug 15 16:42:43 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Add missing crashpad_handler (boo#1189254) ------------------------------------------------------------------- Fri Aug 6 16:51:50 UTC 2021 - Callum Farmer <gmbr3@opensuse.org> - Chromium 92.0.4515.131 (boo#1189006) * CVE-2021-30590: Heap buffer overflow in Bookmarks * CVE-2021-30591: Use after free in File System API * CVE-2021-30592: Out of bounds write in Tab Groups * CVE-2021-30593: Out of bounds read in Tab Strip * CVE-2021-30594: Use after free in Page Info UI * CVE-2021-30596: Incorrect security UI in Navigation * CVE-2021-30597: Use after free in Browser UI - Removed patches: * chromium-92-GetUsableSize-nullptr.patch - Added patches: * chromium-no-writeprotection.patch * 
chromium-glibc-2.34.patch
-------------------------------------------------------------------
Sun Aug 1 11:14:20 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Chromium 92.0.4515.107 (boo#1188590)
  * CVE-2021-30565: Out of bounds write in Tab Groups
  * CVE-2021-30566: Stack buffer overflow in Printing
  * CVE-2021-30567: Use after free in DevTools
  * CVE-2021-30568: Heap buffer overflow in WebGL
  * CVE-2021-30569: Use after free in sqlite
  * CVE-2021-30571: Insufficient policy enforcement in DevTools
  * CVE-2021-30572: Use after free in Autofill
  * CVE-2021-30573: Use after free in GPU
  * CVE-2021-30574: Use after free in protocol handling
  * CVE-2021-30575: Out of bounds read in Autofill
  * CVE-2021-30576: Use after free in DevTools
  * CVE-2021-30577: Insufficient policy enforcement in Installer
  * CVE-2021-30578: Uninitialized Use in Media
  * CVE-2021-30579: Use after free in UI framework
  * CVE-2021-30581: Use after free in DevTools
  * CVE-2021-30582: Inappropriate implementation in Animation
  * CVE-2021-30584: Incorrect security UI in Downloads
  * CVE-2021-30585: Use after free in sensor handling
  * CVE-2021-30588: Type Confusion in V8
  * CVE-2021-30589: Insufficient validation of untrusted input in Sharing
- Switched from GCC+LTO to Clang+ThinLTO due to errors
- Removed patches:
  * chromium-90-compiler.patch
  * chromium-89-EnumTable-crash.patch
  * chromium-86-ConsumeDurationNumber-constexpr.patch
  * chromium-lp152-missing-includes.patch
  * chromium-91-GCC_fix_vector_types_in_pcscan.patch
  * chromium-91-system-icu.patch
  * chromium-91-1190561-boo1186948.patch
- Added patches:
  * chromium-91-compiler.patch
  * chromium-92-EnumTable-crash.patch
  * chromium-92-v8-constexpr.patch
  * chromium-92-GetUsableSize-nullptr.patch
  * chromium-freetype-2.11.patch
  * chromium-clang-nomerge.patch
-------------------------------------------------------------------
Sat Jul 17 18:17:02 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- chromium 91.0.4472.164 (boo#1188373)
  * CVE-2021-30559: Out of bounds write in ANGLE
  * CVE-2021-30541: Use after free in V8
  * CVE-2021-30560: Use after free in Blink XSLT
  * CVE-2021-30561: Type Confusion in V8
  * CVE-2021-30562: Use after free in WebSerial
  * CVE-2021-30563: Type Confusion in V8
  * CVE-2021-30564: Heap buffer overflow in WebXR
  * Various fixes from internal audits, fuzzing and other initiatives
-------------------------------------------------------------------
Mon Jul 5 09:03:02 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Add chromium-91-sql-standard-layout-type.patch: to fix SQL being
  incorrect with libstdc++ 11
-------------------------------------------------------------------
Mon Jun 21 18:29:12 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- fix crash upon exit boo#1186948
  add chromium-91-1190561-boo1186948.patch
-------------------------------------------------------------------
Fri Jun 18 09:05:03 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 91.0.4472.114 (boo#1187481)
  * CVE-2021-30554: Use after free in WebGL
  * CVE-2021-30555: Use after free in Sharing
  * CVE-2021-30556: Use after free in WebAudio
  * CVE-2021-30557: Use after free in TabGroups
-------------------------------------------------------------------
Wed Jun 16 17:37:29 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 91.0.4472.106
  * Fix use-after-free in SendTabToSelfSubMenuModel
  * Destroy system-token NSSCertDatabase on the IO thread
-------------------------------------------------------------------
Wed Jun 9 20:26:43 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 91.0.4472.101 (boo#1187141)
  * CVE-2021-30544: Use after free in BFCache
  * CVE-2021-30545: Use after free in Extensions
  * CVE-2021-30546: Use after free in Autofill
  * CVE-2021-30547: Out of bounds write in ANGLE
  * CVE-2021-30548: Use after free in Loader
  * CVE-2021-30549: Use after free in Spell check
  * CVE-2021-30550: Use after free in Accessibility
  * CVE-2021-30551: Type Confusion in V8
  * CVE-2021-30552: Use after free in Extensions
  * CVE-2021-30553: Use after free in Network service
  * Various fixes from internal audits, fuzzing and other initiatives
-------------------------------------------------------------------
Thu Jun 3 12:11:18 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Add README.SUSE
- Fix aarch64 build:
  * chromium-91-libyuv-aarch64.patch
  * Update highway to 0.12.2 (arm only)
- Add -flax-vector-conversions to build flags
-------------------------------------------------------------------
Thu May 27 05:12:18 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 91.0.4472.77 (boo#1186458):
  * Support Managed configuration API for Web Applications
  * WebOTP API: cross-origin iframe support
  * CSS custom counter styles
  * Support JSON Modules
  * Clipboard: read-only files support
  * Remove webkitBeforeTextInserted & webkitEditableCOntentChanged JS events
  * Honor media HTML attribute for link icon
  * Import Assertions
  * Class static initializer blocks
  * Ergonomic brand checks for private fields
  * Expose WebAssembly SIMD
  * New Feature: WebTransport
  * ES Modules for service workers ('module' type option)
  * Suggested file name and location for the File System Access API
  * adaptivePTime property for RTCRtpEncodingParameters
  * Block HTTP port 10080 - mitigation for NAT Slipstream 2.0 attack
  * Support WebSockets over HTTP/2
  * Support 103 Early Hints for Navigation
  * CVE-2021-30521: Heap buffer overflow in Autofill
  * CVE-2021-30522: Use after free in WebAudio
  * CVE-2021-30523: Use after free in WebRTC
  * CVE-2021-30524: Use after free in TabStrip
  * CVE-2021-30525: Use after free in TabGroups
  * CVE-2021-30526: Out of bounds write in TabStrip
  * CVE-2021-30527: Use after free in WebUI
  * CVE-2021-30528: Use after free in WebAuthentication
  * CVE-2021-30529: Use after free in Bookmarks
  * CVE-2021-30530: Out of bounds memory access in WebAudio
  * CVE-2021-30531: Insufficient policy enforcement in Content Security Policy
  * CVE-2021-30532: Insufficient policy enforcement in Content Security Policy
  * CVE-2021-30533: Insufficient policy enforcement in PopupBlocker
  * CVE-2021-30534: Insufficient policy enforcement in iFrameSandbox
  * CVE-2021-30535: Double free in ICU
  * CVE-2021-21212: Insufficient data validation in networking
  * CVE-2021-30536: Out of bounds read in V8
  * CVE-2021-30537: Insufficient policy enforcement in cookies
  * CVE-2021-30538: Insufficient policy enforcement in content security policy
  * CVE-2021-30539: Insufficient policy enforcement in content security policy
  * CVE-2021-30540: Incorrect security UI in payments
  * Various fixes from internal audits, fuzzing and other initiatives
  * drop chromium-90-TokenizedOutput-include.patch
  * drop chromium-90-CrossThreadCopier-qualification.patch
  * drop chromium-90-quantization_utils-include.patch
  * drop chromium-90-angle-constexpr.patch
  * add chromium-91-java-only-allowed-in-android-builds.patch
  * add chromium-91-GCC_fix_vector_types_in_pcscan.patch
  * add chromium-91-system-icu.patch
-------------------------------------------------------------------
Mon May 17 10:44:26 UTC 2021 - Marcus Meissner <meissner@suse.com>

- use asimdrdm CPU flag for aarch64 to select only more powerful
  buildhosts.
-------------------------------------------------------------------
Tue May 11 10:59:27 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 90.0.4430.212 (boo#1185908)
  * CVE-2021-30506: Incorrect security UI in Web App Installs
  * CVE-2021-30507: Inappropriate implementation in Offline
  * CVE-2021-30508: Heap buffer overflow in Media Feeds
  * CVE-2021-30509: Out of bounds write in Tab Strip
  * CVE-2021-30510: Race in Aura
  * CVE-2021-30511: Out of bounds read in Tab Group
  * CVE-2021-30512: Use after free in Notifications
  * CVE-2021-30513: Type Confusion in V8
  * CVE-2021-30514: Use after free in Autofill
  * CVE-2021-30515: Use after free in File API
  * CVE-2021-30516: Heap buffer overflow in History
  * CVE-2021-30517: Type Confusion in V8
  * CVE-2021-30518: Heap buffer overflow in Reader Mode
  * CVE-2021-30519: Use after free in Payments
  * CVE-2021-30520: Use after free in Tab Strip
- FTP support disabled at runtime by default since release 88.
  Chromium 91 will remove support for ftp altogether (boo#1185496)
-------------------------------------------------------------------
Thu May 6 15:45:57 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

* Patch change *
- Fix build with GCC 11 again (bsc#1185716)
- Remove chromium-88-compiler.patch
- Remove chromium-90-cstdint.patch
- Remove chromium-90-gslang-linkage-fixup.patch
- Added chromium-90-compiler.patch
- Added chromium-90-angle-constexpr.patch
- Added chromium-90-TokenizedOutput-include.patch
- Added chromium-90-ruy-include.patch
- Added chromium-90-CrossThreadCopier-qualification.patch
- Added chromium-90-quantization_utils-include.patch
-------------------------------------------------------------------
Wed Apr 28 08:53:55 UTC 2021 - Marcus Meissner <meissner@suse.com>

- Chromium 90.0.4430.93 (boo#1185398):
  - CVE-2021-21227: Insufficient data validation in V8.
  - CVE-2021-21232: Use after free in Dev Tools.
  - CVE-2021-21233: Heap buffer overflow in ANGLE.
  - CVE-2021-21228: Insufficient policy enforcement in extensions.
  - CVE-2021-21229: Incorrect security UI in downloads.
  - CVE-2021-21230: Type Confusion in V8.
  - CVE-2021-21231: Insufficient data validation in V8.
  - Reference: https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop_26.html
-------------------------------------------------------------------
Wed Apr 21 07:43:59 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 90.0.4430.85 (boo#1185047):
  * CVE-2021-21222: Heap buffer overflow in V8
  * CVE-2021-21223: Integer overflow in Mojo
  * CVE-2021-21224: Type Confusion in V8
  * CVE-2021-21225: Out of bounds memory access in V8
  * CVE-2021-21226: Use after free in navigation
- Chromium 90.0.4430.72 (boo#1184764):
  * CVE-2021-21201: Use after free in permissions
  * CVE-2021-21202: Use after free in extensions
  * CVE-2021-21203: Use after free in Blink
  * CVE-2021-21204: Use after free in Blink
  * CVE-2021-21205: Insufficient policy enforcement in navigation
  * CVE-2021-21221: Insufficient validation of untrusted input in Mojo
  * CVE-2021-21207: Use after free in IndexedDB
  * CVE-2021-21208: Insufficient data validation in QR scanner
  * CVE-2021-21209: Inappropriate implementation in storage
  * CVE-2021-21210: Inappropriate implementation in Network
  * CVE-2021-21211: Inappropriate implementation in Navigation
  * CVE-2021-21212: Incorrect security UI in Network Config UI
  * CVE-2021-21213: Use after free in WebMIDI
  * CVE-2021-21214: Use after free in Network API
  * CVE-2021-21215: Inappropriate implementation in Autofill
  * CVE-2021-21216: Inappropriate implementation in Autofill
  * CVE-2021-21217: Uninitialized Use in PDFium
  * CVE-2021-21218: Uninitialized Use in PDFium
  * CVE-2021-21219: Uninitialized Use in PDFium
  * drop chromium-89-quiche-private.patch
  * drop chromium-89-quiche-dcheck.patch
  * drop chromium-89-skia-CropRect.patch
  * drop chromium-89-dawn-include.patch
  * drop chromium-89-webcodecs-deps.patch
  * drop chromium-89-AXTreeSerializer-include.patch
  * drop libva-2.11.patch
  * drop libva-2.11-nolegacy.patch
  * drop chromium-84-blink-disable-clang-format.patch
- chromium-90-gslang-linkage-fixup.patch: fixed a weird static/nonpic error
- chromium-90-cstdint.patch: some cstd includes added
- chromium-90-fseal.patch: F_SEAL defines added
-------------------------------------------------------------------
Wed Apr 14 16:09:27 UTC 2021 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 89.0.4389.128 (boo#1184700):
  * CVE-2021-21206: Use after free in blink
  * CVE-2021-21220: Insufficient validation of untrusted input in v8 for x86_64
-------------------------------------------------------------------
Sat Apr 3 17:41:28 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Update to 89.0.4389.114 bsc#1184256
  - CVE-2021-21194: Use after free in screen capture
  - CVE-2021-21195: Use after free in V8
  - CVE-2021-21196: Heap buffer overflow in TabStrip
  - CVE-2021-21197: Heap buffer overflow in TabStrip
  - CVE-2021-21198: Out of bounds read in IPC
  - CVE-2021-21199: Use after free in Aura
- Add libva-2.11.patch to fix build with libva <2.11
- Add libva-2.11-nolegacy.patch to fix build with libva 2.11
- Remove x11-ozone-fix-two-edge-cases.patch
-------------------------------------------------------------------
Mon Mar 15 10:55:23 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Update to 89.0.4389.90 bsc#1183515
  - CVE-2021-21191: Use after free in WebRTC.
  - CVE-2021-21192: Heap buffer overflow in tab groups.
  - CVE-2021-21193: Use after free in Blink.
-------------------------------------------------------------------
Thu Mar 11 18:03:38 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Update to 89.0.4389.82
- Add x11-ozone-fix-two-edge-cases.patch to fix tab drag errors
-------------------------------------------------------------------
Fri Mar 5 11:44:48 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Update to 89.0.4389.72 bsc#1182960
  - CVE-2021-21159: Heap buffer overflow in TabStrip.
  - CVE-2021-21160: Heap buffer overflow in WebAudio.
  - CVE-2021-21161: Heap buffer overflow in TabStrip.
  - CVE-2021-21162: Use after free in WebRTC.
  - CVE-2021-21163: Insufficient data validation in Reader Mode.
  - CVE-2021-21164: Insufficient data validation in Chrome for iOS.
  - CVE-2021-21165: Object lifecycle issue in audio.
  - CVE-2021-21166: Object lifecycle issue in audio.
  - CVE-2021-21167: Use after free in bookmarks.
  - CVE-2021-21168: Insufficient policy enforcement in appcache.
  - CVE-2021-21169: Out of bounds memory access in V8.
  - CVE-2021-21170: Incorrect security UI in Loader.
  - CVE-2021-21171: Incorrect security UI in TabStrip and Navigation.
  - CVE-2021-21172: Insufficient policy enforcement in File System API.
  - CVE-2021-21173: Side-channel information leakage in Network Internals.
  - CVE-2021-21174: Inappropriate implementation in Referrer.
  - CVE-2021-21175: Inappropriate implementation in Site isolation.
  - CVE-2021-21176: Inappropriate implementation in full screen mode.
  - CVE-2021-21177: Insufficient policy enforcement in Autofill.
  - CVE-2021-21178: Inappropriate implementation in Compositing.
  - CVE-2021-21179: Use after free in Network Internals.
  - CVE-2021-21180: Use after free in tab search.
  - CVE-2020-27844: Heap buffer overflow in OpenJPEG.
  - CVE-2021-21181: Side-channel information leakage in autofill.
  - CVE-2021-21182: Insufficient policy enforcement in navigations.
  - CVE-2021-21183: Inappropriate implementation in performance APIs.
  - CVE-2021-21184: Inappropriate implementation in performance APIs.
  - CVE-2021-21185: Insufficient policy enforcement in extensions.
  - CVE-2021-21186: Insufficient policy enforcement in QR scanning.
  - CVE-2021-21187: Insufficient data validation in URL formatting.
  - CVE-2021-21188: Use after free in Blink.
  - CVE-2021-21189: Insufficient policy enforcement in payments.
  - CVE-2021-21190: Uninitialized Use in PDFium.
- Added patches:
  - chromium-89-quiche-private.patch
  - chromium-89-quiche-dcheck.patch
  - chromium-89-skia-CropRect.patch
  - chromium-89-dawn-include.patch
  - chromium-89-webcodecs-deps.patch
  - chromium-89-EnumTable-crash.patch
  - chromium-shim_headers.patch
  - chromium-89-missing-cstring-header.patch
  - chromium-89-AXTreeSerializer-include.patch
  - chromium-88-gcc-fix-swiftshader-libEGL-visibility.patch (bsc#1182775)
- Removed patches:
  - chromium-fix-char_traits.patch
  - build-with-pipewire-0.3.patch
  - chromium-79-gcc-protobuf-alignas.patch
  - chromium-87-CursorFactory-include.patch
  - chromium-87-openscreen-include.patch
  - chromium-88-vaapi-attribute.patch
  - chromium-88-ozone-deps.patch
  - chromium-87-webcodecs-deps.patch
  - chromium-88-ityp-include.patch
  - chromium-88-AXTreeFormatter-include.patch
  - chromium-88-BookmarkModelObserver-include.patch
  - chromium-88-federated_learning-include.patch
  - chromium-88-ideographicSpaceCharacter.patch
  - chromium-88-StringPool-include.patch
  - chromium-88-dawn-static.patch
  - chromium-88-CompositorFrameReporter-dcheck.patch
-------------------------------------------------------------------
Wed Feb 17 11:41:49 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Update to 88.0.4324.182 bsc#1182358
  - CVE-2021-21149: Stack overflow in Data Transfer.
  - CVE-2021-21150: Use after free in Downloads.
  - CVE-2021-21151: Use after free in Payments.
  - CVE-2021-21152: Heap buffer overflow in Media.
  - CVE-2021-21153: Stack overflow in GPU Process.
  - CVE-2021-21154: Heap buffer overflow in Tab Strip.
  - CVE-2021-21155: Heap buffer overflow in Tab Strip.
  - CVE-2021-21156: Heap buffer overflow in V8.
  - CVE-2021-21157: Use after free in Web Sockets.
-------------------------------------------------------------------
Mon Feb 15 07:53:24 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Add chromium-glibc-2.33.patch: fix Sandbox with glibc 2.33 (bsc#1182233)
-------------------------------------------------------------------
Sat Feb 6 13:26:42 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Update to 88.0.4324.150 bsc#1181827
  - CVE-2021-21148: Heap buffer overflow in V8
-------------------------------------------------------------------
Thu Feb 4 10:09:32 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Update to 88.0.4324.146 bsc#1181772
  - CVE-2021-21142: Use after free in Payments
  - CVE-2021-21143: Heap buffer overflow in Extensions
  - CVE-2021-21144: Heap buffer overflow in Tab Groups.
  - CVE-2021-21145: Use after free in Fonts
  - CVE-2021-21146: Use after free in Navigation.
  - CVE-2021-21147: Inappropriate implementation in Skia
-------------------------------------------------------------------
Sat Jan 23 10:09:14 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Update to 88.0.4324.96 bsc#1181137
  - CVE-2021-21117: Insufficient policy enforcement in Cryptohome
  - CVE-2021-21118: Insufficient data validation in V8
  - CVE-2021-21119: Use after free in Media
  - CVE-2021-21120: Use after free in WebSQL
  - CVE-2021-21121: Use after free in Omnibox
  - CVE-2021-21122: Use after free in Blink
  - CVE-2021-21123: Insufficient data validation in File System API
  - CVE-2021-21124: Potential use after free in Speech Recognizer
  - CVE-2021-21125: Insufficient policy enforcement in File System API
  - CVE-2020-16044: Use after free in WebRTC
  - CVE-2021-21126: Insufficient policy enforcement in extensions
  - CVE-2021-21127: Insufficient policy enforcement in extensions
  - CVE-2021-21128: Heap buffer overflow in Blink
  - CVE-2021-21129: Insufficient policy enforcement in File System API
  - CVE-2021-21130: Insufficient policy enforcement in File System API
  - CVE-2021-21131: Insufficient policy enforcement in File System API
  - CVE-2021-21132: Inappropriate implementation in DevTools
  - CVE-2021-21133: Insufficient policy enforcement in Downloads
  - CVE-2021-21134: Incorrect security UI in Page Info
  - CVE-2021-21135: Inappropriate implementation in Performance API
  - CVE-2021-21136: Insufficient policy enforcement in WebView
  - CVE-2021-21137: Inappropriate implementation in DevTools
  - CVE-2021-21138: Use after free in DevTools
  - CVE-2021-21139: Inappropriate implementation in iframe sandbox
  - CVE-2021-21140: Uninitialized Use in USB
  - CVE-2021-21141: Insufficient policy enforcement in File System API
- Added patches:
  - chromium-88-compiler.patch
  - chromium-88-ozone-deps.patch
  - chromium-88-ityp-include.patch
  - chromium-88-AXTreeFormatter-include.patch
  - chromium-88-BookmarkModelObserver-include.patch
  - chromium-88-federated_learning-include.patch
  - chromium-88-ideographicSpaceCharacter.patch
  - chromium-88-StringPool-include.patch
  - chromium-88-dawn-static.patch
  - chromium-88-CompositorFrameReporter-dcheck.patch
- Removed patches:
  - gpu-timeout.patch
  - chromium-87-compiler.patch
  - chromium-87-ServiceWorkerContainerHost-crash.patch
  - chromium-87-ozone-deps.patch
  - chromium-87-v8-icu68.patch
  - chromium-87-icu68.patch
-------------------------------------------------------------------
Sat Jan 16 11:40:43 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Remove C++ only flags from CFLAGS
- Update chromium-gcc11.patch
- Comply with new Google API key rules for Derivatives
-------------------------------------------------------------------
Thu Jan 7 08:59:35 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>

- Update to 87.0.4280.141 bsc#1180645
  - CVE-2021-21106: Use after free in autofill
  - CVE-2021-21107: Use after free in drag and drop
  - CVE-2021-21108: Use after free in media
  - CVE-2021-21109: Use after free in payments
  - CVE-2021-21110: Use after free in safe browsing
  - CVE-2021-21111: Insufficient policy enforcement in WebUI
  - CVE-2021-21112: Use after free in Blink
  - CVE-2021-21113: Heap buffer overflow in Skia
  - CVE-2020-16043: Insufficient data validation in networking
  - CVE-2021-21114: Use after free in audio
  - CVE-2020-15995: Out of bounds write in V8
  - CVE-2021-21115: Use after free in safe browsing
  - CVE-2021-21116: Heap buffer overflow in audio
-------------------------------------------------------------------
Sun Dec 20 17:27:47 UTC 2020 - Callum Farmer <gmbr3@opensuse.org>

- Use main URLs instead of redirects in master preferences
- Remove useless %post and %postun
-------------------------------------------------------------------
Fri Dec 4 15:24:58 UTC 2020 - Callum Farmer <gmbr3@opensuse.org>

- Added patches:
  - chromium-87-icu68.patch
  - chromium-87-v8-icu68.patch
- Update to 87.0.4280.88 bsc#1179576
  - CVE-2020-16037: Use after free in clipboard
  - CVE-2020-16038: Use after free in media
  - CVE-2020-16039: Use after free in extensions
  - CVE-2020-16040: Insufficient data validation in V8
  - CVE-2020-16041: Out of bounds read in networking
  - CVE-2020-16042: Uninitialized Use in V8
-------------------------------------------------------------------
Sat Nov 28 16:29:53 UTC 2020 - Callum Farmer <gmbr3@opensuse.org>

- Remove erroneous call to ldconfig which causes Firefox crashes (boo#1179298)
-------------------------------------------------------------------
Thu Nov 19 21:17:10 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>

- Added patches:
  - chromium-gcc11.patch
  - chromium-86-fix-vaapi-on-intel.patch
  - chromium-87-compiler.patch
  - chromium-87-CursorFactory-include.patch
  - chromium-87-openscreen-include.patch
  - chromium-87-ozone-deps.patch
  - chromium-87-ServiceWorkerContainerHost-crash.patch
  - chromium-87-webcodecs-deps.patch
  - chromium-88-vaapi-attribute.patch
  - chromium-lp152-missing-includes.patch
- Removed patches:
  - chromium-86-ServiceWorkerRunningInfo-noexcept.patch
  - chromium-86-compiler.patch
  - fix-invalid-end-iterator-usage-in-CookieMonster.patch
  - old-libva.patch
- Update to 87.0.4280.66 bsc#1178923
  - Wayland support by default
  - CVE-2020-16018: Use after free in payments.
  - CVE-2020-16019: Inappropriate implementation in filesystem.
  - CVE-2020-16020: Inappropriate implementation in cryptohome.
  - CVE-2020-16021: Race in ImageBurner.
  - CVE-2020-16022: Insufficient policy enforcement in networking.
  - CVE-2020-16015: Insufficient data validation in WASM.
  - CVE-2020-16014: Use after free in PPAPI.
  - CVE-2020-16023: Use after free in WebCodecs.
  - CVE-2020-16024: Heap buffer overflow in UI.
  - CVE-2020-16025: Heap buffer overflow in clipboard.
  - CVE-2020-16026: Use after free in WebRTC.
  - CVE-2020-16027: Insufficient policy enforcement in developer tools.
  - CVE-2020-16028: Heap buffer overflow in WebRTC.
  - CVE-2020-16029: Inappropriate implementation in PDFium.
  - CVE-2020-16030: Insufficient data validation in Blink.
  - CVE-2019-8075: Insufficient data validation in Flash.
  - CVE-2020-16031: Incorrect security UI in tab preview.
  - CVE-2020-16032: Incorrect security UI in sharing.
  - CVE-2020-16033: Incorrect security UI in WebUSB.
  - CVE-2020-16034: Inappropriate implementation in WebRTC.
  - CVE-2020-16035: Insufficient data validation in cros-disks.
  - CVE-2020-16012: Side-channel information leakage in graphics.
  - CVE-2020-16036: Inappropriate implementation in cookies.
-------------------------------------------------------------------
Thu Nov 12 08:44:47 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>

- Update to 86.0.4240.198 bsc#1178703
  - CVE-2020-16013: Inappropriate implementation in V8
  - CVE-2020-16017: Use after free in site isolation
-------------------------------------------------------------------
Wed Nov 11 14:21:25 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>

- Update to 86.0.4240.193 bsc#1178630
  - CVE-2020-16016: Inappropriate implementation in base.
-------------------------------------------------------------------
Tue Nov 3 09:37:03 UTC 2020 - Callum Farmer <callumjfarmer13@gmail.com>

- Update to 86.0.4240.183 bsc#1178375
  - CVE-2020-16004: Use after free in user interface.
  - CVE-2020-16005: Insufficient policy enforcement in ANGLE.
  - CVE-2020-16006: Inappropriate implementation in V8
  - CVE-2020-16007: Insufficient data validation in installer.
  - CVE-2020-16008: Stack buffer overflow in WebRTC.
  - CVE-2020-16009: Inappropriate implementation in V8.
  - CVE-2020-16011: Heap buffer overflow in UI on Windows.
-------------------------------------------------------------------
Thu Oct 22 06:06:13 UTC 2020 - Marcus Meissner <meissner@suse.com>

- Update to 86.0.4240.111 bsc#1177936
  - CVE-2020-16000: Inappropriate implementation in Blink.
  - CVE-2020-16001: Use after free in media.
  - CVE-2020-16002: Use after free in PDFium.
  - CVE-2020-15999: Heap buffer overflow in Freetype.
  - CVE-2020-16003: Use after free in printing.
-------------------------------------------------------------------
Mon Oct 19 12:27:04 UTC 2020 - Marcus Meissner <meissner@suse.com>

- chromium-86-f_seal.patch: F_SEAL* definitions added for leap 15.1 and 15.2
- replace one missed g++-9 by g++-10 for leap 15.1/15.2
-------------------------------------------------------------------
Wed Oct 14 11:37:13 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Remove vdpau->vaapi bridge as it breaks a lot:
  (fixes welcome by someone else than me)
  * chromium-vaapi-fix.patch
-------------------------------------------------------------------
Wed Oct 14 11:36:22 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Fix cookiemonster:
  * fix-invalid-end-iterator-usage-in-CookieMonster.patch
-------------------------------------------------------------------
Wed Oct 14 11:06:57 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Update to 86.0.4240.75 bsc#1177408:
  * CVE-2020-15967: Use after free in payments.
  * CVE-2020-15968: Use after free in Blink.
  * CVE-2020-15969: Use after free in WebRTC.
  * CVE-2020-15970: Use after free in NFC.
  * CVE-2020-15971: Use after free in printing.
  * CVE-2020-15972: Use after free in audio.
  * CVE-2020-15990: Use after free in autofill.
  * CVE-2020-15991: Use after free in password manager.
  * CVE-2020-15973: Insufficient policy enforcement in extensions.
  * CVE-2020-15974: Integer overflow in Blink.
  * CVE-2020-15975: Integer overflow in SwiftShader.
  * CVE-2020-15976: Use after free in WebXR.
  * CVE-2020-6557: Inappropriate implementation in networking.
  * CVE-2020-15977: Insufficient data validation in dialogs.
  * CVE-2020-15978: Insufficient data validation in navigation.
  * CVE-2020-15979: Inappropriate implementation in V8.
  * CVE-2020-15980: Insufficient policy enforcement in Intents.
  * CVE-2020-15981: Out of bounds read in audio.
  * CVE-2020-15982: Side-channel information leakage in cache.
  * CVE-2020-15983: Insufficient data validation in webUI.
  * CVE-2020-15984: Insufficient policy enforcement in Omnibox.
  * CVE-2020-15985: Inappropriate implementation in Blink.
  * CVE-2020-15986: Integer overflow in media.
  * CVE-2020-15987: Use after free in WebRTC.
  * CVE-2020-15992: Insufficient policy enforcement in networking.
  * CVE-2020-15988: Insufficient policy enforcement in downloads.
  * CVE-2020-15989: Uninitialized Use in PDFium.
- Add patches:
  * chromium-78-protobuf-RepeatedPtrField-export.patch
  * chromium-79-gcc-protobuf-alignas.patch
  * chromium-80-QuicStreamSendBuffer-deleted-move-constructor.patch
  * chromium-86-ConsumeDurationNumber-constexpr.patch
  * chromium-86-ImageMemoryBarrierData-init.patch
  * chromium-86-ServiceWorkerRunningInfo-noexcept.patch
  * chromium-86-compiler.patch
  * chromium-86-nearby-explicit.patch
  * chromium-86-nearby-include.patch
- Remove patches:
  * chromium-79-gcc-alignas.patch
  * chromium-80-gcc-quiche.patch
  * chromium-82-gcc-constexpr.patch
  * chromium-83-gcc-10.patch
  * chromium-84-gcc-include.patch
  * chromium-84-mediaalloc.patch
  * chromium-85-DelayNode-cast.patch
  * chromium-85-FrameWidget-namespace.patch
  * chromium-85-NearbyConnection-abstract.patch
  * chromium-85-NearbyShareEncryptedMetadataKey-include.patch
  * chromium-85-oscillator_node-cast.patch
  * chromium-85-ostream-operator.patch
  * chromium-85-ozone-include.patch
  * chromium-85-sim_hash-include.patch
  * chromium-blink-gcc-diagnostic-pragma.patch
  * chromium-dma-buf.patch
  * chromium-drm.patch
  * chromium-quiche-invalid-offsetof.patch
-------------------------------------------------------------------
Sat Oct 10 17:05:01 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>

- build with system libevent, the gn bug is no longer present
-------------------------------------------------------------------
Wed Sep 23 08:38:34 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Remove TOC files to avoid warning in post and fix angle conditional
-------------------------------------------------------------------
Tue Sep 22 12:28:43 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Update to 85.0.4183.121 bsc#1176791:
  * CVE-2020-15960: Out of bounds read in storage
  * CVE-2020-15961: Insufficient policy enforcement in extensions
  * CVE-2020-15962: Insufficient policy enforcement in serial
  * CVE-2020-15963: Insufficient policy enforcement in extensions
  * CVE-2020-15965: Out of bounds write in V8
  * CVE-2020-15966: Insufficient policy enforcement in extensions
  * CVE-2020-15964: Insufficient data validation in media
-------------------------------------------------------------------
Tue Sep 15 08:38:18 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- The egl stuff is from angle not swiftshader, thanks Fedora bsc#1176450
-------------------------------------------------------------------
Sat Sep 12 17:01:53 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Add back the swiftshader folder wrt bsc#1176450
-------------------------------------------------------------------
Wed Sep 9 06:36:04 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Update 85.0.4183.102 bsc#1176306:
  * CVE-2020-6573: Use after free in video.
  * CVE-2020-6574: Insufficient policy enforcement in installer.
  * CVE-2020-6575: Race in Mojo.
  * CVE-2020-6576: Use after free in offscreen canvas.
  * CVE-2020-15959: Insufficient policy enforcement in networking.
-------------------------------------------------------------------
Tue Sep 8 06:53:23 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Move swiftshader stuff to chromium folder directly bsc#1176207
-------------------------------------------------------------------
Tue Sep 1 10:15:44 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Really update to .83 we accidentally included .69 beta release
-------------------------------------------------------------------
Fri Aug 28 07:21:04 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Add patch trying to compile with old libdrm on Leap 15.1:
  * chromium-lp151-old-drm.patch
-------------------------------------------------------------------
Thu Aug 27 08:27:42 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Version update to 85.0.4183.83 bsc#1175757
  * CVE-2020-6558: Insufficient policy enforcement in iOS
  * CVE-2020-6559: Use after free in presentation API
  * CVE-2020-6560: Insufficient policy enforcement in autofill
  * CVE-2020-6561: Inappropriate implementation in Content Security Policy
  * CVE-2020-6562: Insufficient policy enforcement in Blink
  * CVE-2020-6563: Insufficient policy enforcement in intent handling.
  * CVE-2020-6564: Incorrect security UI in permissions
  * CVE-2020-6565: Incorrect security UI in Omnibox.
  * CVE-2020-6566: Insufficient policy enforcement in media.
  * CVE-2020-6567: Insufficient validation of untrusted input in command line handling.
  * CVE-2020-6568: Insufficient policy enforcement in intent handling.
  * CVE-2020-6569: Integer overflow in WebUSB.
  * CVE-2020-6570: Side-channel information leakage in WebRTC.
  * CVE-2020-6571: Incorrect security UI in Omnibox.
- Use bundled vpx everywhere again as it fails to compile against
  system version
- Added patches:
  * chromium-85-DelayNode-cast.patch
  * chromium-85-FrameWidget-namespace.patch
  * chromium-85-NearbyConnection-abstract.patch
  * chromium-85-NearbyShareEncryptedMetadataKey-include.patch
  * chromium-85-oscillator_node-cast.patch
  * chromium-85-ostream-operator.patch
  * chromium-85-ozone-include.patch
  * chromium-85-sim_hash-include.patch
- Removed patches:
  * chromium-82-gcc-template.patch
  * chromium-84-AXObject-stl-iterator.patch
  * chromium-84-FilePath-add-noexcept.patch
  * chromium-84-base-has_bultin.patch
  * chromium-84-fix-decltype.patch
  * chromium-84-gcc-DOMRect-constexpr.patch
  * chromium-84-gcc-noexcept.patch
  * chromium-84-gcc-template.patch
  * chromium-84-gcc-unique_ptr.patch
  * chromium-84-gcc-use-brace-initializer.patch
  * chromium-84-nss-include.patch
  * chromium-84-ozone-include.patch
  * chromium-84-revert-manage-ManifestManagerHost-per-document.patch
  * chromium-84-std-vector-const.patch
  * chromium-clang_lto_visibility_public.patch
- Updated patches:
  * chromium-83-gcc-10.patch
  * chromium-84-gcc-include.patch
  * chromium-prop-codecs.patch
  * gcc-enable-lto.patch
-------------------------------------------------------------------
Thu Aug 27 06:36:50 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Do not use libexec as we use /usr/lib as a target folder
-------------------------------------------------------------------
Fri Aug 21 08:12:26 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Fix the build by removing expectation of llvm-7.0
-------------------------------------------------------------------
Thu Aug 20 07:29:42 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Update to 84.0.4147.135 (bsc#1175505):
  * CVE-2020-6556: Heap buffer overflow in SwiftShader
-------------------------------------------------------------------
Wed Aug 12 12:00:41 UTC 2020 - Martin Liška <mliska@suse.cz>

- Add chromium-disable-parallel-gold.patch in order to disable
  broken parallel ld.gold with LTO.
- Enable again LTO for x86_64 and increase memory constraints.
- Use parallel WPA streaming, we will easily fit into memory
  constraints.
- Remove memory_constrain hack for LTO.
-------------------------------------------------------------------
Mon Aug 10 22:06:22 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>

- Chromium 84.0.4147.125 (boo#1175085)
  * CVE-2020-6542: Use after free in ANGLE
  * CVE-2020-6543: Use after free in task scheduling
  * CVE-2020-6544: Use after free in media
  * CVE-2020-6545: Use after free in audio
  * CVE-2020-6546: Inappropriate implementation in installer
  * CVE-2020-6547: Incorrect security UI in media
  * CVE-2020-6548: Heap buffer overflow in Skia
  * CVE-2020-6549: Use after free in media
  * CVE-2020-6550: Use after free in IndexedDB
  * CVE-2020-6551: Use after free in WebXR
  * CVE-2020-6552: Use after free in Blink
  * CVE-2020-6553: Use after free in offline mode
  * CVE-2020-6554: Use after free in extensions
  * CVE-2020-6555: Out of bounds read in WebGL
  * Various fixes from internal audits, fuzzing and other initiatives
-------------------------------------------------------------------
Mon Aug 10 10:50:11 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Disable wayland everywhere as it breaks headless and middle mouse
  copy everywhere: bsc#1174497 bsc#1175044
-------------------------------------------------------------------
Mon Aug 3 17:48:18 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de>

- Update to 84.0.4147.105 (boo#1174582):
  * CVE-2020-6537: Type Confusion in V8
  * CVE-2020-6538: Inappropriate implementation in WebView
  * CVE-2020-6532: Use after free in SCTP
  * CVE-2020-6539: Use after free in CSS
  * CVE-2020-6540: Heap buffer overflow in Skia
  * CVE-2020-6541: Use after free in WebUSB
-------------------------------------------------------------------
Fri Jul 17 07:00:20 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Try to fix non-wayland build for Leap builds
-------------------------------------------------------------------
Thu Jul 16 11:33:24 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com>

- Update to 84.0.4147.89 bsc#1174189:
  * Critical CVE-2020-6510: Heap buffer overflow in background fetch.
  * High CVE-2020-6511: Side-channel information leakage in content security policy.
  * High CVE-2020-6512: Type Confusion in V8.
  * High CVE-2020-6513: Heap buffer overflow in PDFium.
  * High CVE-2020-6514: Inappropriate implementation in WebRTC.
  * High CVE-2020-6515: Use after free in tab strip.
  * High CVE-2020-6516: Policy bypass in CORS.
  * High CVE-2020-6517: Heap buffer overflow in history.
  * Medium CVE-2020-6518: Use after free in developer tools.
  * Medium CVE-2020-6519: Policy bypass in CSP.
  * Medium CVE-2020-6520: Heap buffer overflow in Skia.
  * Medium CVE-2020-6521: Side-channel information leakage in autofill.
  * Medium CVE-2020-6522: Inappropriate implementation in external protocol handlers.
  * Medium CVE-2020-6523: Out of bounds write in Skia.
  * Medium CVE-2020-6524: Heap buffer overflow in WebAudio.
  * Medium CVE-2020-6525: Heap buffer overflow in Skia.
  * Low CVE-2020-6526: Inappropriate implementation in iframe sandbox.
  * Low CVE-2020-6527: Insufficient policy enforcement in CSP.
  * Low CVE-2020-6528: Incorrect security UI in basic auth.
  * Low CVE-2020-6529: Inappropriate implementation in WebRTC.
  * Low CVE-2020-6530: Out of bounds memory access in developer tools.
  * Low CVE-2020-6531: Side-channel information leakage in scroll to text.
  * Low CVE-2020-6533: Type Confusion in V8.
  * Low CVE-2020-6534: Heap buffer overflow in WebRTC.
  * Low CVE-2020-6535: Insufficient data validation in WebUI.
  * Low CVE-2020-6536: Incorrect security UI in PWAs.
- Use bundled xcb-proto as we need to generate py2 bindings
- Add new patches:
  * chromium-84-AXObject-stl-iterator.patch
  * chromium-84-FilePath-add-noexcept.patch
  * chromium-84-base-has_bultin.patch
  * chromium-84-blink-disable-clang-format.patch
  * chromium-84-fix-decltype.patch
  * chromium-84-gcc-DOMRect-constexpr.patch
  * chromium-84-gcc-include.patch
  * chromium-84-gcc-noexcept.patch
  * chromium-84-gcc-template.patch
  * chromium-84-gcc-unique_ptr.patch
  * chromium-84-gcc-use-brace-initializer.patch
  * chromium-84-nss-include.patch
  * chromium-84-ozone-include.patch
  * chromium-84-revert-manage-ManifestManagerHost-per-document.patch
  * chromium-84-std-vector-const.patch
  * chromium-84.0.4147.89.tar.xz
  * chromium-blink-gcc-diagnostic-pragma.patch
  * chromium-clang_lto_visibility_public.patch
  * chromium-quiche-invalid-offsetof.patch
  * system-libdrm.patch
- Remove no longer needed patches:
  * chromium-81-re2-0.2020.05.01.patch
  * chromium-82-gcc-incomplete-type.patch
  * chromium-82-gcc-iterator.patch
  * chromium-82-gcc-noexcept.patch
  * chromium-83-gcc-include.patch
  * chromium-83-gcc-iterator.patch
  * chromium-83-gcc-permissive.patch
  * chromium-83-gcc-serviceworker.patch
  * chromium-83-gcc-template.patch
  * chromium-83-icu67.patch
  * chromium-83.0.4103.97-skia-gcc-no_sanitize-fixes.patch
  * chromium-dev-shm.patch
- Rebase and update patches:
  * build-with-pipewire-0.3.patch
  * chromium-83-gcc-10.patch
  * chromium-84-mediaalloc.patch
  * chromium-norar.patch
  * chromium-vaapi-fix.patch
-------------------------------------------------------------------
Sun Jun 28 02:27:12 UTC 2020 - Atri Bhattacharya <badshah400@gmail.com>

- Refresh build-with-pipewire-0.3.patch to mirror similar patch
  by Fedora for Firefox; screen-capture wasn't actually working
  with the previous version of the patch.
- Add BuildRequires: pkgconfig(libspa-2.0) when building with pipewire support to guard against potential package splitting off of pipewire-spa-devel from pipewire-devel. ------------------------------------------------------------------- Thu Jun 25 07:12:24 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Disable the LTO again as it still OOMs quite often ------------------------------------------------------------------- Wed Jun 24 07:40:07 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Add patch to work with new ffmpeg wrt bsc#1173292: * chromium-84-mediaalloc.patch ------------------------------------------------------------------- Tue Jun 23 14:20:46 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Add multimedia fix for disabled location and also try one additional patch from Debian on the same issue bsc#1173107 Update patch: * no-location-leap151.patch ------------------------------------------------------------------- Tue Jun 23 08:20:43 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Add patch from Fedora to avoid attribute overrides in skia: * chromium-83.0.4103.97-skia-gcc-no_sanitize-fixes.patch ------------------------------------------------------------------- Tue Jun 23 08:08:08 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Add patch to hopefully fix bsc#1173107: * chromium-dev-shm.patch ------------------------------------------------------------------- Tue Jun 23 07:51:28 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 83.0.4103.116 bsc#1173251: * CVE-2020-6509: Use after free in extensions ------------------------------------------------------------------- Fri Jun 19 07:34:53 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Reduce constraints to say 20 GB disk space is enough ------------------------------------------------------------------- Fri Jun 19 07:13:03 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Disable wayland integration on 15.x bsc#1173187 bsc#1173188 bsc#1173254 
------------------------------------------------------------------- Thu Jun 18 07:39:50 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Enforce to not use system borders bsc#1173063 ------------------------------------------------------------------- Wed Jun 17 08:32:06 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 83.0.4103.106 bsc#1173029: * CVE-2020-6505: Use after free in speech * CVE-2020-6506: Insufficient policy enforcement in WebView * CVE-2020-6507: Out of bounds write in V8 ------------------------------------------------------------------- Mon Jun 15 14:05:36 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Another attempt on the location handling for Leap 15.1: * no-location-leap151.patch ------------------------------------------------------------------- Thu Jun 11 16:31:50 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Attempt to build with wayland/ozone enabled ------------------------------------------------------------------- Thu Jun 11 12:14:32 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Enable more system libs on 15.2+ - Remove the chromium-83-gcc-location-revert.patch as it is the wrong approach to fix the problem ------------------------------------------------------------------- Thu Jun 11 09:05:00 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update _constraints to match up LTO enablement ------------------------------------------------------------------- Wed Jun 10 12:20:57 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - With GCC 10 released we should be able to enable LTO again ------------------------------------------------------------------- Thu Jun 4 06:28:45 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 83.0.4103.97 bsc#1172496: * CVE-2020-6493: Use after free in WebAuthentication. * CVE-2020-6494: Incorrect security UI in payments. * CVE-2020-6495: Insufficient policy enforcement in developer tools. * CVE-2020-6496: Use after free in payments. 
------------------------------------------------------------------- Thu May 28 09:18:05 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Add patch to not use bundled unrar: * chromium-norar.patch ------------------------------------------------------------------- Thu May 28 08:59:02 UTC 2020 - Fabian Vogt <fvogt@suse.com> - Amend chromium-prop-codecs.patch to allow proprietary_codecs without building third_party/openh264 ------------------------------------------------------------------- Wed May 27 12:03:31 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Add revert of location setting commit that broke build on openSUSE Leap 15.1: * chromium-83-gcc-location-revert.patch ------------------------------------------------------------------- Mon May 25 09:16:54 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Switch to GCC 9.x on Leaps to avoid gcc bug exposed in gcc8 ------------------------------------------------------------------- Fri May 22 09:44:37 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Add patch to fix building with new re2: * chromium-81-re2-0.2020.05.01.patch ------------------------------------------------------------------- Wed May 20 16:35:28 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org> - Update _constraints to avoid very slow builds seen on obs-arm-4 (probably due to swap) ------------------------------------------------------------------- Wed May 20 09:35:32 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 83.0.4103.61 bsc#1171910: * CVE-2020-6465: Use after free in reader mode. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-04-21 * CVE-2020-6466: Use after free in media. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-04-26 * CVE-2020-6467: Use after free in WebRTC. Reported by ZhanJia Song on 2020-04-06 * CVE-2020-6468: Type Confusion in V8. Reported by Chris Salls and Jake Corina of Seaside Security, Chani Jindal of Shellphish on 2020-04-30 * CVE-2020-6469: Insufficient policy enforcement in developer tools. 
Reported by David Erceg on 2020-04-02 * CVE-2020-6470: Insufficient validation of untrusted input in clipboard. Reported by Michał Bentkowski of Securitum on 2020-03-30 * CVE-2020-6471: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-08 * CVE-2020-6472: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-03-25 * CVE-2020-6473: Insufficient policy enforcement in Blink. Reported by Soroush Karami and Panagiotis Ilia on 2020-02-06 * CVE-2020-6474: Use after free in Blink. Reported by Zhe Jin from cdsrc of Qihoo 360 on 2020-03-07 * CVE-2020-6475: Incorrect security UI in full screen. Reported by Khalil Zhani on 2019-10-31 * CVE-2020-6476: Insufficient policy enforcement in tab strip. Reported by Alexandre Le Borgne on 2019-12-18 * CVE-2020-6477: Inappropriate implementation in installer. Reported by RACK911 Labs on 2019-03-26 * CVE-2020-6478: Inappropriate implementation in full screen. Reported by Khalil Zhani on 2019-12-24 * CVE-2020-6479: Inappropriate implementation in sharing. Reported by Zhong Zhaochen of andsecurity.cn on 2020-01-14 * CVE-2020-6480: Insufficient policy enforcement in enterprise. Reported by Marvin Witt on 2020-02-21 * CVE-2020-6481: Insufficient policy enforcement in URL formatting. Reported by Rayyan Bijoora on 2020-04-07 * CVE-2020-6482: Insufficient policy enforcement in developer tools. Reported by Abdulrahman Alqabandi (@qab) on 2017-12-17 * CVE-2020-6483: Insufficient policy enforcement in payments. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-05-23 * CVE-2020-6484: Insufficient data validation in ChromeDriver. Reported by Artem Zinenko on 2020-01-26 * CVE-2020-6485: Insufficient data validation in media router. Reported by Sergei Glazunov of Google Project Zero on 2020-01-30 * CVE-2020-6486: Insufficient policy enforcement in navigations. Reported by David Erceg on 2020-02-24 * CVE-2020-6487: Insufficient policy enforcement in downloads. 
Reported by Jun Kokatsu (@shhnjk) on 2015-10-06 * CVE-2020-6488: Insufficient policy enforcement in downloads. Reported by David Erceg on 2020-01-21 * CVE-2020-6489: Inappropriate implementation in developer tools. Reported by @lovasoa (Ophir LOJKINE) on 2020-02-10 * CVE-2020-6490: Insufficient data validation in loader. Reported by Twitter on 2019-12-19 * CVE-2020-6491: Incorrect security UI in site information. Reported by Sultan Haikal M.A on 2020-02-07 - Rebase patch: * chromium-vaapi.patch - Remove merged patches: * icu-v67.patch * chromium-80-gcc-blink.patch * chromium-80.0.3987.106-missing-cstddef-header.patch * chromium-80.0.3987.87-missing-cstdint-header.patch * chromium-80.0.3987.87-missing-string-header.patch * chromium-81-gcc-constexpr.patch * chromium-81-gcc-noexcept.patch * chromium-old-glibc-noexcept.patch * fix-vaapi-with-glx.patch - Add new patches: * chromium-82-gcc-constexpr.patch * chromium-82-gcc-incomplete-type.patch * chromium-82-gcc-iterator.patch * chromium-82-gcc-noexcept.patch * chromium-82-gcc-template.patch * chromium-83-gcc-10.patch * chromium-83-gcc-include.patch * chromium-83-gcc-iterator.patch * chromium-83-gcc-permissive.patch * chromium-83-gcc-serviceworker.patch * chromium-83-gcc-template.patch * chromium-83-icu67.patch ------------------------------------------------------------------- Wed May 6 07:53:39 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - update to 81.0.4044.138 bsc#1171247: * CVE-2020-6831: Stack buffer overflow in SCTP * CVE-2020-6464: Type Confusion in Blink. 
------------------------------------------------------------------- Tue May 5 07:39:22 UTC 2020 - Ismail Dönmez <idonmez@suse.com> - Add icu-v67.patch from upstream to fix build with icu v67 ------------------------------------------------------------------- Wed Apr 29 06:53:20 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de> - update to 81.0.4044.129 (boo#1170707): * CVE-2020-0561: Use after free in storage * CVE-2020-6462: Use after free in task scheduling ------------------------------------------------------------------- Tue Apr 28 09:05:34 UTC 2020 - Martin Liška <mliska@suse.cz> - Add chromium-80.0.3987.87-missing-cstdint-header.patch, chromium-80.0.3987.87-missing-string-header.patch and chromium-80.0.3987.106-missing-cstddef-header.patch in order to fix build with GCC 10. ------------------------------------------------------------------- Tue Apr 21 23:24:11 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de> - Update to 81.0.4044.122 (boo#1170107 bsc#1171975): * CVE-2020-6459: Use after free in payments * CVE-2020-6460: Insufficient data validation in URL formatting * CVE-2020-6458: Out of bounds read and write in PDFium * CVE-2020-6463: Use after free in ANGLE ------------------------------------------------------------------- Fri Apr 17 08:12:35 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 81.0.4044.113 bsc#1169729: * CVE-2020-6457: Use after free in speech recognizer ------------------------------------------------------------------- Tue Apr 14 13:38:06 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Try to use system version of xdg-utils ------------------------------------------------------------------- Wed Apr 8 08:41:17 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 81.0.4044.92 bsc#1168911: * CVE-2020-6454: Use after free in extensions * CVE-2020-6423: Use after free in audio * CVE-2020-6455: Out of bounds read in WebSQL * CVE-2020-6430: Type Confusion in V8 * CVE-2020-6456: Insufficient validation of untrusted input in 
clipboard * CVE-2020-6431: Insufficient policy enforcement in full screen * CVE-2020-6432: Insufficient policy enforcement in navigations * CVE-2020-6433: Insufficient policy enforcement in extensions * CVE-2020-6434: Use after free in devtools * CVE-2020-6435: Insufficient policy enforcement in extensions * CVE-2020-6436: Use after free in window management * CVE-2020-6437: Inappropriate implementation in WebView * CVE-2020-6438: Insufficient policy enforcement in extensions * CVE-2020-6439: Insufficient policy enforcement in navigations * CVE-2020-6440: Inappropriate implementation in extensions * CVE-2020-6441: Insufficient policy enforcement in omnibox * CVE-2020-6442: Inappropriate implementation in cache * CVE-2020-6443: Insufficient data validation in developer tools * CVE-2020-6444: Uninitialized Use in WebRTC * CVE-2020-6445: Insufficient policy enforcement in trusted types * CVE-2020-6446: Insufficient policy enforcement in trusted types * CVE-2020-6447: Inappropriate implementation in developer tools * CVE-2020-6448: Use after free in V8 - Add new patches: * chromium-81-gcc-constexpr.patch * chromium-81-gcc-noexcept.patch * fix-vaapi-with-glx.patch - Remove no longer needed patches: * chromium-80-gcc-abstract.patch * chromium-80-gcc-incomplete-type.patch * chromium-80-gcc-permissive.patch * chromium-80-include.patch * chromium-80-unbundle-libxml.patch * chromium-missing-cstddef-header.patch * chromium-missing-cstdint-header.patch * chromium-missing-cstring-header.patch * chromium-missing-cstring-header2.patch * chromium-system-icu.patch * chromium-unbundle-zlib.patch * webrtc-pulse.patch - Rebase patches: * build-with-pipewire-0.3.patch * chromium-vaapi-fix.patch * chromium-vaapi.patch * gpu-timeout.patch * old-libva.patch ------------------------------------------------------------------- Thu Apr 2 09:21:02 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.162 bsc#1168421: * CVE-2020-6450: Use after free in WebAudio. 
* CVE-2020-6451: Use after free in WebAudio. * CVE-2020-6452: Heap buffer overflow in media. ------------------------------------------------------------------- Sun Mar 29 08:29:41 UTC 2020 - Martin Liška <mliska@suse.cz> - Rebase build-with-pipewire-0.3.patch in order to fix patch collision. ------------------------------------------------------------------- Sat Mar 28 18:41:02 UTC 2020 - Martin Liška <mliska@suse.cz> - Add chromium-missing-cstdint-header.patch, chromium-missing-cstring-header.patch, chromium-missing-cstring-header2.patch and chromium-missing-cstddef-header.patch in order to fix boo#1167465. ------------------------------------------------------------------- Fri Mar 27 11:48:36 UTC 2020 - Stasiek Michalski <stasiek@michalski.cc> - Use a symbolic icon for GNOME ------------------------------------------------------------------- Mon Mar 23 16:49:16 UTC 2020 - Antonio Larrosa <alarrosa@suse.com> - Add patch to allow building with pipewire 0.3: * build-with-pipewire-0.3.patch - Use pipewire in Leap 15.2 ------------------------------------------------------------------- Thu Mar 19 11:13:24 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.149: * High CVE-2020-6422: Use after free in WebGL. * High CVE-2020-6424: Use after free in media. * High CVE-2020-6425: Insufficient policy enforcement in extensions. * High CVE-2020-6426: Inappropriate implementation in V8. * High CVE-2020-6427: Use after free in audio. * High CVE-2020-6428: Use after free in audio. * High CVE-2020-6429: Use after free in audio. * High CVE-2019-20503: Out of bounds read in usersctplib. * High CVE-2020-6449: Use after free in audio. 
* Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Sat Mar 14 09:18:06 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Do not pull in python deps except interpreter, the bundles are patched anyway ------------------------------------------------------------------- Thu Mar 5 18:15:45 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.132 bsc#1165826: * CVE-2020-6420: Insufficient policy enforcement in media. * Various fixes from internal audits, fuzzing and other initiatives [2]. ------------------------------------------------------------------- Tue Mar 3 16:45:10 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Add patch trying to fix pulse audio issues with webrtc: * webrtc-pulse.patch ------------------------------------------------------------------- Tue Feb 25 12:25:51 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.122 bsc#1164828: * CVE-2020-6418: Type confusion in V8 * CVE-2020-6407: Out of bounds memory access in streams. 
* Integer overflow in ICU ------------------------------------------------------------------- Mon Feb 17 12:18:23 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Add chromedriver binary to bindir ------------------------------------------------------------------- Thu Feb 13 14:51:34 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Drop sandbox binary as it should not be needed really bsc#1163588 - Remove unused patch: * chromium-sandbox-pie.patch ------------------------------------------------------------------- Wed Feb 12 13:16:28 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.100 bsc#1163484: * feature fixes only ------------------------------------------------------------------- Wed Feb 5 13:04:03 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 80.0.3987.87 bsc#1162833: * CVE-2020-6381: Integer overflow in JavaScript * CVE-2020-6382: Type Confusion in JavaScript * CVE-2019-18197: Multiple vulnerabilities in XML * CVE-2019-19926: Inappropriate implementation in SQLite * CVE-2020-6385: Insufficient policy enforcement in storage * CVE-2019-19880, CVE-2019-19925: Multiple vulnerabilities in SQLite * CVE-2020-6387: Out of bounds write in WebRTC * CVE-2020-6388: Out of bounds memory access in WebAudio * CVE-2020-6389: Out of bounds write in WebRTC * CVE-2020-6390: Out of bounds memory access in streams * CVE-2020-6391: Insufficient validation of untrusted input in Blink * CVE-2020-6392: Insufficient policy enforcement in extensions * CVE-2020-6393: Insufficient policy enforcement in Blink * CVE-2020-6394: Insufficient policy enforcement in Blink * CVE-2020-6395: Out of bounds read in JavaScript * CVE-2020-6396: Inappropriate implementation in Skia * CVE-2020-6397: Incorrect security UI in sharing * CVE-2020-6398: Uninitialized use in PDFium * CVE-2020-6399: Insufficient policy enforcement in AppCache * CVE-2020-6400: Inappropriate implementation in CORS * CVE-2020-6401: Insufficient validation of untrusted input in Omnibox * CVE-2020-6402: 
Insufficient policy enforcement in downloads * CVE-2020-6403: Incorrect security UI in Omnibox * CVE-2020-6404: Inappropriate implementation in Blink * CVE-2020-6405: Out of bounds read in SQLite * CVE-2020-6406: Use after free in audio * CVE-2019-19923: Out of bounds memory access in SQLite * CVE-2020-6408: Insufficient policy enforcement in CORS * CVE-2020-6409: Inappropriate implementation in Omnibox * CVE-2020-6410: Insufficient policy enforcement in navigation * CVE-2020-6411: Insufficient validation of untrusted input in Omnibox * CVE-2020-6412: Insufficient validation of untrusted input in Omnibox * CVE-2020-6413: Inappropriate implementation in Blink * CVE-2020-6414: Insufficient policy enforcement in Safe Browsing * CVE-2020-6415: Inappropriate implementation in JavaScript * CVE-2020-6416: Insufficient data validation in streams * CVE-2020-6417: Inappropriate implementation in installer - Disable lto for now as it consumes >16GB ram - Added patches: * chromium-80-gcc-abstract.patch * chromium-80-gcc-blink.patch * chromium-80-gcc-incomplete-type.patch * chromium-80-gcc-permissive.patch * chromium-80-gcc-quiche.patch * chromium-80-include.patch * chromium-80-unbundle-libxml.patch * chromium-80.0.3987.87.tar.xz * chromium-fix-char_traits.patch * gpu-timeout.patch - Removed patches: * chromium-79-gcc-ambiguous-nodestructor.patch * chromium-79-gcc-name-clash.patch * chromium-79-gcc-permissive.patch * chromium-79-icu-65.patch * chromium-79-include.patch * chromium-79-system-hb.patch - Rebased patches: * chromium-old-glibc-noexcept.patch * chromium-vaapi-fix.patch * chromium-vaapi.patch ------------------------------------------------------------------- Sat Jan 18 20:04:05 UTC 2020 - Andreas Stieger <andreas.stieger@gmx.de> - Update to 79.0.3945.130 boo#1161252: * CVE-2020-6378: Use-after-free in speech recognizer * CVE-2020-6379: Use-after-free in speech recognizer * CVE-2020-6380: Extension message verification error * Various fixes from internal audits, 
fuzzing and other initiatives ------------------------------------------------------------------- Wed Jan 8 07:48:01 UTC 2020 - Tomáš Chvátal <tchvatal@suse.com> - Update to 79.0.3945.117 bsc#1160337: * CVE-2020-6377: Use after free in audio * Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Mon Dec 30 17:31:38 UTC 2019 - Stefan Brüns <stefan.bruens@rwth-aachen.de> - Drop obsolete liboil BuildRequires. ------------------------------------------------------------------- Thu Dec 19 21:58:01 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de> - update to 79.0.3945.88: * CVE-2019-13767: Use after free in media picker (boo#1159498) ------------------------------------------------------------------- Wed Dec 11 09:34:00 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 79.0.3945.79: * CVE-2019-13725: Use after free in Bluetooth * CVE-2019-13726: Heap buffer overflow in password manager * CVE-2019-13727: Insufficient policy enforcement in WebSockets * CVE-2019-13728: Out of bounds write in V8 * CVE-2019-13729: Use after free in WebSockets * CVE-2019-13730: Type Confusion in V8 * CVE-2019-13732: Use after free in WebAudio * CVE-2019-13734: Out of bounds write in SQLite * CVE-2019-13735: Out of bounds write in V8 * CVE-2019-13764: Type Confusion in V8 * CVE-2019-13736: Integer overflow in PDFium * CVE-2019-13737: Insufficient policy enforcement in autocomplete * CVE-2019-13738: Insufficient policy enforcement in navigation * CVE-2019-13739: Incorrect security UI in Omnibox * CVE-2019-13740: Incorrect security UI in sharing * CVE-2019-13741: Insufficient validation of untrusted input in Blink * CVE-2019-13742: Incorrect security UI in Omnibox * CVE-2019-13743: Incorrect security UI in external protocol handling * CVE-2019-13744: Insufficient policy enforcement in cookies * CVE-2019-13745: Insufficient policy enforcement in audio * CVE-2019-13746: Insufficient policy enforcement in 
Omnibox * CVE-2019-13747: Uninitialized Use in rendering * CVE-2019-13748: Insufficient policy enforcement in developer tools * CVE-2019-13749: Incorrect security UI in Omnibox * CVE-2019-13750: Insufficient data validation in SQLite * CVE-2019-13751: Uninitialized Use in SQLite * CVE-2019-13752: Out of bounds read in SQLite * CVE-2019-13753: Out of bounds read in SQLite * CVE-2019-13754: Insufficient policy enforcement in extensions * CVE-2019-13755: Insufficient policy enforcement in extensions * CVE-2019-13756: Incorrect security UI in printing * CVE-2019-13757: Incorrect security UI in Omnibox * CVE-2019-13758: Insufficient policy enforcement in navigation * CVE-2019-13759: Incorrect security UI in interstitials * CVE-2019-13761: Incorrect security UI in Omnibox * CVE-2019-13762: Insufficient policy enforcement in downloads * CVE-2019-13763: Insufficient policy enforcement in payments - Remove merged patches: * chromium-77-clang.patch * chromium-78-gcc-enum-range.patch * chromium-78-gcc-noexcept.patch * chromium-78-gcc-std-vector.patch * chromium-78-icon.patch * chromium-78-include.patch * chromium-78-noexcept.patch * chromium-78-pm-crash.patch * chromium-78-protobuf-export.patch - Add new patches: * chromium-79-gcc-alignas.patch * chromium-79-gcc-ambiguous-nodestructor.patch * chromium-79-gcc-name-clash.patch * chromium-79-gcc-permissive.patch * chromium-79-include.patch * chromium-79-system-hb.patch - Rebase patches: * chromium-dma-buf.patch * chromium-old-glibc-noexcept.patch * chromium-vaapi-fix.patch * fix_building_widevinecdm_with_chromium.patch * old-libva.patch ------------------------------------------------------------------- Wed Nov 20 10:51:40 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 78.0.3904.108 bsc#1157269: * CVE-2019-13723: Use-after-free in Bluetooth * CVE-2019-13724: Out-of-bounds access in Bluetooth * Various fixes from internal audits, fuzzing and other initiatives 
------------------------------------------------------------------- Mon Nov 18 07:53:32 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org> - Fix build on aarch64 with: * chromium-79-icu-65.patch ------------------------------------------------------------------- Fri Nov 8 12:46:23 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de> - Update to 78.0.3904.97 boo#1156172: * Various security fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Wed Nov 6 13:15:18 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Keep just one conditional for vaapi enablement ------------------------------------------------------------------- Mon Nov 4 11:25:23 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Add more magic for zlib handling for SLE12 build ------------------------------------------------------------------- Mon Nov 4 10:30:40 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Add patch trying to build on SLE12: * chromium-old-glibc-noexcept.patch ------------------------------------------------------------------- Fri Nov 1 10:55:52 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 78.0.3904.87 bsc#1155643: * CVE-2019-13721: Use-after-free in PDFium * CVE-2019-13720: Use-after-free in audio ------------------------------------------------------------------- Wed Oct 30 12:51:06 UTC 2019 - Martin Liška <mliska@suse.cz> - Enable LTO again with disabled parallel LTO WPA streaming. 
------------------------------------------------------------------- Fri Oct 25 10:50:35 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Disable LTO for now as it consumes ~20GB of RAM, we will reenable the feature later when some memory consumption fixes land in GCC ------------------------------------------------------------------- Thu Oct 24 12:43:15 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Adjust LDFLAGS settings for LTO to take memory-constraints into consideration ------------------------------------------------------------------- Wed Oct 23 12:53:22 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 78.0.3904.70 bsc#1154806: * CVE-2019-13699: Use-after-free in media * CVE-2019-13700: Buffer overrun in Blink * CVE-2019-13701: URL spoof in navigation * CVE-2019-13702: Privilege elevation in Installer * CVE-2019-13703: URL bar spoofing * CVE-2019-13704: CSP bypass * CVE-2019-13705: Extension permission bypass * CVE-2019-13706: Out-of-bounds read in PDFium * CVE-2019-13707: File storage disclosure * CVE-2019-13708: HTTP authentication spoof * CVE-2019-13709: File download protection bypass * CVE-2019-13710: File download protection bypass * CVE-2019-13711: Cross-context information leak * CVE-2019-15903: Buffer overflow in expat * CVE-2019-13713: Cross-origin data leak * CVE-2019-13714: CSS injection * CVE-2019-13715: Address bar spoofing * CVE-2019-13716: Service worker state error * CVE-2019-13717: Notification obscured * CVE-2019-13718: IDN spoof * CVE-2019-13719: Notification obscured * Various fixes from internal audits, fuzzing and other initiatives - Add patches: * chromium-78-gcc-enum-range.patch * chromium-78-gcc-noexcept.patch * chromium-78-gcc-std-vector.patch * chromium-78-icon.patch * chromium-78-include.patch * chromium-78-noexcept.patch * chromium-78-pm-crash.patch * chromium-78-protobuf-export.patch - Remove patches: * chromium-77-blink-include.patch * chromium-77-fix-gn-gen.patch * chromium-77-gcc-abstract.patch * 
chromium-77-gcc-include.patch * chromium-77-gcc-no-opt-safe-math.patch * chromium-77-no-cups.patch * chromium-77-std-string.patch * chromium-77-system-hb.patch * chromium-77.0.3865.120.tar.xz * chromium-77.0.3865.75-certificate-transparency.patch - Rebase patches: * chromium-system-icu.patch * chromium-unbundle-zlib.patch * chromium-vaapi-fix.patch * chromium-vaapi.patch * old-libva.patch At revision 0ad55cb9e188d5926db26003b443eec9. ------------------------------------------------------------------- Fri Oct 18 09:37:21 UTC 2019 - Stasiek Michalski <hellcp@mailbox.org> - Use internal resources for icon and appdata ------------------------------------------------------------------- Fri Oct 11 08:05:49 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 77.0.3865.120 bsc#1153660: * CVE-2019-13693: Use-after-free in IndexedDB * CVE-2019-13694: Use-after-free in WebRTC * CVE-2019-13695: Use-after-free in audio * CVE-2019-13696: Use-after-free in V8 * CVE-2019-13697: Cross-origin size leak. 
* Various fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Thu Sep 19 12:55:15 UTC 2019 - Jan Ritzerfeld <suse@bugs.jan.ritzerfeld.org> - Added patch chromium-vaapi-fix.patch again to fix boo#1146219 ------------------------------------------------------------------- Wed Sep 18 19:45:29 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de> - update to chromium 77.0.3865.90 boo#1151229: * CVE-2019-13685: Use-after-free in UI * CVE-2019-13688: Use-after-free in media * CVE-2019-13687: Use-after-free in media * CVE-2019-13686: Use-after-free in offline pages ------------------------------------------------------------------- Mon Sep 16 09:11:11 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Add patch from Fedora for cert transparency: * chromium-77.0.3865.75-certificate-transparency.patch ------------------------------------------------------------------- Mon Sep 16 08:06:10 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Add patches from gentoo: * chromium-77-clang.patch * chromium-77-gcc-no-opt-safe-math.patch * chromium-77-no-cups.patch * chromium-77-std-string.patch ------------------------------------------------------------------- Thu Sep 12 10:29:13 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update patch old-libva.patch to build on openSUSE Leap 15.0 ------------------------------------------------------------------- Thu Sep 12 08:34:01 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to chromium 77.0.3865.75 bsc#1150425: * CVE-2019-5870: Use-after-free in media * CVE-2019-5871: Heap overflow in Skia * CVE-2019-5872: Use-after-free in Mojo * CVE-2019-5874: External URIs may trigger other browsers * CVE-2019-5875: URL bar spoof via download redirect * CVE-2019-5876: Use-after-free in media * CVE-2019-5877: Out-of-bounds access in V8 * CVE-2019-5878: Use-after-free in V8 * CVE-2019-5879: Extension can bypass same origin policy * CVE-2019-5880: SameSite cookie bypass * 
CVE-2019-5881: Arbitrary read in SwiftShader * CVE-2019-13659: URL spoof * CVE-2019-13660: Full screen notification overlap * CVE-2019-13661: Full screen notification spoof * CVE-2019-13662: CSP bypass * CVE-2019-13663: IDN spoof * CVE-2019-13664: CSRF bypass * CVE-2019-13665: Multiple file download protection bypass * CVE-2019-13666: Side channel using storage size estimate * CVE-2019-13667: URI bar spoof when using external app URIs * CVE-2019-13668: Global window leak via console * CVE-2019-13669: HTTP authentication spoof * CVE-2019-13670: V8 memory corruption in regex * CVE-2019-13671: Dialog box fails to show origin * CVE-2019-13673: Cross-origin information leak using devtools * CVE-2019-13674: IDN spoofing * CVE-2019-13675: Extensions can be disabled by trailing slash * CVE-2019-13676: Google URI shown for certificate warning * CVE-2019-13677: Chrome web store origin needs to be isolated * CVE-2019-13678: Download dialog spoofing * CVE-2019-13679: User gesture needed for printing * CVE-2019-13680: IP address spoofing to servers * CVE-2019-13681: Bypass on download restrictions * CVE-2019-13682: Site isolation bypass * CVE-2019-13683: Exceptions leaked by devtools - Added patches: * chromium-77-blink-include.patch * chromium-77-fix-gn-gen.patch * chromium-77-gcc-abstract.patch * chromium-77-gcc-include.patch * chromium-77-system-hb.patch * chromium-unbundle-zlib.patch - Removed merged patches: * chromium-76-gcc-ambiguous-nodestructor.patch * chromium-76-gcc-blink-constexpr.patch * chromium-76-gcc-blink-namespace1.patch * chromium-76-gcc-blink-namespace2.patch * chromium-76-gcc-gl-init.patch * chromium-76-gcc-include.patch * chromium-76-gcc-noexcept.patch * chromium-76-gcc-private.patch * chromium-76-gcc-pure-virtual.patch * chromium-76-gcc-uint32.patch * chromium-76-gcc-vulkan.patch * chromium-76-quiche.patch * chromium-angle-inline.patch * chromium-fix-char_traits.patch * chromium-skia-aarch64-buildfix.patch * chromium-vaapi-fix.patch * 
gcc-lto-rsp-clobber.patch - Refreshed patches: * chromium-prop-codecs.patch * chromium-system-icu.patch * chromium-vaapi.patch * old-libva.patch ------------------------------------------------------------------- Tue Sep 3 12:52:13 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 76.0.3809.132 bsc#1149143 CVE-2019-5869: * CVE-2019-5869: Use-after-free in Blink * Various fixes from internal audits, fuzzing and other initiatives - Refresh patch chromium-76-gcc-ambiguous-nodestructor.patch ------------------------------------------------------------------- Mon Aug 19 17:44:00 UTC 2019 - Jan Ritzerfeld <suse@bugs.jan.ritzerfeld.org> - Added patch chromium-vaapi-fix.patch to fix boo#1146219 ------------------------------------------------------------------- Mon Aug 12 10:25:15 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 76.0.3809.100 bsc#1145242: * CVE-2019-5868: Use-after-free in PDFium ExecuteFieldAction * CVE-2019-5867: Out-of-bounds read in V8 ------------------------------------------------------------------- Thu Aug 8 07:27:14 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Add patches to fix few compilation issues: * chromium-angle-inline.patch * chromium-fix-char_traits.patch bsc#1144625 - Remove not properly applying old-glibc patch: * chromium-old-glibc.patch - Disable various gcc warnings as upstream does not care and it just bloats the buildlog (from debian) ------------------------------------------------------------------- Fri Aug 2 08:41:33 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 76.0.3809.87 bsc#1143492: * CVE-2019-5850: Use-after-free in offline page fetcher * CVE-2019-5860: Use-after-free in PDFium * CVE-2019-5853: Memory corruption in regexp length check * CVE-2019-5851: Use-after-poison in offline audio context * CVE-2019-5859: res: URIs can load alternative browsers * CVE-2019-5856: Insufficient checks on filesystem: URI permissions * CVE-2019-5855: Integer overflow in PDFium * CVE-2019-5865: Site isolation 
bypass from compromised renderer * CVE-2019-5858: Insufficient filtering of Open URL service parameters * CVE-2019-5864: Insufficient port filtering in CORS for extensions * CVE-2019-5862: AppCache not robust to compromised renderers * CVE-2019-5861: Click location incorrectly checked * CVE-2019-5857: Comparison of -0 and null yields crash * CVE-2019-5854: Integer overflow in PDFium text rendering * CVE-2019-5852: Object leak of utility functions * Various fixes from internal audits, fuzzing and other initiatives * Not affected: + CVE-2019-5863: Use-after-free in WebUSB on Windows - Added patches: * chromium-76-gcc-ambiguous-nodestructor.patch * chromium-76-gcc-blink-constexpr.patch * chromium-76-gcc-blink-namespace1.patch * chromium-76-gcc-blink-namespace2.patch * chromium-76-gcc-gl-init.patch * chromium-76-gcc-include.patch * chromium-76-gcc-noexcept.patch * chromium-76-gcc-private.patch * chromium-76-gcc-pure-virtual.patch * chromium-76-gcc-uint32.patch * chromium-76-gcc-vulkan.patch * chromium-76-quiche.patch - Removed patches: * chromium-non-void-return.patch * chromium-75.0.3770.80-SIOCGSTAMP.patch * chromium-75.0.3770.80-pure-virtual-crash-fix.patch * chromium-gcc.patch * chromium-renderprocess-crash.patch * chromium-skia-system-fontconfig.patch - Refreshed patches: * chromium-dma-buf.patch * chromium-drm.patch * chromium-libusb_interrupt_event_handler.patch * chromium-skia-aarch64-buildfix.patch * chromium-system-icu.patch * chromium-vaapi.patch * old-libva.patch ------------------------------------------------------------------- Tue Jul 30 12:47:02 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Do not use lto flags from prjconf, we need to set them using gn buildsystem ------------------------------------------------------------------- Tue Jul 30 10:07:34 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Drop patch chromium-non-void-return.patch and just pass a cxxflags disabler for the check ------------------------------------------------------------------- 
Wed Jul 17 08:31:56 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update gcc-enable-lto.patch to work on systems without the lto ------------------------------------------------------------------- Tue Jul 16 14:26:18 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 75.0.3770.142 bsc#1141649: * CVE-2019-5847: V8 sealed/frozen elements cause crash * CVE-2019-5848: Font sizes may expose sensitive information - Add patch chromium-renderprocess-crash.patch to hopefully fix bsc#1141102 ------------------------------------------------------------------- Tue Jul 2 08:55:22 UTC 2019 - Martin Liška <mliska@suse.cz> - Enable LTO for x86_64 - add gcc-enable-lto.patch and gcc-lto-rsp-clobber.patch patches. ------------------------------------------------------------------- Tue Jul 2 07:35:44 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Install manpage ------------------------------------------------------------------- Wed Jun 19 11:55:13 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 75.0.3770.100: * This is just feature fixes update ------------------------------------------------------------------- Fri Jun 14 10:56:48 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 75.0.3770.90 bsc#1137332 bsc#1138287: * CVE-2019-5842: Use-after-free in Blink. 
------------------------------------------------------------------- Tue Jun 11 06:47:26 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Fix build with kernel 5.2 and avoid runtime crash due to pure virtual declaration: * chromium-75.0.3770.80-SIOCGSTAMP.patch * chromium-75.0.3770.80-pure-virtual-crash-fix.patch ------------------------------------------------------------------- Sat Jun 8 06:53:44 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update old-libva.patch to make sure we build on Leap 42.3 ------------------------------------------------------------------- Fri Jun 7 19:49:23 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 75.0.3770.80 bsc#1137332: * CVE-2019-5828: Use after free in ServiceWorker * CVE-2019-5829: Use after free in Download Manager * CVE-2019-5830: Incorrectly credentialed requests in CORS * CVE-2019-5831: Incorrect map processing in V8 * CVE-2019-5832: Incorrect CORS handling in XHR * CVE-2019-5833: Inconsistent security UI placement * CVE-2019-5835: Out of bounds read in Swiftshader * CVE-2019-5836: Heap buffer overflow in Angle * CVE-2019-5837: Cross-origin resources size disclosure in Appcache * CVE-2019-5838: Overly permissive tab access in Extensions * CVE-2019-5839: Incorrect handling of certain code points in Blink * CVE-2019-5840: Popup blocker bypass * Various fixes from internal audits, fuzzing and other initiatives * CVE-2019-5834: URL spoof in Omnibox on iOS - Remove merged patchsets: * 00-basevalue.patch * 01-basevalue.patch * 02-basevalue.patch * 03-basevalue.patch * 04-basevalue.patch * 05-basevalue.patch * 06-basevalue.patch * chromium-fix-crc32-for-aarch64.patch * quic.patch - Update patches: * chromium-gcc.patch * chromium-non-void-return.patch * chromium-vaapi.patch * old-libva.patch ------------------------------------------------------------------- Tue May 28 07:48:51 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 74.0.3729.169: * Feature fixes update only 
------------------------------------------------------------------- Sun May 19 09:53:53 UTC 2019 - Andreas Stieger <andreas.stieger@gmx.de> - Update to 74.0.3729.157: * Various security fixes from internal audits, fuzzing and other initiatives - includes security fixes from 74.0.3729.131 (boo#1134218): * CVE-2019-5827: Out-of-bounds access in SQLite * CVE-2019-5824: Parameter passing error in media player ------------------------------------------------------------------- Tue May 7 09:18:05 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org> - Add patch to fix build on aarch64: * chromium-fix-crc32-for-aarch64.patch ------------------------------------------------------------------- Tue Apr 30 09:04:56 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 74.0.3729.108 bsc#1133313: * CVE-2019-5805: Use after free in PDFium * CVE-2019-5806: Integer overflow in Angle * CVE-2019-5807: Memory corruption in V8 * CVE-2019-5808: Use after free in Blink * CVE-2019-5809: Use after free in Blink * CVE-2019-5810: User information disclosure in Autofill * CVE-2019-5811: CORS bypass in Blink * CVE-2019-5813: Out of bounds read in V8 * CVE-2019-5814: CORS bypass in Blink * CVE-2019-5815: Heap buffer overflow in Blink * CVE-2019-5818: Uninitialized value in media reader * CVE-2019-5819: Incorrect escaping in developer tools * CVE-2019-5820: Integer overflow in PDFium * CVE-2019-5821: Integer overflow in PDFium * CVE-2019-5822: CORS bypass in download manager * CVE-2019-5823: Forced navigation from service worker * CVE-2019-5812: URL spoof in Omnibox on iOS * CVE-2019-5816: Exploit persistence extension on Android * CVE-2019-5817: Heap buffer overflow in Angle on Windows - Add patches: * 00-basevalue.patch * 01-basevalue.patch * 02-basevalue.patch * 03-basevalue.patch * 04-basevalue.patch * 05-basevalue.patch * 06-basevalue.patch * old-libva.patch * quic.patch - Remove patches: * chromium-73.0.3683.75-pipewire-cstring-fix.patch * chromium-fix_crashpad.patch * 
chromium-fix_swiftshader.patch * chromium-old-libva.patch - Rebase patches: * chromium-gcc.patch * chromium-non-void-return.patch * chromium-old-glibc.patch ------------------------------------------------------------------- Fri Apr 5 08:47:35 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 73.0.3686.103: * Various feature fixes ------------------------------------------------------------------- Mon Mar 25 13:49:17 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Add patch for pipewire build: * chromium-73.0.3683.75-pipewire-cstring-fix.patch ------------------------------------------------------------------- Mon Mar 25 10:54:06 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 73.0.3683.86: * Just feature fixes around - Refresh patch: * chromium-non-void-return.patch ------------------------------------------------------------------- Thu Mar 21 11:00:28 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update conditions to use system harfbuzz on TW+ - Require java during build - Enable using pipewire when available - Rebase chromium-vaapi.patch to match up the Fedora one ------------------------------------------------------------------- Wed Mar 13 10:19:38 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 73.0.3683.75 bsc#1129059: * CVE-2019-5844 CVE-2019-5845 CVE-2019-5846 * CVE-2019-5787: Use after free in Canvas. * CVE-2019-5788: Use after free in FileAPI. * CVE-2019-5789: Use after free in WebMIDI. * CVE-2019-5790: Heap buffer overflow in V8. * CVE-2019-5791: Type confusion in V8. * CVE-2019-5792: Integer overflow in PDFium. * CVE-2019-5793: Excessive permissions for private API in Extensions. * CVE-2019-5794: Security UI spoofing. * CVE-2019-5795: Integer overflow in PDFium. * CVE-2019-5796: Race condition in Extensions. * CVE-2019-5797: Race condition in DOMStorage. * CVE-2019-5798: Out of bounds read in Skia. * CVE-2019-5799: CSP bypass with blob URL. * CVE-2019-5800: CSP bypass with blob URL. 
* CVE-2019-5801: Incorrect Omnibox display on iOS. * CVE-2019-5802: Security UI spoofing. * CVE-2019-5803: CSP bypass with Javascript URLs. * CVE-2019-5804: Command line command injection on Windows. - Update patches: * chromium-buildname.patch * chromium-non-void-return.patch * chromium-old-glibc.patch * chromium-old-libva.patch * chromium-vaapi.patch - Removed patches: * chromium-crashpad-fix_aarch64.patch * chromium-webrtc-includes.patch - Added patches: * chromium-gcc.patch * chromium-fix_crashpad.patch ------------------------------------------------------------------- Mon Mar 4 09:31:41 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Drop direct dependency on libgsm, we just need the devel ------------------------------------------------------------------- Sat Mar 2 14:46:23 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 72.0.3626.121: * fixes bsc#1127602 CVE-2019-5786 ------------------------------------------------------------------- Mon Feb 25 10:25:40 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 72.0.3626.119: * Feature fixes update only ------------------------------------------------------------------- Wed Feb 20 14:07:27 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 72.0.3626.109 bsc#1120892 CVE-2018-20073: * This is just feature fixes update ------------------------------------------------------------------- Mon Feb 11 08:42:01 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 72.0.3626.96 bsc#1124936: * CVE-2019-5784: Inappropriate implementation in V8 ------------------------------------------------------------------- Mon Feb 11 04:35:53 UTC 2019 - Simon Lees <sflees@suse.de> - Provide web_browser so chromium can be installed instead of firefox. ------------------------------------------------------------------- Wed Jan 30 08:58:19 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Update to 72.0.3626.81 bsc#1123641: * CVE-2019-5754: Inappropriate implementation in QUIC Networking. 
Reported by Klzgrad on 2018-12-12 * CVE-2019-5782: Inappropriate implementation in V8. Reported by Qixun Zhao of Qihoo 360 Vulcan Team via Tianfu Cup on 2018-11-16 * CVE-2019-5755: Inappropriate implementation in V8. Reported by Jay Bosamiya on 2018-12-10 * CVE-2019-5756: Use after free in PDFium. Reported by Anonymous on 2018-10-14 * CVE-2019-5757: Type Confusion in SVG. Reported by Alexandru Pitis, Microsoft Browser Vulnerability Research on 2018-12-15 * CVE-2019-5758: Use after free in Blink. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-11 * CVE-2019-5759: Use after free in HTML select elements. Reported by Almog Benin on 2018-12-05 * CVE-2019-5760: Use after free in WebRTC. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-12-05 * CVE-2019-5761: Use after free in SwiftShader. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-13 * CVE-2019-5762: Use after free in PDFium. Reported by Anonymous on 2018-10-31 * CVE-2019-5763: Insufficient validation of untrusted input in V8. Reported by Guang Gong of Alpha Team, Qihoo 360 on 2018-12-13 * CVE-2019-5764: Use after free in WebRTC. Reported by Eyal Itkin from Check Point Software Technologies on 2018-12-09 * CVE-2019-5765: Insufficient policy enforcement in the browser. Reported by Sergey Toshin (@bagipro) on 2019-01-16 * CVE-2019-5766: Insufficient policy enforcement in Canvas. Reported by David Erceg on 2018-11-20 * CVE-2019-5767: Incorrect security UI in WebAPKs. Reported by Haoran Lu, Yifan Zhang, Luyi Xing, and Xiaojing Liao from Indiana University Bloomington on 2018-11-06 * CVE-2019-5768: Insufficient policy enforcement in DevTools. Reported by Rob Wu on 2018-01-24 * CVE-2019-5769: Insufficient validation of untrusted input in Blink. 
Reported by Guy Eshel on 2018-12-11 * CVE-2019-5770: Heap buffer overflow in WebGL. Reported by hemidallt@ on 2018-11-27 * CVE-2019-5771: Heap buffer overflow in SwiftShader. Reported by Zhe Jin(金哲),Luyao Liu(刘路遥) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd on 2018-11-12 * CVE-2019-5772: Use after free in PDFium. Reported by Zhen Zhou of NSFOCUS Security Team on 2018-11-26 * CVE-2019-5773: Insufficient data validation in IndexedDB. Reported by Yongke Wang of Tencent's Xuanwu Lab (xlab.tencent.com) on 2018-12-24 * CVE-2019-5774: Insufficient validation of untrusted input in SafeBrowsing. Reported by Junghwan Kang (ultract) and Juno Im on 2018-11-11 * CVE-2019-5775: Insufficient policy enforcement in Omnibox. Reported by evi1m0 of Bilibili Security Team on 2018-10-18 * CVE-2019-5776: Insufficient policy enforcement in Omnibox. Reported by Lnyas Zhang on 2018-07-14 * CVE-2019-5777: Insufficient policy enforcement in Omnibox. Reported by Khalil Zhani on 2018-06-04 * CVE-2019-5778: Insufficient policy enforcement in Extensions. Reported by David Erceg on 2019-01-02 * CVE-2019-5779: Insufficient policy enforcement in ServiceWorker. Reported by David Erceg on 2018-11-11 * CVE-2019-5780: Insufficient policy enforcement. Reported by Andreas Hegenberg (folivora.AI GmbH) on 2018-10-03 * CVE-2019-5781: Insufficient policy enforcement in Omnibox. 
Reported by evi1m0 of Bilibili Security Team on 2018-10-18 - Added patches: * chromium-crashpad-fix_aarch64.patch * chromium-fix_swiftshader.patch * chromium-webrtc-includes.patch - Obsoleted patches: * chromium-gcc8-alignof.patch * chromium-initialize-list.patch - Updated patches: * chromium-dma-buf.patch * chromium-non-void-return.patch * chromium-skia-system-fontconfig.patch * chromium-system-icu.patch * chromium-vaapi.patch - Try to reduce constraints to avoid being so much just in scheduled state ------------------------------------------------------------------- Wed Jan 2 08:30:23 UTC 2019 - Tomáš Chvátal <tchvatal@suse.com> - Tweak fix_building_widevinecdm_with_chromium.patch to make it work again bsc#1120429 ------------------------------------------------------------------- Fri Dec 14 08:51:26 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org> - Update %arm build, but keep it disabled for now, as ld requires lots of RAM ------------------------------------------------------------------- Thu Dec 13 11:22:25 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Version update to 71.0.3578.98 bsc#1119364: * CVE-2018-17481: Use after free in PDFium - Redo chromium-old-libva.patch ------------------------------------------------------------------- Fri Dec 7 14:32:25 UTC 2018 - Guillaume GARDET <guillaume.gardet@opensuse.org> - Increase %limit_build value to avoid OOM ------------------------------------------------------------------- Thu Dec 6 14:13:10 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Add patch to build on Leap 42.x: * chromium-old-libva.patch ------------------------------------------------------------------- Thu Dec 6 08:41:53 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Version update to 71.0.3578.80 bsc#1118529: - CVE-2018-17480: Out of bounds write in V8 - CVE-2018-17481: Use after frees in PDFium - CVE-2018-18335: Heap buffer overflow in Skia - CVE-2018-18336: Use after free in PDFium - CVE-2018-18337: Use after free in Blink - 
CVE-2018-18338: Heap buffer overflow in Canvas - CVE-2018-18339: Use after free in WebAudio - CVE-2018-18340: Use after free in MediaRecorder - CVE-2018-18341: Heap buffer overflow in Blink - CVE-2018-18342: Out of bounds write in V8 - CVE-2018-18343: Use after free in Skia - CVE-2018-18344: Inappropriate implementation in Extensions - Multiple issues in SQLite via WebSQL - CVE-2018-18345: Inappropriate implementation in Site Isolation - CVE-2018-18346: Incorrect security UI in Blink - CVE-2018-18347: Inappropriate implementation in Navigation - CVE-2018-18348: Inappropriate implementation in Omnibox - CVE-2018-18349: Insufficient policy enforcement in Blink - CVE-2018-18350: Insufficient policy enforcement in Blink - CVE-2018-18351: Insufficient policy enforcement in Navigation - CVE-2018-18352: Inappropriate implementation in Media - CVE-2018-18353: Inappropriate implementation in Network Authentication - CVE-2018-18354: Insufficient data validation in Shell Integration - CVE-2018-18355: Insufficient policy enforcement in URL Formatter - CVE-2018-18356: Use after free in Skia - CVE-2018-18357: Insufficient policy enforcement in URL Formatter - CVE-2018-18358: Insufficient policy enforcement in Proxy. 
- CVE-2018-18359: Out of bounds read in V8 - Inappropriate implementation in PDFium - Use after free in Extensions - Inappropriate implementation in Navigation - Insufficient policy enforcement in Navigation - Insufficient policy enforcement in URL Formatter - Various fixes from internal audits, fuzzing and other initiatives - Updated/refreshed patches: * fix_building_widevinecdm_with_chromium.patch * chromium-vaapi.patch * chromium-skia-aarch64-buildfix.patch * chromium-prop-codecs.patch * chromium-non-void-return.patch - Removed patches: * chromium-gcc8-constexpr.patch * chromium-libva1.patch * chromium-pdfium-include.patch * chromium-warnings.patch - Added patches: * chromium-initialize-list.patch ------------------------------------------------------------------- Wed Nov 21 09:09:28 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Version update to 70.0.3538.110 bsc#1116608: * CVE-2018-17479: Use-after-free in GPU ------------------------------------------------------------------- Wed Nov 14 09:42:33 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Version update to 70.0.3538.102 bsc#1115537 CVE-2018-17478 * CVE-2018-17478: Out of bounds memory access in V8 ------------------------------------------------------------------- Sat Nov 3 21:18:07 UTC 2018 - Yunhe Guo <i@guoyunhe.me> - Remove noto-emoji-fonts recommends. noto-emoji-fonts has been inactive for a long time. noto-coloremoji-fonts is the current recommended emoji fonts from noto. And noto-emoji-fonts (monochrome) disables noto-coloremoji-fonts (colorful). 
------------------------------------------------------------------- Thu Oct 25 09:07:47 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Update to 70.0.3538.77: * Few feature fixes only - Do not mention armv6 and armv7 in the constraints - Update patch chromium-non-void-return.patch ------------------------------------------------------------------- Mon Oct 22 11:43:26 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Add patch trying to get the pkg to build with libva 1.x releases: * chromium-libva1.patch - Update chromium-old-glibc.patch to contain more tweaked locations ------------------------------------------------------------------- Fri Oct 19 12:43:06 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Add back chromium-old-glibc.patch to make sure we build on 42.3 - Reduce the merge number on jumbo files to reduce memory usage a bit ------------------------------------------------------------------- Fri Oct 19 09:58:46 UTC 2018 - astieger@suse.com - remove trigger word from spec that trips up legal-auto ------------------------------------------------------------------- Wed Oct 17 08:07:37 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Update to 70.0.3538.67 bsc#1112111: * CVE-2018-17462: Sandbox escape in AppCache * CVE-2018-17463: Remote code execution in V8 * CVE to be assigned: Heap buffer overflow in Little CMS in PDFium * CVE-2018-17464: URL spoof in Omnibox * CVE-2018-17465: Use after free in V8 * CVE-2018-17466: Memory corruption in Angle * CVE-2018-17467: URL spoof in Omnibox * CVE-2018-17468: Cross-origin URL disclosure in Blink * CVE-2018-17469: Heap buffer overflow in PDFium * CVE-2018-17470: Memory corruption in GPU Internals * CVE-2018-17471: Security UI occlusion in full screen mode * CVE-2018-17472: iframe sandbox escape on iOS * CVE-2018-17473: URL spoof in Omnibox * CVE-2018-17474: Use after free in Blink * CVE-2018-17475: URL spoof in Omnibox * CVE-2018-17476: Security UI occlusion in full screen mode * CVE-2018-5179: Lack of limits on update() in 
ServiceWorker * CVE-2018-17477: UI spoof in Extensions - Added patches: * chromium-gcc8-constexpr.patch * chromium-libusb_interrupt_event_handler.patch * chromium-pdfium-include.patch * chromium-system-libusb.patch - Removed patches: * chromium-old-glibc.patch * chromium-vpx-aarch64.patch - Updated patches: * chromium-gcc8-alignof.patch * chromium-non-void-return.patch * chromium-prop-codecs.patch * chromium-sandbox-pie.patch * chromium-skia-system-fontconfig.patch * chromium-vaapi.patch - Redo the vaapi patch to be default on as there are no reports of issues with it - Use system libusb-1.0 - Use jumbo build to speed things up - Use bundled harfbuzz because we need newer than latest release - Disable gnome-keyring as it crashes the chromium quite often ------------------------------------------------------------------- Tue Sep 18 09:29:55 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Keep blank line after autopatch to make SLE12 rpm macros happy ------------------------------------------------------------------- Tue Sep 18 07:27:09 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Update to 69.0.3497.100 bsc#1108774 * Fixes from internal audits, fuzzing and other initiatives ------------------------------------------------------------------- Wed Sep 12 12:52:08 UTC 2018 - astieger@suse.com - Chromium 69.0.3497.92 (boo#1108114), containing 2 security fixes: * Function signature mismatch in WebAssembly * URL Spoofing in Omnibox - the rpm should not provide swiftshader libs boo#1108175 - make jumbo build configurable, default off ------------------------------------------------------------------- Sat Sep 8 11:12:43 UTC 2018 - tchvatal@suse.com - Enable jumbo build to speed things up - Enable vulkan integration ------------------------------------------------------------------- Thu Sep 6 13:27:18 UTC 2018 - tchvatal@suse.com - Add patch to fix mojo build on 32bit: * chromium-gcc8-alignof.patch ------------------------------------------------------------------- Thu Sep 6 
09:13:49 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Split out the gn from this package, obsoletes patches: * fix-gn-bootstrap.patch * chromium-last-commit-position-r0.patch ------------------------------------------------------------------- Thu Sep 6 09:09:57 UTC 2018 - Tomáš Chvátal <tchvatal@suse.com> - Version update to 69.0.3497.81 bsc#1107235: * CVE-2018-16065: Out of bounds write in V8 * CVE-2018-16066: Out of bounds read in Blink * CVE-2018-16067: Out of bounds read in WebAudio * CVE-2018-16068: Out of bounds write in Mojo * CVE-2018-16069: Out of bounds read in SwiftShader * CVE-2018-16070: Integer overflow in Skia * CVE-2018-16071: Use after free in WebRTC * CVE-2018-16073: Site Isolation bypass after tab restore * CVE-2018-16074: Site Isolation bypass using Blob URLS * Out of bounds read in Little-CMS * CVE-2018-16075: Local file access in Blink * CVE-2018-16076: Out of bounds read in PDFium * CVE-2018-16077: Content security policy bypass in Blink * CVE-2018-16078: Credit card information leak in Autofill * CVE-2018-16079: URL spoof in permission dialogs * CVE-2018-16080: URL spoof in full screen mode * CVE-2018-16081: Local file access in DevTools * CVE-2018-16082: Stack buffer overflow in SwiftShader * CVE-2018-16083: Out of bounds read in WebRTC * CVE-2018-16084: User confirmation bypass in external protocol handling * CVE-2018-16085: Use after free in Memory Instrumentation * CVE-2018-16086: Script injection in New Tab Page. * CVE-2018-16087: Multiple download restriction bypass. * CVE-2018-16088: User gesture requirement bypass. 
- Added patches: * chromium-old-glibc.patch * chromium-system-icu.patch * chromium-warnings.patch - Removed patches: * chromium-cors-string.patch * chromium-crashpad-aarch64-fix.patch * chromium-ffmpeg.patch * chromium-gcc.patch * chromium-gcc7.patch * chromium-libjpeg.patch * chromium-libwebp-shim.patch - Rebased patches: * chromium-last-commit-position-r0.patch * chromium-non-void-return.patch * chromium-sandbox-pie.patch * chromium-skia-system-fontconfig.patch * chromium-vaapi.patch ------------------------------------------------------------------- Wed Aug 8 21:14:43 UTC 2018 - tchvatal@suse.com - Update to chromium-68.0.3440.106: * Various feature fixes ------------------------------------------------------------------- Wed Aug 1 10:12:25 UTC 2018 - tchvatal@suse.com - Version update to 68.0.3440.84: * Various small feature fixes only ------------------------------------------------------------------- Wed Jul 25 15:56:24 UTC 2018 - guillaume.gardet@opensuse.org - Add patch to fix aarch64 build: * chromium-vpx-aarch64.patch ------------------------------------------------------------------- Wed Jul 25 14:29:16 UTC 2018 - tchvatal@suse.com - Add patch trying to build chromium on Leap 42.3: * chromium-gcc7.patch ------------------------------------------------------------------- Wed Jul 25 13:08:17 UTC 2018 - tchvatal@suse.com - Raise libvpx requirement to match what we really need ------------------------------------------------------------------- Wed Jul 25 09:53:23 UTC 2018 - tchvatal@suse.com - Version update to 68.0.3440.75 bsc#1102530: * CVE-2018-6153: Stack buffer overflow in Skia. * CVE-2018-6154: Heap buffer overflow in WebGL. * CVE-2018-6155: Use after free in WebRTC. * CVE-2018-6156: Heap buffer overflow in WebRTC. * CVE-2018-6157: Type confusion in WebRTC. * CVE-2018-6158: Use after free in Blink. * CVE-2018-6159: Same origin policy bypass in ServiceWorker. * CVE-2018-6160: URL spoof in Chrome on iOS. 
  * CVE-2018-6161: Same origin policy bypass in WebAudio.
  * CVE-2018-6162: Heap buffer overflow in WebGL.
  * CVE-2018-6163: URL spoof in Omnibox.
  * CVE-2018-6164: Same origin policy bypass in ServiceWorker.
  * CVE-2018-6165: URL spoof in Omnibox.
  * CVE-2018-6166: URL spoof in Omnibox.
  * CVE-2018-6167: URL spoof in Omnibox.
  * CVE-2018-6168: CORS bypass in Blink.
  * CVE-2018-6169: Permissions bypass in extension installation.
  * CVE-2018-6170: Type confusion in PDFium.
  * CVE-2018-6171: Use after free in WebBluetooth.
  * CVE-2018-6172: URL spoof in Omnibox.
  * CVE-2018-6173: URL spoof in Omnibox.
  * CVE-2018-6174: Integer overflow in SwiftShader.
  * CVE-2018-6175: URL spoof in Omnibox.
  * CVE-2018-6176: Local user privilege escalation in Extensions.
  * CVE-2018-6177: Cross origin information leak in Blink.
  * CVE-2018-6178: UI spoof in Extensions.
  * CVE-2018-6179: Local file information leak in Extensions.
  * CVE-2018-6044: Request privilege escalation in Extensions.
  * CVE-2018-4117: Cross origin information leak in Blink.
- Rebase patches:
  * chromium-master-prefs-path.patch
  * chromium-non-void-return.patch
  * chromium-vaapi.patch
- Add patches:
  * chromium-cors-string.patch
  * chromium-gcc.patch
  * chromium-libjpeg.patch
  * chromium-libwebp-shim.patch
- Remove patches:
  * chromium-gcc8.patch

-------------------------------------------------------------------
Tue Jul 10 11:40:21 UTC 2018 - tchvatal@suse.com

- Version update to 67.0.3396.99:
  * Various small feature fixes, no security

-------------------------------------------------------------------
Fri Jun 15 19:51:32 UTC 2018 - tchvatal@suse.com

- Add patch to build under gcc8:
  * chromium-gcc8.patch

-------------------------------------------------------------------
Wed Jun 13 09:26:43 UTC 2018 - security@suse.com

- Chromium 67.0.3396.87:
  * CVE-2018-6149: Out of bounds write in V8 (boo#1097452)

-------------------------------------------------------------------
Thu Jun 7 12:23:26 UTC 2018 - astieger@suse.com

- Chromium 67.0.3396.79:
  * CVE-2018-6148: Incorrect handling of CSP header (boo#1096508)

-------------------------------------------------------------------
Fri Jun 1 17:45:46 UTC 2018 - tchvatal@suse.com

- Require ffmpeg >= 4.0 bsc#1095545

-------------------------------------------------------------------
Wed May 30 11:18:13 UTC 2018 - tchvatal@suse.com

- Update to 67.0.3396.62 bsc#1095163
  * CVE-2018-6123: Use after free in Blink.
  * CVE-2018-6124: Type confusion in Blink.
  * CVE-2018-6125: Overly permissive policy in WebUSB.
  * CVE-2018-6126: Heap buffer overflow in Skia.
  * CVE-2018-6127: Use after free in indexedDB.
  * CVE-2018-6128: uXSS in Chrome on iOS.
  * CVE-2018-6129: Out of bounds memory access in WebRTC.
  * CVE-2018-6130: Out of bounds memory access in WebRTC.
  * CVE-2018-6131: Incorrect mutability protection in WebAssembly.
  * CVE-2018-6132: Use of uninitialized memory in WebRTC.
  * CVE-2018-6133: URL spoof in Omnibox.
  * CVE-2018-6134: Referrer Policy bypass in Blink.
  * CVE-2018-6135: UI spoofing in Blink.
  * CVE-2018-6136: Out of bounds memory access in V8.
  * CVE-2018-6137: Leak of visited status of page in Blink.
  * CVE-2018-6138: Overly permissive policy in Extensions.
  * CVE-2018-6139: Restrictions bypass in the debugger extension API.
  * CVE-2018-6140: Restrictions bypass in the debugger extension API.
  * CVE-2018-6141: Heap buffer overflow in Skia.
  * CVE-2018-6142: Out of bounds memory access in V8.
  * CVE-2018-6143: Out of bounds memory access in V8.
  * CVE-2018-6144: Out of bounds memory access in PDFium.
  * CVE-2018-6145: Incorrect escaping of MathML in Blink.
  * CVE-2018-6147: Password fields not taking advantage of OS protections in Views.
- Add patches to build on aarch and remove obsolete one:
  * chromium-crashpad-aarch64-fix.patch
  * chromium-skia-aarch64-buildfix.patch
  * chromium-65.0.3325.162-skia-aarch64-buildfix.patch
  * chromium-skia-neon.patch
- Remove no longer needed gcc patch:
  * chromium-gcc7.patch
- Rebase patches:
  * chromium-non-void-return.patch
  * chromium-vaapi.patch
  * exclude_ymp.patch
  * fix_building_widevinecdm_with_chromium.patch

-------------------------------------------------------------------
Sat May 26 23:01:20 UTC 2018 - astieger@suse.com

- on SLE 12 with SUSE PackageHub 12, do not require the SDK for libwebpmux1 (bsc#1070421)

-------------------------------------------------------------------
Sat May 26 07:08:04 UTC 2018 - astieger@suse.com

- Fix installation issue on SUSE PackageHub 12 with libminizip1 (bsc#1093031)

-------------------------------------------------------------------
Wed May 16 07:05:32 UTC 2018 - astieger@suse.com

- Chromium 66.0.3359.181:
  * Autoplay: Force enable on desktop for Web Audio

-------------------------------------------------------------------
Fri May 11 12:10:44 UTC 2018 - astieger@suse.com

- Chromium 66.0.3359.170 (bsc#1092923):
  * Chain leading to sandbox escape:
    CVE-2018-6121: Privilege Escalation in extensions
    CVE-2018-6122: Type confusion in V8
  * CVE-2018-6120: Heap buffer overflow in PDFium
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Wed May 9 08:36:30 UTC 2018 - tchvatal@suse.com

- Add patch chromium-skia-system-fontconfig.patch to fix bsc#1092272

-------------------------------------------------------------------
Fri May 4 06:53:49 UTC 2018 - guillaume.gardet@opensuse.org

- Enable build on AArch64
- Fix build on AArch64:
  * set target_cpu to arm64
  * disable tcmalloc and swiftshader for aarch64
  * Add new patches:
    - chromium-65.0.3325.162-skia-aarch64-buildfix.patch
    - chromium-skia-neon.patch

-------------------------------------------------------------------
Fri Apr 27 08:22:18 UTC 2018 - tchvatal@suse.com

- chromium 66.0.3359.139:
  * CVE-2018-6118: Use after free in Media Cache (bsc#1091288)
  * drop add-missing-blink-tools.patch, now in tarball again

-------------------------------------------------------------------
Wed Apr 18 09:14:21 UTC 2018 - tchvatal@suse.com

- Version bump to chromium 66.0.3359.117 bsc#1090000:
  * CVE-2018-6085: Use after free in Disk Cache
  * CVE-2018-6086: Use after free in Disk Cache
  * CVE-2018-6087: Use after free in WebAssembly
  * CVE-2018-6088: Use after free in PDFium
  * CVE-2018-6089: Same origin policy bypass in Service Worker
  * CVE-2018-6090: Heap buffer overflow in Skia
  * CVE-2018-6091: Incorrect handling of plug-ins by Service Worker
  * CVE-2018-6092: Integer overflow in WebAssembly
  * CVE-2018-6093: Same origin bypass in Service Worker
  * CVE-2018-6094: Exploit hardening regression in Oilpan
  * CVE-2018-6095: Lack of meaningful user interaction requirement before file upload
  * CVE-2018-6096: Fullscreen UI spoof
  * CVE-2018-6097: Fullscreen UI spoof
  * CVE-2018-6098: URL spoof in Omnibox
  * CVE-2018-6099: CORS bypass in ServiceWorker
  * CVE-2018-6100: URL spoof in Omnibox
  * CVE-2018-6101: Insufficient protection of remote debugging protocol in DevTools
  * CVE-2018-6102: URL spoof in Omnibox
  * CVE-2018-6103: UI spoof in Permissions
  * CVE-2018-6104: URL spoof in Omnibox
  * CVE-2018-6105: URL spoof in Omnibox
  * CVE-2018-6106: Incorrect handling of promises in V8
  * CVE-2018-6107: URL spoof in Omnibox
  * CVE-2018-6108: URL spoof in Omnibox
  * CVE-2018-6109: Incorrect handling of files by FileAPI
  * CVE-2018-6110: Incorrect handling of plaintext files via file://
  * CVE-2018-6111: Heap-use-after-free in DevTools
  * CVE-2018-6112: Incorrect URL handling in DevTools
  * CVE-2018-6113: URL spoof in Navigation
  * CVE-2018-6114: CSP bypass
  * CVE-2018-6115: SmartScreen bypass in downloads
  * CVE-2018-6116: Incorrect low memory handling in WebAssembly
  * CVE-2018-6117: Confusing autofill settings
  * Various fixes from internal audits, fuzzing and other initiatives
- Remove obsolete patches:
  * chromium-compiler.patch
  * chromium-glibc-2.27.patch
  * chromium-vaapi-init.patch
  * exclude_ymp.diff
  * fix-gn-bootstrap.diff
  * fix_network_api_crash.patch
  * mojo.patch
- Add new patches:
  * chromium-ffmpeg.patch
  * chromium-gcc7.patch
  * exclude_ymp.patch
  * fix-gn-bootstrap.patch
- Rebase patches:
  * chromium-master-prefs-path.patch
  * chromium-non-void-return.patch
  * chromium-sandbox-pie.patch
  * chromium-vaapi.patch
- Add patch to fix missing folder from tarball:
  * add-missing-blink-tools.patch

-------------------------------------------------------------------
Sun Apr 8 10:49:06 UTC 2018 - tchvatal@suse.com

- Add vaapi patches:
  * chromium-vaapi-init.patch
  * chromium-vaapi.patch

-------------------------------------------------------------------
Fri Apr 6 12:54:24 UTC 2018 - tchvatal@suse.com

- Use memory-constraints package to limit threads as needed

-------------------------------------------------------------------
Wed Mar 21 06:31:27 UTC 2018 - astieger@suse.com

- Update to Chromium 65.0.3325.181:
  * Various security relevant fixes from internal audits, fuzzing and other initiatives (boo#1086124)

-------------------------------------------------------------------
Tue Mar 20 12:33:53 UTC 2018 - tchvatal@suse.com

- Use both freetype and harfbuzz either bundled or system

-------------------------------------------------------------------
Wed Mar 14 14:18:35 UTC 2018 - tchvatal@suse.com

- Version update to 65.0.3325.162:
  * Various stability fixes only

-------------------------------------------------------------------
Wed Mar 14 09:00:37 UTC 2018 - tchvatal@suse.com

- Bundle the harfbuzz on < 15.0 release as we would have to use requires_ge for the library itself later on otherwise

-------------------------------------------------------------------
Fri Mar 9 09:10:01 UTC 2018 - tchvatal@suse.com

- Make sure to require gcc7
- Add patch chromium-drm.patch to make sure to build with Leap 42.3 variant of libdrm

-------------------------------------------------------------------
Thu Mar 8 09:00:54 UTC 2018 - tchvatal@suse.com

- Version update to 65.0.3325.146 bsc#1084296:
  * High CVE-2017-11215: Use after free in Flash.
  * High CVE-2017-11225: Use after free in Flash.
  * High CVE-2018-6060: Use after free in Blink.
  * High CVE-2018-6061: Race condition in V8.
  * High CVE-2018-6062: Heap buffer overflow in Skia.
  * High CVE-2018-6057: Incorrect permissions on shared memory.
  * High CVE-2018-6063: Incorrect permissions on shared memory.
  * High CVE-2018-6064: Type confusion in V8.
  * High CVE-2018-6065: Integer overflow in V8.
  * Medium CVE-2018-6066: Same Origin Bypass via canvas.
  * Medium CVE-2018-6067: Buffer overflow in Skia.
  * Medium CVE-2018-6068: Object lifecycle issues in Chrome Custom Tab.
  * Medium CVE-2018-6069: Stack buffer overflow in Skia.
  * Medium CVE-2018-6070: CSP bypass through extensions.
  * Medium CVE-2018-6071: Heap buffer overflow in Skia.
  * Medium CVE-2018-6072: Integer overflow in PDFium.
  * Medium CVE-2018-6073: Heap buffer overflow in WebGL.
  * Medium CVE-2018-6074: Mark-of-the-Web bypass.
  * Medium CVE-2018-6075: Overly permissive cross origin downloads.
  * Medium CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink.
  * Medium CVE-2018-6077: Timing attack using SVG filters.
  * Medium CVE-2018-6078: URL Spoof in OmniBox.
  * Medium CVE-2018-6079: Information disclosure via texture data in WebGL.
  * Medium CVE-2018-6080: Information disclosure in IPC call.
  * Low CVE-2018-6081: XSS in interstitials.
  * Low CVE-2018-6082: Circumvention of port blocking.
  * Low CVE-2018-6083: Incorrect processing of AppManifests.
- Add new patches:
  * chromium-compiler.patch
  * chromium-glibc-2.27.patch
  * mojo.patch
- Drop patches:
  * chromium-angle.patch
  * chromium-memcpy.patch
- Update constraints
- Refresh patch chromium-non-void-return.patch to include more fixes

-------------------------------------------------------------------
Sat Feb 24 19:02:51 UTC 2018 - astieger@suse.com

- Chromium 64.0.3282.186:
  * Various minor bug fixes

-------------------------------------------------------------------
Wed Feb 14 08:16:34 UTC 2018 - astieger@suse.com

- update to 64.0.3282.167 (bsc#1080920):
  * CVE-2018-6056: Incorrect derived class instantiation in V8

-------------------------------------------------------------------
Fri Feb 2 11:16:23 UTC 2018 - tchvatal@suse.com

- Version update to 64.0.3282.140 bsc#1079021:
  * Various asan fixes bsc#1078463 CVE-2018-6406

-------------------------------------------------------------------
Fri Feb 2 10:43:48 UTC 2018 - dimstar@opensuse.org

- Eliminate build dependency on procps: we only used it to run 'free', in order to find out how much RAM we have available. We can get this information directly from the kernel, from /proc/meminfo.

-------------------------------------------------------------------
Mon Jan 29 13:07:38 UTC 2018 - tchvatal@suse.com

- Fix default page to not point to 404

-------------------------------------------------------------------
Mon Jan 29 12:36:31 UTC 2018 - tchvatal@suse.com

- Install swiftshader objects too as they are needed

-------------------------------------------------------------------
Fri Jan 26 10:11:22 UTC 2018 - tchvatal@suse.com

- Disable ozone stuff conditions for now as the headless mode breaks up runtime bsc#1077722

-------------------------------------------------------------------
Thu Jan 25 09:51:59 UTC 2018 - tchvatal@suse.com

- Switch to gcc7 on Leap builds

-------------------------------------------------------------------
Thu Jan 25 09:42:51 UTC 2018 - tchvatal@suse.com

- Version update to 64.0.3282.119 bsc#1077571:
  * High CVE-2018-6031: Use after free in PDFium. Reported by Anonymous on 2017-11-01
  * High CVE-2018-6032: Same origin bypass in Shared Worker. Reported by Jun Kokatsu (@shhnjk) on 2017-11-20
  * High CVE-2018-6033: Race when opening downloaded files. Reported by Juho Nurminen on 2017-12-09
  * Medium CVE-2018-6034: Integer overflow in Blink. Reported by Tobias Klein (www.trapkit.de) on 2017-11-12
  * Medium CVE-2018-6035: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
  * Medium CVE-2018-6036: Integer underflow in WebAssembly. Reported by The UK's National Cyber Security Centre (NCSC) on 2017-11-30
  * Medium CVE-2018-6037: Insufficient user gesture requirements in autofill. Reported by Paul Stone of Context Information Security on 2017-08-09
  * Medium CVE-2018-6038: Heap buffer overflow in WebGL. Reported by cloudfuzzer on 2017-10-12
  * Medium CVE-2018-6039: XSS in DevTools. Reported by Juho Nurminen on 2017-10-17
  * Medium CVE-2018-6040: Content security policy bypass. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-26
  * Medium CVE-2018-6041: URL spoof in Navigation. Reported by Luan Herrera on 2017-08-29
  * Medium CVE-2018-6042: URL spoof in OmniBox. Reported by Khalil Zhani on 2017-10-12
  * Medium CVE-2018-6043: Insufficient escaping with external URL handlers. Reported by 0x09AL on 2017-11-16
  * Medium CVE-2018-6045: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-23
  * Medium CVE-2018-6046: Insufficient isolation of devtools from extensions. Reported by Rob Wu on 2017-12-31
  * Medium CVE-2018-6047: Cross origin URL leak in WebGL. Reported by Masato Kinugawa on 2018-01-08
  * Low CVE-2018-6048: Referrer policy bypass in Blink. Reported by Jun Kokatsu (@shhnjk) on 2017-09-08
  * Low CVE-2017-15420: URL spoofing in Omnibox. Reported by Drew Springall (@_aaspring_) on 2017-10-05
  * Low CVE-2018-6049: UI spoof in Permissions. Reported by WenXu Wu of Tencent's Xuanwu Lab on 2017-10-13
  * Low CVE-2018-6050: URL spoof in OmniBox. Reported by Jonathan Kew on 2017-10-15
  * Low CVE-2018-6051: Referrer leak in XSS Auditor. Reported by Antonio Sanso (@asanso) on 2014-12-11
  * Low CVE-2018-6052: Incomplete no-referrer policy implementation. Reported by Tanner Emek on 2016-05-28
  * Low CVE-2018-6053: Leak of page thumbnails in New Tab Page. Reported by Asset Kabdenov on 2017-08-23
  * Low CVE-2018-6054: Use after free in WebUI. Reported by Rob Wu on 2017-12-24
- Add patches:
  * chromium-angle.patch
  * chromium-memcpy.patch
- Drop patch:
  * chromium-gcc.patch
- Change desktop file name to fit below the icon on ie KDE desktop

-------------------------------------------------------------------
Thu Jan 4 20:59:31 UTC 2018 - astieger@suse.com

- Chromium 63.0.3239.132:
  * DevTools: do not report raw headers and cookies for protected subresources
  * Various other fixes and updates

-------------------------------------------------------------------
Fri Dec 15 09:28:07 UTC 2017 - tchvatal@suse.com

- Version update to 63.0.3239.108 bsc#1072976:
  * CVE-2017-15429: UXSS in V8
  * Various fuzzing fixes

-------------------------------------------------------------------
Thu Dec 7 09:41:13 UTC 2017 - tchvatal@suse.com

- Version update to 63.0.3239.84 bsc#1071691:
  * bsc#1106341 CVE-2017-15430 Unsafe navigation in Chromecast
  * Critical CVE-2017-15407: Out of bounds write in QUIC.
  * High CVE-2017-15408: Heap buffer overflow in PDFium.
  * High CVE-2017-15409: Out of bounds write in Skia.
  * High CVE-2017-15410: Use after free in PDFium.
  * High CVE-2017-15411: Use after free in PDFium.
  * High CVE-2017-15412: Use after free in libXML.
  * High CVE-2017-15413: Type confusion in WebAssembly.
  * Medium CVE-2017-15415: Pointer information disclosure in IPC call.
  * Medium CVE-2017-15416: Out of bounds read in Blink.
  * Medium CVE-2017-15417: Cross origin information disclosure in Skia.
  * Medium CVE-2017-15418: Use of uninitialized value in Skia.
  * Medium CVE-2017-15419: Cross origin leak of redirect URL in Blink.
  * Medium CVE-2017-15420: URL spoofing in Omnibox.
  * Medium CVE-2017-15422: Integer overflow in ICU.
  * Low CVE-2017-15423: Issue with SPAKE implementation in BoringSSL.
  * Low CVE-2017-15424: URL Spoof in Omnibox.
  * Low CVE-2017-15425: URL Spoof in Omnibox.
  * Low CVE-2017-15426: URL Spoof in Omnibox.
  * Low CVE-2017-15427: Insufficient blocking of JavaScript in Omnibox.
- Rebase fix-gn-bootstrap.diff
- Drop merged patches:
  * chromium-gcc5.patch
  * chromium-60.0.3112.113-breakpad-ucontext.patch
  * chromium-62.0.3202.62-correct-cplusplus-check.patch
- Add new patches:
  * chromium-non-void-return.patch
  * chromium-gcc.patch

-------------------------------------------------------------------
Wed Nov 22 11:05:42 UTC 2017 - idonmez@suse.com

- BuildRequire nodejs8 instead of nodejs6 for suse_version >= 1330

-------------------------------------------------------------------
Wed Nov 15 14:56:24 UTC 2017 - astieger@suse.com

- Update to 62.0.3202.94:
  * multiple minor rendering related fixes
- fix rebuilds in same chroot

-------------------------------------------------------------------
Tue Nov 7 10:12:28 UTC 2017 - tchvatal@suse.com

- Version update to 62.0.3202.89 bsc#1066851:
  * CVE-2017-15398: Stack buffer overflow in QUIC
  * CVE-2017-15399: Use after free in V8
- Drop upstream merged chromium-sandbox.patch

-------------------------------------------------------------------
Fri Nov 3 12:40:33 UTC 2017 - tchvatal@suse.com

- Restrict the version on jpeg to not waste build power

-------------------------------------------------------------------
Sun Oct 29 08:18:37 UTC 2017 - tchvatal@suse.com

- Add patch to fix sandbox crashes wrt bsc#1064298
  * chromium-sandbox.patch

-------------------------------------------------------------------
Fri Oct 27 09:17:02 UTC 2017 - tchvatal@suse.com

- Version update to 62.0.3202.75 bsc#1065405 CVE-2017-15396
  * CVE-2017-15396: Stack overflow in V8

-------------------------------------------------------------------
Thu Oct 26 12:09:53 UTC 2017 - astieger@suse.com

- BuildRequire nodejs6 required for polymer-bundler.js

-------------------------------------------------------------------
Thu Oct 26 09:19:09 UTC 2017 - tchvatal@suse.com

- Try to export properly CXX/CC variable to fix leap builds

-------------------------------------------------------------------
Wed Oct 25 17:52:44 UTC 2017 - tchvatal@suse.com

- Apply patch to fix building crc32 with gcc7:
  * chromium-62.0.3202.62-correct-cplusplus-check.patch

-------------------------------------------------------------------
Thu Oct 19 03:29:56 UTC 2017 - tchvatal@suse.com

- Update to 62.0.3202.62 bsc#1064066:
  * CVE-2017-5124: UXSS with MHTML.
  * CVE-2017-5125: Heap overflow in Skia.
  * CVE-2017-5126: Use after free in PDFium.
  * CVE-2017-5127: Use after free in PDFium.
  * CVE-2017-5128: Heap overflow in WebGL.
  * CVE-2017-5129: Use after free in WebAudio.
  * CVE-2017-5132: Incorrect stack manipulation in WebAssembly.
  * CVE-2017-5130: Heap overflow in libxml2.
  * CVE-2017-5131: Out of bounds write in Skia.
  * CVE-2017-5133: Out of bounds write in Skia.
  * CVE-2017-15386: UI spoofing in Blink.
  * CVE-2017-15387: Content security bypass.
  * CVE-2017-15388: Out of bounds read in Skia.
  * CVE-2017-15389: URL spoofing in OmniBox.
  * CVE-2017-15390: URL spoofing in OmniBox.
  * CVE-2017-15391: Extension limitation bypass in Extensions.
  * CVE-2017-15392: Incorrect registry key handling in PlatformIntegration.
  * CVE-2017-15393: Referrer leak in Devtools.
  * CVE-2017-15394: URL spoofing in extensions UI.
  * CVE-2017-15395: Null pointer dereference in ImageCapture.
- Drop unused patches:
  * arm-webrtc-fix.patch
  * arm_use_right_compiler.patch
  * chromium-46.0.2490.71-fix-missing-i18n_process_css_test.patch
  * chromium-atk.patch
  * chromium-mojo-dep.patch
  * gcc60-fixes.diff
- Refresh patches:
  * chromium-gcc5.patch
  * chromium-prop-codecs.patch
  * exclude_ymp.diff
  * fix-gn-bootstrap.diff

-------------------------------------------------------------------
Fri Sep 22 14:50:40 UTC 2017 - astieger@suse.com

- Update to 61.0.3163.100 (boo#1060019):
  * CVE-2017-5121: Out-of-bounds access in V8
  * CVE-2017-5122: Out-of-bounds access in V8
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Sat Sep 16 15:50:19 UTC 2017 - tchvatal@suse.com

- Update to 61.0.3163.91:
  * Various bugfixes

-------------------------------------------------------------------
Mon Sep 11 08:45:35 UTC 2017 - tchvatal@suse.com

- Update to 61.0.3163.79 bsc#1057364:
  * CVE-2017-5111: Use after free in PDFium.
  * CVE-2017-5112: Heap buffer overflow in WebGL.
  * CVE-2017-5113: Heap buffer overflow in Skia.
  * CVE-2017-5114: Memory lifecycle issue in PDFium.
  * CVE-2017-5115: Type confusion in V8.
  * CVE-2017-5116: Type confusion in V8.
  * CVE-2017-5117: Use of uninitialized value in Skia.
  * CVE-2017-5118: Bypass of Content Security Policy in Blink.
  * CVE-2017-5119: Use of uninitialized value in Skia.
  * CVE-2017-5120: Potential HTTPS downgrade during redirect navigation.
- Rebase patch:
  * fix-gn-bootstrap.diff
- Remove patches:
  * chromium-gcc7.patch
  * chromium-override.patch
- Add new patches:
  * chromium-atk.patch
  * chromium-gcc5.patch
  * chromium-mojo-dep.patch
- Gtk3 is hard required from now on
- Version some of the required dependencies

-------------------------------------------------------------------
Mon Aug 28 22:57:05 UTC 2017 - astieger@suse.com

- fix build with Factory glibc: add chromium-60.0.3112.113-breakpad-ucontext.patch

-------------------------------------------------------------------
Fri Aug 25 09:17:27 UTC 2017 - tchvatal@suse.com

- Version update to 60.0.3112.113:
  * Various bugfixes

-------------------------------------------------------------------
Tue Aug 15 15:17:00 UTC 2017 - tchvatal@suse.com

- Version update to 60.0.3112.101:
  * various usability bugfixes

-------------------------------------------------------------------
Thu Aug 3 13:25:33 UTC 2017 - tchvatal@suse.com

- Version update to 60.0.3112.90:
  * Various usability bugfixes

-------------------------------------------------------------------
Wed Jul 26 13:27:55 UTC 2017 - tchvatal@suse.com

- Version update to 60.0.3112.78 bsc#1050537:
  * CVE-2017-5091: Use after free in IndexedDB
  * CVE-2017-5092: Use after free in PPAPI
  * CVE-2017-5093: UI spoofing in Blink
  * CVE-2017-5094: Type confusion in extensions
  * CVE-2017-5095: Out-of-bounds write in PDFium
  * CVE-2017-5096: User information leak via Android intents
  * CVE-2017-5097: Out-of-bounds read in Skia
  * CVE-2017-5098: Use after free in V8
  * CVE-2017-5099: Out-of-bounds write in PPAPI
  * CVE-2017-5100: Use after free in Chrome Apps
  * CVE-2017-5101: URL spoofing in OmniBox
  * CVE-2017-5102: Uninitialized use in Skia
  * CVE-2017-5103: Uninitialized use in Skia
  * CVE-2017-5104: UI spoofing in browser
  * CVE-2017-7000: Pointer disclosure in SQLite
  * CVE-2017-5105: URL spoofing in OmniBox
  * CVE-2017-5106: URL spoofing in OmniBox
  * CVE-2017-5107: User information leak via SVG
  * CVE-2017-5108: Type confusion in PDFium
  * CVE-2017-5109: UI spoofing in browser
  * CVE-2017-5110: UI spoofing in payments dialog
  * Various fixes from internal audits, fuzzing and other initiatives
- Add patch chromium-override.patch
- Remove patches chromium-fpermissive.patch chromium-system-ffmpeg-r3.patch
- Rebase patches:
  * chromium-dma-buf.patch
  * chromium-gcc7.patch
  * chromium-last-commit-position-r0.patch
  * fix-gn-bootstrap.diff

-------------------------------------------------------------------
Mon Jul 24 09:01:07 UTC 2017 - tchvatal@suse.com

- Recommend emoji fonts to make sure major web chats do not show question marks

-------------------------------------------------------------------
Wed Jun 28 19:27:55 UTC 2017 - tchvatal@suse.com

- Update to 59.0.3071.115:
  * Various small fixes all around

-------------------------------------------------------------------
Fri Jun 23 07:46:48 UTC 2017 - astieger@suse.com

- Update to 59.0.3071.109:
  * ozone/drm: Only reuse ScanoutBuffers with compatible modifiers
  * Fixing mouse focus on WebView
  * Remove gtk dependency from gles tests
  * Set build flag when using own FreeType
  * Revert of [scheduler] Move some task types to suspendable task runner
  * Fix an incorrect method name on the chrome://site-engagement WebUI page
  * Linux/Windows: Removing Guest menu item for supervised profile

-------------------------------------------------------------------
Fri Jun 16 12:12:56 UTC 2017 - astieger@suse.com

- Update to 59.0.3071.104 (bsc#1044690):
  * CVE-2017-5087: Sandbox Escape in IndexedDB
  * CVE-2017-5088: Out of bounds read in V8
  * CVE-2017-5089: Domain spoofing in Omnibox
  * Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Thu Jun 8 14:56:42 UTC 2017 - tchvatal@suse.com

- Add patch chromium-buildname.patch bsc#1043420

-------------------------------------------------------------------
Tue Jun 6 07:53:53 UTC 2017 - tchvatal@suse.com

- Update to 59.0.3071.86 bsc#1042833:
  * CVE-2017-5070: Type confusion in V8. Reported by Zhao Qixun(@S0rryMybad) of Qihoo 360 Vulcan Team on 2017-05-16
  * CVE-2017-5071: Out of bounds read in V8. Reported by Choongwoo Han on 2017-04-26
  * CVE-2017-5072: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-04-07
  * CVE-2017-5073: Use after free in print preview. Reported by Khalil Zhani on 2017-04-28
  * CVE-2017-5074: Use after free in Apps Bluetooth. Reported by anonymous on 2017-03-09
  * CVE-2017-5075: Information leak in CSP reporting. Reported by Emmanuel Gil Peyrot on 2017-01-05
  * CVE-2017-5086: Address spoofing in Omnibox. Reported by Rayyan Bijoora on 2017-05-16
  * CVE-2017-5076: Address spoofing in Omnibox. Reported by Samuel Erb on 2017-05-06
  * CVE-2017-5077: Heap buffer overflow in Skia. Reported by Sweetchip on 2017-04-28
  * CVE-2017-5078: Possible command injection in mailto handling. Reported by Jose Carlos Exposito Bueno on 2017-04-12
  * CVE-2017-5079: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-20
  * CVE-2017-5080: Use after free in credit card autofill. Reported by Khalil Zhani on 2017-04-05
  * CVE-2017-5081: Extension verification bypass. Reported by Andrey Kovalev (@L1kvID) Yandex Security Team on 2016-12-07
  * CVE-2017-5082: Insufficient hardening in credit card editor. Reported by Nightwatch Cybersecurity Research on 2017-05-11
  * CVE-2017-5083: UI spoofing in Blink. Reported by Khalil Zhani on 2017-04-24
  * CVE-2017-5085: Inappropriate javascript execution on WebUI pages. Reported by Zhiyang Zeng of Tencent security platform department on 2017-02-15
- Add patch to fix build with system dma:
  * chromium-dma-buf.patch
- Drop no longer needed patches:
  * chromium-linker-memory.patch
  * chromium-system-jinja-r13.patch
- Refresh patches:
  * chromium-gcc7.patch
  * chromium-system-ffmpeg-r3.patch
  * fix-gn-bootstrap.diff
- Use bundled libxml
  * Upstream unfortunately uses git snapshot that is not api/abi compatible

-------------------------------------------------------------------
Mon Jun 5 12:55:22 UTC 2017 - tchvatal@suse.com

- Add patch to build with gcc7:
  * chromium-gcc7.patch
- Add patch for fpermissive build error:
  * chromium-fpermissive.patch

-------------------------------------------------------------------
Wed May 10 07:43:46 UTC 2017 - tchvatal@suse.com

- Version update to 58.0.3029.110:
  * Various small bugfixes

-------------------------------------------------------------------
Thu May 4 12:40:32 UTC 2017 - tchvatal@suse.com

- Version update to 58.0.3029.96:
  * Fixes bsc#1037594 CVE-2017-5068

-------------------------------------------------------------------
Tue Apr 25 13:24:42 UTC 2017 - tchvatal@suse.com

- Use bundled jinja2, system one changed in 2.9 too much to work
  * It is at least used only during build

-------------------------------------------------------------------
Fri Apr 21 09:57:49 UTC 2017 - tchvatal@suse.com

- Version update to 58.0.3029.81 bsc#1035103:
  * High CVE-2017-5057: Type confusion in PDFium. Credit to Guang Gong of Alpha Team, Qihoo 360
  * High CVE-2017-5058: Heap use after free in Print Preview. Credit to Khalil Zhani
  * High CVE-2017-5059: Type confusion in Blink. Credit to SkyLined working with Trend Micro's Zero Day Initiative
  * Medium CVE-2017-5060: URL spoofing in Omnibox. Credit to Xudong Zheng
  * Medium CVE-2017-5061: URL spoofing in Omnibox. Credit to Haosheng Wang (@gnehsoah)
  * Medium CVE-2017-5062: Use after free in Chrome Apps. Credit to anonymous
  * Medium CVE-2017-5063: Heap overflow in Skia. Credit to Sweetchip
  * Medium CVE-2017-5064: Use after free in Blink. Credit to Wadih Matar
  * Medium CVE-2017-5065: Incorrect UI in Blink. Credit to Khalil Zhani
  * Medium CVE-2017-5066: Incorrect signature handing in Networking. Credit to chenchu
  * Medium CVE-2017-5067: URL spoofing in Omnibox. Credit to Khalil Zhani
  * Low CVE-2017-5069: Cross-origin bypass in Blink. Credit to Michael Reizelman
- Refresh patch fix-gn-bootstrap.diff
- Refresh patch chromium-system-jinja-r13.patch
- Remove obsolete patch chromium-57-gcc4.patch

-------------------------------------------------------------------
Thu Mar 30 13:07:50 UTC 2017 - tchvatal@suse.com

- Version update to 57.0.2987.133 bsc#1031677:
  * Critical CVE-2017-5055: Use after free in printing. Credit to Wadih Matar
  * High CVE-2017-5054: Heap buffer overflow in V8. Credit to Nicolas Trippar of Zimperium zLabs
  * High CVE-2017-5052: Bad cast in Blink. Credit to JeongHoon Shin
  * High CVE-2017-5056: Use after free in Blink. Credit to anonymous
  * High CVE-2017-5053: Out of bounds memory access in V8. Credit to Team Sniper (Keen Lab and PC Mgr) reported through ZDI (ZDI-CAN-4587)

-------------------------------------------------------------------
Fri Mar 24 15:22:38 UTC 2017 - tchvatal@suse.com

- Drop the browser(npapi) provide which is not true

-------------------------------------------------------------------
Sun Mar 19 11:04:47 UTC 2017 - tchvatal@suse.com

- Add patch to build with gcc4
  * chromium-57-gcc4.patch

-------------------------------------------------------------------
Thu Mar 16 20:45:00 UTC 2017 - tchvatal@suse.com

- Do not use gcc5 and newer as the compat was fixed again
- Update to 57.0.2987.110 with various other small tweaks

-------------------------------------------------------------------
Fri Mar 10 10:55:23 UTC 2017 - tchvatal@suse.com

- Version update to 57.0.2987.98 bsc#1028848:
  CVE-2017-5030 CVE-2017-5031 CVE-2017-5032 CVE-2017-5029
  CVE-2017-5034 CVE-2017-5035 CVE-2017-5036 CVE-2017-5037
  CVE-2017-5039 CVE-2017-5040 CVE-2017-5041 CVE-2017-5033
  CVE-2017-5042 CVE-2017-5038 CVE-2017-5043 CVE-2017-5044
  CVE-2017-5045 CVE-2017-5046
- Refresh patches
  * fix-gn-bootstrap.diff
  * chromium-linker-memory.patch
- Remove obsolete patches:
  * chromium-sandbox.patch
  * chromium-54-ffmpeg2compat.patch
- Remove vaapi patch which broke rendering on non-intel cards:
  * chromium-enable-vaapi-on-suse.patch
- From this release onwards i586 build is disabled

-------------------------------------------------------------------
Wed Feb 15 12:02:32 UTC 2017 - idonmez@suse.com

- Also add harfbuzz-ng to keeplibs for SLE

-------------------------------------------------------------------
Mon Feb 6 20:29:52 UTC 2017 - tchvatal@suse.com

- Add condition for system harfbuzz to be disabled on SLE

-------------------------------------------------------------------
Mon Feb 6 12:21:34 UTC 2017 - qvoheagbfovvhubzdxfx@posteo.net

- Fixed a typo in the build requirements for system minizip.
-------------------------------------------------------------------
Fri Feb 3 12:23:34 UTC 2017 - tchvatal@suse.com

- Version update to 56.0.2924.87:
  * Various small fixes
  * Disabled option to enable/disable plugins in the chrome://plugins
-------------------------------------------------------------------
Thu Feb 2 20:01:27 UTC 2017 - qvoheagbfovvhubzdxfx@posteo.net

- Added the package 'chromium-privacy' with multiple patches
  sourced from the release version on
  https://github.com/u4qo60z73t1c4hurv3ny/privacy_patches-oS_cr,
  which, when enabled with the build option 'privacy', builds a
  version of Chromium with less privacy implications due to Google
  services integration.
-------------------------------------------------------------------
Wed Feb 1 09:48:35 UTC 2017 - qvoheagbfovvhubzdxfx@posteo.net

- Changed the build requirement of libavformat to library version
  57.41.100, as included in ffmpeg 3.1.1, as only this version
  properly supports the public AVStream API 'codecpar'.
-------------------------------------------------------------------
Tue Jan 31 14:08:26 UTC 2017 - tchvatal@suse.com

- Version update to 56.0.2924.76 bsc#1022049:
  - CVE-2017-5007: Universal XSS in Blink
  - CVE-2017-5006: Universal XSS in Blink
  - CVE-2017-5008: Universal XSS in Blink
  - CVE-2017-5010: Universal XSS in Blink
  - CVE-2017-5011: Unauthorised file access in Devtools
  - CVE-2017-5009: Out of bounds memory access in WebRTC
  - CVE-2017-5012: Heap overflow in V8
  - CVE-2017-5013: Address spoofing in Omnibox
  - CVE-2017-5014: Heap overflow in Skia
  - CVE-2017-5015: Address spoofing in Omnibox
  - CVE-2017-5019: Use after free in Renderer
  - CVE-2017-5016: UI spoofing in Blink
  - CVE-2017-5017: Uninitialised memory access in webm video
  - CVE-2017-5018: Universal XSS in chrome://apps
  - CVE-2017-5020: Universal XSS in chrome://downloads
  - CVE-2017-5021: Use after free in Extensions
  - CVE-2017-5022: Bypass of Content Security Policy in Blink
  - CVE-2017-5023: Type confusion in metrics
  - CVE-2017-5024: Heap overflow in FFmpeg
  - CVE-2017-5025: Heap overflow in FFmpeg
  - CVE-2017-5026: UI spoofing. Credit to Ronni Skansing
- Add conditional to switch between system and bundled icu
- Raise dependency on harfbuzz to 1.3.1
- Also refresh patches:
  chromium-prop-codecs.patch
  chromium-linker-memory.patch
-------------------------------------------------------------------
Sat Jan 28 11:31:18 UTC 2017 - qvoheagbfovvhubzdxfx@posteo.net

- Added patch chromium-enable-vaapi-on-suse.patch to enable VAAPI
  hardware accelerated video decoding.
-------------------------------------------------------------------
Wed Dec 21 20:19:42 UTC 2016 - astieger@suse.com

- Chromium 55.0.2883.87:
  * various fixes for crashes and specific websites
  * update Google pinned certificates
-------------------------------------------------------------------
Wed Dec 21 10:02:52 UTC 2016 - tchvatal@suse.com

- Disable system icu on Factory, crashes autofill
-------------------------------------------------------------------
Tue Dec 13 14:38:08 UTC 2016 - idonmez@suse.com

- python-html5lib now depends on six, so preserve that too for SLE
  builds.
-------------------------------------------------------------------
Fri Dec 9 12:07:10 UTC 2016 - astieger@suse.com

- Obsolete ffmpeg and ffmpegsumo package in addition to conflict
-------------------------------------------------------------------
Mon Dec 5 17:08:45 UTC 2016 - astieger@suse.com

- record minimum version for harfbuzz, including runtime
  Chromium will crash with harfbuzz < 1.3.0
-------------------------------------------------------------------
Sat Dec 3 09:59:21 UTC 2016 - tchvatal@suse.com

- Chromium 55.0.2883.75 bnc#1013236:
  CVE-2016-9651 CVE-2016-5208 CVE-2016-5207 CVE-2016-5206
  CVE-2016-5205 CVE-2016-5204 CVE-2016-5209 CVE-2016-5203
  CVE-2016-5210 CVE-2016-5212 CVE-2016-5211 CVE-2016-5213
  CVE-2016-5214 CVE-2016-5216 CVE-2016-5215 CVE-2016-5217
  CVE-2016-5218 CVE-2016-5219 CVE-2016-5221 CVE-2016-5220
  CVE-2016-5222 CVE-2016-9650 CVE-2016-5223 CVE-2016-5226
  CVE-2016-5225 CVE-2016-5224 CVE-2016-9652
- Switch to system libraries: harfbuzz, zlib, ffmpeg, ...
- Refreshed patches:
  * chromium-system-ffmpeg-r3.patch
  * chromium-system-jinja-r13.patch
- Use system ffmpeg unless on 13.2 that didn't include it
  * chromium-54-ffmpeg2compat.patch
  * Remove upstreamed chromium-more-codec-aliases.patch
- Remove bookmarks override as discussed with artwork simply
  just set homepage to our openSUSE one and that is all
-------------------------------------------------------------------
Sat Nov 12 08:20:05 UTC 2016 - astieger@suse.com

- Chromium 54.0.2840.100:
  * CVE-2016-5199: Heap corruption in FFmpeg (boo#1009892)
  * CVE-2016-5200: out of bounds memory access in v8 (boo#1009893)
  * CVE-2016-5201: info leak in extensions (boo#1009894)
  * CVE-2016-5202: various fixes from internal audits (boo#1009895)
-------------------------------------------------------------------
Mon Nov 7 20:02:46 UTC 2016 - tchvatal@suse.com

- Add patch chromium-prop-codecs.patch and set properly the codecs
  variable in main scope to allow ffmpeg passthrough bnc#1008725
-------------------------------------------------------------------
Wed Nov 2 07:32:27 UTC 2016 - tchvatal@suse.com

- Update to 54.0.2840.90:
  * Few fixes and tweaks
  * Fixes CVE-2016-5198 bsc#1008274
-------------------------------------------------------------------
Fri Oct 21 10:27:16 UTC 2016 - tchvatal@suse.com

- Update to 54.0.2840.71:
  * Few fixes around
-------------------------------------------------------------------
Thu Oct 13 10:19:03 UTC 2016 - tchvatal@suse.com

- Version update to 54.0.2840.59 bnc#1004465:
  - CVE-2016-5181: Universal XSS in Blink (Anonymous)
  - CVE-2016-5182: Heap overflow in Blink (Giwan Go of STEALIEN)
  - CVE-2016-5183: Use after free in PDFium (Anonymous)
  - CVE-2016-5184: Use after free in PDFium (Anonymous)
  - CVE-2016-5185: Use after free in Blink (cloudfuzzer)
  - CVE-2016-5187: URL spoofing (Luan Herrera)
  - CVE-2016-5188: UI spoofing (Luan Herrera)
  - CVE-2016-5192: Cross-origin bypass in Blink (haojunhou at gmail)
  - CVE-2016-5189: URL spoofing (xisigr of Tencent's Xuanwu Lab)
  - CVE-2016-5186: Out of bounds read in DevTools (Abdulrahman Alqabandi)
  - CVE-2016-5191: Universal XSS in Bookmarks (Gareth Hughes)
  - CVE-2016-5190: Use after free in Internals (Atte Kettunen of OUSPG)
  - CVE-2016-5193: Scheme bypass (Yuyang ZHOUmartinzhou96)
- packaging changes:
  * disable build for chromium-beta on %arm.
  * Make linker use less memory by tweaking its options:
    chromium-linker-memory.patch
  * obsolete desktop subpackages
  * Switch to gold to reduce memory use during build
  * fix build on 4.5+ kernels with systemlibs:
    chromium-sandbox.patch
  * various compiler and linker flag adjustments
  * enable gtk3 ui, add patch gtk3-missing-define.patch
  * switch from some bundled libraries to the system versions
    chromium-system-ffmpeg-r3.patch
    chromium-system-jinja-r13.patch
    fix-gn-bootstrap.diff
  * remove service file covered by download_files
- run time bug fixes:
  * Add --ui-disable-partial-swap to the launcher bnc#1000019
  * Use default chromium values from master_preferences on first
    run rather than pseudo-duplicating in shellscript
- added features:
  * hangouts extension
-------------------------------------------------------------------
Fri Sep 30 08:00:45 UTC 2016 - tchvatal@suse.com

- Version update to 53.0.2785.143 bnc#1002140:
  * CVE-2016-5177: Use after free in V8
  * CVE-2016-5178: Various fixes from internal audits
-------------------------------------------------------------------
Mon Sep 26 12:22:41 UTC 2016 - dimstar@opensuse.org

- Export GDK_BACKEND=x11 before starting chromium, ensuring that
  it's started as an Xwayland client (boo#1001135).
-------------------------------------------------------------------
Sat Sep 17 11:36:18 UTC 2016 - tchvatal@suse.com

- Apply sandbox patch to fix crashers on tumbleweed bnc#999091
  * chromium-sandbox.patch
-------------------------------------------------------------------
Thu Sep 15 13:09:21 UTC 2016 - tchvatal@suse.com

- Version update stable channel 53.0.2785.116
  * Just small bugfixes around
-------------------------------------------------------------------
Wed Sep 14 07:35:09 UTC 2016 - tchvatal@suse.com

- Version update to 53.0.2785.113 bnc#998743:
  * CVE-2016-5170 Use after free in Blink
  * CVE-2016-5171 Use after free in Blink
  * CVE-2016-5172 Arbitrary Memory Read in v8
  * CVE-2016-5173 Extension resource access
  * CVE-2016-5174 Popup not correctly suppressed
  * CVE-2016-5175 Various fixes from internal audits
-------------------------------------------------------------------
Mon Sep 12 08:31:59 UTC 2016 - tchvatal@suse.com

- Reenable widevine build again bnc#998328
-------------------------------------------------------------------
Sat Sep 10 09:13:37 UTC 2016 - tchvatal@suse.com

- Stable channel update to 53.0.2785.101
  * SPDY crasher fixes
  * Disable NV12 DXGI video on AMD
  * Forward --password-store switch to os_crypt
  * Tell the kernel to discard USB requests when they time out.
-------------------------------------------------------------------
Wed Sep 7 14:50:44 UTC 2016 - astieger@suse.com

- Update to Chromium 53.0.2785.92:
  * Revert of support relocatable RPM packages
  * disallow WKBackForwardListItem navigations for pushState pages
  * arc: bluetooth: Fix advertised uuid
  * fix conflicting PendingIntent for stop button and swipe away
-------------------------------------------------------------------
Thu Sep 1 04:04:13 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 53.0.2785.89
- Improvements to the GN build system (boo#996032, boo#99606,
  boo#995932)
- Security fixes (boo#996648)
  * CVE-2016-5147: Universal XSS in Blink.
  * CVE-2016-5148: Universal XSS in Blink.
  * CVE-2016-5149: Script injection in extensions.
  * CVE-2016-5150: Use after free in Blink.
  * CVE-2016-5151: Use after free in PDFium.
  * CVE-2016-5152: Heap overflow in PDFium.
  * CVE-2016-5153: Use after destruction in Blink.
  * CVE-2016-5154: Heap overflow in PDFium.
  * CVE-2016-5155: Address bar spoofing.
  * CVE-2016-5156: Use after free in event bindings.
  * CVE-2016-5157: Heap overflow in PDFium.
  * CVE-2016-5158: Heap overflow in PDFium.
  * CVE-2016-5159: Heap overflow in PDFium.
  * CVE-2016-5161: Type confusion in Blink.
  * CVE-2016-5162: Extensions web accessible resources bypass.
  * CVE-2016-5163: Address bar spoofing.
  * CVE-2016-5164: Universal XSS using DevTools.
  * CVE-2016-5165: Script injection in DevTools.
  * CVE-2016-5166: SMB Relay Attack via Save Page As.
  * CVE-2016-5160: Extensions web accessible resources bypass.
- Drop patches chromium-snapshot-toolchain-r1.patch
-------------------------------------------------------------------
Sat Aug 27 18:46:44 UTC 2016 - tittiatcoke@gmail.com

- Make it build on ARM.
  * Add build patch arm_use_right_compiler.patch
- Drop unnecessary patches:
  * chromium-arm-r0.patch
-------------------------------------------------------------------
Mon Aug 22 10:13:19 UTC 2016 - tittiatcoke@gmail.com

- Change buildsystem to GN, which is the new upstream default
  * Make Ninja only use 4 buildprocesses for building Chromium itself
  * Drop unnecessary patches
    - chromium-gcc-fixes.patch
    - adjust-ldflags-no-keep-memory.patch
    - gcc50-fixes.diff
  * Add patches to ensure correct build
    - chromium-last-commit-position-r0.patch
    - chromium-snapshot-toolchain-r1.patch
  * Drop unnecessary sourcefiles
    - courgette.tar.xz
    - depot_tools.tar.xz
    - gn-binaries.tar.xz
-------------------------------------------------------------------
Fri Aug 12 08:20:57 UTC 2016 - tittiatcoke@gmail.com

- Use an explicit number of ninja build processes (-j 4), to
  further reduce the memory used.
-------------------------------------------------------------------
Fri Aug 5 08:53:57 UTC 2016 - astieger@suse.com

- Update to Chromium 52.0.2743.116:
  * Security fixes (boo#992305):
    + CVE-2016-5141: Address bar spoofing (boo#992314)
    + CVE-2016-5142: Use-after-free in Blink (boo#992313)
    + CVE-2016-5139: Heap overflow in pdfium (boo#992311)
    + CVE-2016-5140: Heap overflow in pdfium (boo#992310)
    + CVE-2016-5145: Same origin bypass for images in Blink
      (boo#992320)
    + CVE-2016-5143: Parameter sanitization failure in DevTools
      (boo#992319)
    + CVE-2016-5144: Parameter sanitization failure in DevTools
      (boo#992315)
    + CVE-2016-5146: Various fixes from internal audits, fuzzing and
      other initiatives (boo#992309)
-------------------------------------------------------------------
Thu Jul 21 18:55:21 UTC 2016 - tittiatcoke@gmail.com

- Temporarily disable fix_network_api_crash.patch. Upstream has
  changed part of their code, so hopefully that resolved the issue
-------------------------------------------------------------------
Thu Jul 21 07:38:12 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 52.0.2743.82
  * Security fixes (boo#989901):
    + CVE-2016-1706: Sandbox escape in PPAPI
    + CVE-2016-1707: URL spoofing on iOS
    + CVE-2016-1708: Use-after-free in Extensions
    + CVE-2016-1709: Heap-buffer-overflow in sfntly
    + CVE-2016-1710: Same-origin bypass in Blink
    + CVE-2016-1711: Same-origin bypass in Blink
    + CVE-2016-5127: Use-after-free in Blink
    + CVE-2016-5128: Same-origin bypass in V8
    + CVE-2016-5129: Memory corruption in V8
    + CVE-2016-5130: URL spoofing
    + CVE-2016-5131: Use-after-free in libxml
    + CVE-2016-5132: Limited same-origin bypass in Service Workers
    + CVE-2016-5133: Origin confusion in proxy authentication
    + CVE-2016-5134: URL leakage via PAC script
    + CVE-2016-5135: Content-Security-Policy bypass
    + CVE-2016-5136: Use after free in extensions
    + CVE-2016-5137: History sniffing with HSTS and CSP
    + CVE-2016-1705: Various fixes from internal audits, fuzzing and
      other initiatives
-------------------------------------------------------------------
Mon Jul 11 00:46 UTC 2016 - Nick_Levinson@yahoo.com

- Clarification/correction to chromium-desktop-gnome and
  chromium-desktop-kde software descriptions due to passwords
  preservation reported by Chromium developer
-------------------------------------------------------------------
Fri Jun 24 06:39:52 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 51.0.2704.106
  * No changelog indicated
-------------------------------------------------------------------
Thu Jun 23 08:10:56 UTC 2016 - tittiatcoke@gmail.com

- Add gcc60-fixes.diff to resolve the crashes observed with
  chromium when compiled with GCC6
-------------------------------------------------------------------
Fri Jun 17 11:11:46 UTC 2016 - astieger@suse.com

- Update to Chromium 51.0.2704.103
  * Security fixes:
    - CVE-2016-1704: Various fixes from internal audits, fuzzing
      and other initiatives (boo#985397)
-------------------------------------------------------------------
Tue Jun 7 12:15:02 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 51.0.2704.84
  * No further changelog
-------------------------------------------------------------------
Thu Jun 2 11:08:47 UTC 2016 - astieger@suse.com

- Update to Chromium 51.0.2704.79 [boo#982719]
  * Security fixes:
    - CVE-2016-1696: Cross-origin bypass in Extension bindings
    - CVE-2016-1697: Cross-origin bypass in Blink
    - CVE-2016-1698: Information leak in Extension bindings
    - CVE-2016-1699: Parameter sanitization failure in DevTools
    - CVE-2016-1700: Use-after-free in Extensions
    - CVE-2016-1701: Use-after-free in Autofill
    - CVE-2016-1702: Out-of-bounds read in Skia
    - CVE-2016-1703: Various fixes from internal audits, fuzzing
      and other initiatives.
-------------------------------------------------------------------
Thu May 26 04:09:46 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 51.0.2704.63 [boo#981886]
  * Security fixes:
    - CVE-2016-1672: Cross-origin bypass in extension bindings
    - CVE-2016-1673: Cross-origin bypass in Blink
    - CVE-2016-1674: Cross-origin bypass in extensions
    - CVE-2016-1675: Cross-origin bypass in Blink
    - CVE-2016-1676: Cross-origin bypass in extension bindings
    - CVE-2016-1677: Type confusion in V8
    - CVE-2016-1678: Heap overflow in V8
    - CVE-2016-1679: Heap use-after-free in V8 bindings
    - CVE-2016-1680: Heap use-after-free in Skia
    - CVE-2016-1681: Heap overflow in PDFium
    - CVE-2016-1682: CSP bypass for ServiceWorker
    - CVE-2016-1683: Out-of-bounds access in libxslt
    - CVE-2016-1684: Integer overflow in libxslt
    - CVE-2016-1685: Out-of-bounds read in PDFium
    - CVE-2016-1686: Out-of-bounds read in PDFium
    - CVE-2016-1687: Information leak in extensions
    - CVE-2016-1688: Out-of-bounds read in V8
    - CVE-2016-1689: Heap buffer overflow in media
    - CVE-2016-1690: Heap use-after-free in Autofill
    - CVE-2016-1691: Heap buffer-overflow in Skia
    - CVE-2016-1692: Limited cross-origin bypass in ServiceWorker
    - CVE-2016-1693: HTTP Download of Software Removal Tool
    - CVE-2016-1694: HPKP pins removed on cache clearance
    - CVE-2016-1695: Various fixes from internal audits, fuzzing
      and other initiatives
- drop chromium-50.0.2661.75-export_blink_Platform_symbols_in_shared_library_builds.patch
  now upstream
-------------------------------------------------------------------
Fri May 13 10:54:25 UTC 2016 - astieger@suse.com

- Update to Chromium 50.0.2661.102 (boo#979859)
  * Security fixes:
    - CVE-2016-1667: Same origin bypass in DOM
    - CVE-2016-1668: Same origin bypass in Blink V8 bindings
    - CVE-2016-1669: Buffer overflow in V8
    - CVE-2016-1670: Race condition in loader
-------------------------------------------------------------------
Fri Apr 29 13:45:18 UTC 2016 - astieger@suse.com

- Update to Chromium 50.0.2661.94 (boo#977830)
  * Security fixes:
    - CVE-2016-1660: Out-of-bounds write in Blink
    - CVE-2016-1661: Memory corruption in cross-process frames
    - CVE-2016-1662: Use-after-free in extensions
    - CVE-2016-1663: Use-after-free in Blink’s V8 bindings
    - CVE-2016-1664: Address bar spoofing
    - CVE-2016-1665: Information leak in V8
    - CVE-2016-1666: Various fixes from internal audits, fuzzing
      and other initiatives
-------------------------------------------------------------------
Fri Apr 22 14:06:30 UTC 2016 - jslaby@suse.com

- _constraints: increase memory. It takes 1.2G to build some .o,
  and with -j4 this results in OOM.
-------------------------------------------------------------------
Thu Apr 14 07:39:40 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 50.0.2661.75 (boo#975572)
  * Security Fixes:
    - CVE-2016-1652: Universal XSS in extension bindings
    - CVE-2016-1653: Out-of-bounds write in V8
    - CVE-2016-1651: Out-of-bounds read in Pdfium JPEG2000 decoding
    - CVE-2016-1654: Uninitialized memory read in media
    - CVE-2016-1655: Use-after-free related to extensions
    - CVE-2016-1656: Android downloaded file path restriction bypass
    - CVE-2016-1657: Address bar spoofing
    - CVE-2016-1658: Potential leak of sensitive information to
      malicious extensions
    - CVE-2016-1659: Various fixes from internal audits, fuzzing
      and other initiatives
- add patch to fix GCC builds with component=shared_library:
  chromium-50.0.2661.75-export_blink_Platform_symbols_in_shared_library_builds.patch
-------------------------------------------------------------------
Fri Apr 8 07:55:33 UTC 2016 - astieger@suse.com

- Update to Chromium 49.0.2623.112
  * Block user removal when login attempt is in progress
  * Add the SuppressUnsupportedOSWarning policy setting
  * Fix how Save-Page-As responds to web requests blocked by
    extensions
  * Fix preferred width calculation for 8bit ltr runs in rtl blocks
-------------------------------------------------------------------
Wed Mar 30 07:42:53 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 49.0.2623.110
  * No changelog available
-------------------------------------------------------------------
Mon Mar 28 17:44:43 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 49.0.2623.108
  * Security fixes (boo#972834):
    - CVE-2016-1646: Out-of-bounds read in V8
    - CVE-2016-1647: Use-after-free in Navigation
    - CVE-2016-1648: Use-after-free in Extensions
    - CVE-2016-1649: Buffer overflow in libANGLE
    - CVE-2016-1650: Various fixes from internal audits, fuzzing
      and other initiatives
    - CVE-2016-3679: Multiple vulnerabilities in V8 fixed at the
      tip of the 4.9 branch (currently 4.9.385.33).
-------------------------------------------------------------------
Wed Mar 9 08:09:13 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 49.0.2623.87
  * Security fixes:
    - CVE-2016-1643: Type confusion in Blink (boo#970514)
    - CVE-2016-1644: Use-after-free in Blink (boo#970509)
    - CVE-2016-1645: Out-of-bounds write in PDFium (boo#970511)
-------------------------------------------------------------------
Tue Mar 8 09:14:00 UTC 2016 - tittiatcoke@gmail.com

- Change the build method used on Packman.
  * Drop patch no-clang-on-packman.diff. This is no longer required
    as that ninja is respecting the build flags correctly.
- Drop unused patch skia.patch
-------------------------------------------------------------------
Fri Mar 4 10:49:51 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 49.0.2623.75
  * 26 security fixes, with the most important ones being:
    - CVE-2016-1630: Same-origin bypass in Blink
    - CVE-2016-1631: Same-origin bypass in Pepper Plugin
    - CVE-2016-1632: Bad cast in Extensions
    - CVE-2016-1633: Use-after-free in Blink
    - CVE-2016-1634: Use-after-free in Blink
    - CVE-2016-1635: Use-after-free in Blink
    - CVE-2016-1636: SRI Validation Bypass
    - CVE-2015-8126: Out-of-bounds access in libpng
    - CVE-2016-1637: Information Leak in Skia
    - CVE-2016-1638: WebAPI Bypass
    - CVE-2016-1639: Use-after-free in WebRTC
    - CVE-2016-1640: Origin confusion in Extensions UI
    - CVE-2016-1641: Use-after-free in Favicon
    - CVE-2016-1642: Various fixes from internal audits, fuzzing
      and other initiatives
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.9
      branch (currently 4.9.385.26) (boo#969333)
-------------------------------------------------------------------
Fri Feb 19 08:33:46 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 48.0.2564.116
  * Fixes a critical security flaw:
    - CVE-2016-1629: Same-origin bypass in Blink and Sandbox escape
      in Chrome. (boo#967376)
-------------------------------------------------------------------
Mon Feb 15 09:19:16 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 48.0.2564.109
  * Security fixes (boo#965999)
    - CVE-2016-1622: Same-origin bypass in Extensions
    - CVE-2016-1623: Same-origin bypass in DOM
    - CVE-2016-1624: Buffer overflow in Brotli
    - CVE-2016-1625: Navigation bypass in Chrome Instant
    - CVE-2016-1626: Out-of-bounds read in PDFium
    - CVE-2016-1627: Various fixes from internal audits, fuzzing
      and other initiatives
-------------------------------------------------------------------
Sat Feb 13 11:44:02 UTC 2016 - tittiatcoke@gmail.com

- Drop the libva support completely. It seems that this is causing
  more issues than it actually resolves. (boo#965566)
  * Drop chromium-enable-vaapi.patch
-------------------------------------------------------------------
Thu Feb 11 09:12:47 UTC 2016 - tittiatcoke@gmail.com

- Don't build with libva support for openSUSE 13.2 and lower
  (boo#966082)
-------------------------------------------------------------------
Tue Feb 9 12:12:47 UTC 2016 - tittiatcoke@gmail.com

- Drop completely the option to build with system libraries. This
  could lead to issues (boo#965738)
-------------------------------------------------------------------
Fri Feb 5 13:12:47 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 48.0.2564.103
  * No changelog available
-------------------------------------------------------------------
Sun Jan 31 12:24:47 UTC 2016 - tittiatcoke@gmail.com

- Build against the in-source libjpeg to prevent graphical issues
-------------------------------------------------------------------
Sun Jan 31 11:12:18 UTC 2016 - tchvatal@suse.com

- Use spec-cleaner
- Remove buildenv check that is moot for the update-alternatives
  script
- Build against the latest libjpeg rather than jpeg6
- Use update-alternatives as is required by the specification
-------------------------------------------------------------------
Thu Jan 28 09:59:57 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 48.0.2564.97
  * No changelog available
- Update the desktop-kde package so that on Leap and TW, the
  kwallet5 becomes the default. desktop-kde/gnome packages are no
  longer recommended as that the default is to automatically detect
  the password store. Only for those users that want to change
  this, they can select a different setup.
-------------------------------------------------------------------
Fri Jan 22 19:08:56 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 48.0.2564.82
  * Security fixes:
    - CVE-2016-1612: Bad cast in V8 (boo#963184)
    - CVE-2016-1613: Use-after-free in PDFium (boo#963185)
    - CVE-2016-1614: Information leak in Blink (boo#963186)
    - CVE-2016-1615: Origin confusion in Omnibox (boo#963187)
    - CVE-2016-1616: URL Spoofing (boo#963188)
    - CVE-2016-1617: History sniffing with HSTS and CSP (boo#963189)
    - CVE-2016-1618: Weak random number generator in Blink
      (boo#963190)
    - CVE-2016-1619: Out-of-bounds read in PDFium (boo#963191)
    - CVE-2016-1620 chromium-browser: various fixes (boo#963192)
-------------------------------------------------------------------
Thu Jan 14 15:22:38 UTC 2016 - tittiatcoke@gmail.com

- Update to Chromium 47.0.2526.111.
  * No changelog available
-------------------------------------------------------------------
Mon Dec 28 18:14:40 UTC 2015 - stefan.bruens@rwth-aachen.de

- Enable SSE2 on x86_64
-------------------------------------------------------------------
Sun Dec 27 21:44:50 UTC 2015 - stefan.bruens@rwth-aachen.de

- Fix crash when trying to enable chromecast extension
  * Add patch: fix_network_api_crash.patch
    Fix https://code.google.com/p/chromium/issues/detail?id=572539
-------------------------------------------------------------------
Sun Dec 20 12:44:49 UTC 2015 - astieger@suse.com

- Update to Chromium 47.0.2525.106, fixing the following security
  issue:
  * CVE-2015-6792: Fixes from internal audits and fuzzing.
    [boo#959458]
-------------------------------------------------------------------
Mon Dec 14 04:31:08 UTC 2015 - jimmy@boombatower.com

- Enable VA-API hardware acceleration in Linux.
  * chromium-enable-vaapi.patch
-------------------------------------------------------------------
Thu Dec 10 07:11:29 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 47.0.2526.80 [boo#958481]
  * Security fixes
    - CVE-2015-6788: Type confusion in extensions
    - CVE-2015-6789: Use-after-free in Blink
    - CVE-2015-6790: Escaping issue in saved pages
    - CVE-2015-6791: Various fixes from internal audits, fuzzing
      and other initiatives
- Drop unused patch fix-clang.diff.
-------------------------------------------------------------------
Sat Dec 5 10:40:00 UTC 2015 - tittiatcoke@gmail.com

- Enable the possibility to utilize the Widevine plugin within
  chromium. (boo#954103)
  * Add patch: fix_building_widevinecdm_with_chromium.patch
-------------------------------------------------------------------
Wed Dec 2 18:49:23 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 47.0.2526.73
  * Security fixes (boo#957519)
    - CVE-2015-6765: Use-after-free in AppCache
    - CVE-2015-6766: Use-after-free in AppCache
    - CVE-2015-6767: Use-after-free in AppCache
    - CVE-2015-6768: Cross-origin bypass in DOM
    - CVE-2015-6769: Cross-origin bypass in core
    - CVE-2015-6770: Cross-origin bypass in DOM
    - CVE-2015-6771: Out of bounds access in v8
    - CVE-2015-6772: Cross-origin bypass in DOM
    - CVE-2015-6764: Out of bounds access in v8
    - CVE-2015-6773: Out of bounds access in Skia
    - CVE-2015-6774: Use-after-free in Extensions
    - CVE-2015-6775: Type confusion in PDFium
    - CVE-2015-6776: Out of bounds access in PDFium
    - CVE-2015-6777: Use-after-free in DOM
    - CVE-2015-6778: Out of bounds access in PDFium
    - CVE-2015-6779: Scheme bypass in PDFium
    - CVE-2015-6780: Use-after-free in Infobars
    - CVE-2015-6781: Integer overflow in Sfntly
    - CVE-2015-6782: Content spoofing in Omnibox
    - CVE-2015-6783: Signature validation issue in Android Crazy
      Linker.
    - CVE-2015-6784: Escaping issue in saved pages
    - CVE-2015-6785: Wildcard matching issue in CSP
    - CVE-2015-6786: Scheme bypass in CSP
    - CVE-2015-6787: Various fixes from internal audits, fuzzing
      and other initiatives.
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.7
      branch (currently 4.7.80.23)
-------------------------------------------------------------------
Wed Nov 11 08:55:19 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 46.0.2490.86
  * Security fixes (boo#954579):
    - CVE-2015-1302: Information leak in PDF viewer
-------------------------------------------------------------------
Fri Oct 23 17:22:51 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 46.0.2490.80
  * No changelog available
-------------------------------------------------------------------
Mon Oct 19 13:00:57 UTC 2015 - tittiatcoke@gmail.com

- Change the default homepage based on the new landingpage for the
  openSUSE Project. (boo#950957)
-------------------------------------------------------------------
Wed Oct 14 18:31:57 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 46.0.2490.71
  * Security fixes (boo#950290)
    - CVE-2015-6755: Cross-origin bypass in Blink
    - CVE-2015-6756: Use-after-free in PDFium
    - CVE-2015-6757: Use-after-free in ServiceWorker
    - CVE-2015-6758: Bad-cast in PDFium
    - CVE-2015-6759: Information leakage in LocalStorage
    - CVE-2015-6760: Improper error handling in libANGLE
    - CVE-2015-6761: Memory corruption in FFMpeg
    - CVE-2015-6762: CORS bypass via CSS fonts
    - CVE-2015-6763: Various fixes from internal audits, fuzzing
      and other initiatives
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.6
      branch (currently 4.6.85.23) CVE-2015-7834
- drop upstreamed correct-blacklist.diff
- add chromium-46.0.2490.71-fix-missing-i18n_process_css_test.patch
  to fix build
- remove remoting_locales from spec
-------------------------------------------------------------------
Sat Oct 3 06:20:10 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 45.0.2454.101
  * Security fixes:
    - CVE-2015-1303: Cross-origin bypass in DOM [boo#947504]
    - CVE-2015-1304: Cross-origin bypass in V8 [boo#947507]
-------------------------------------------------------------------
Tue Sep 22 10:51:48 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 45.0.2454.99
  - No changelog available
- Add upstream patch correct-blacklist.diff
  * This should restore the correct behavior of the option
    --ignore-gpu-blacklist.
    https://code.google.com/p/chromium/issues/detail?id=509336
-------------------------------------------------------------------
Wed Sep 16 20:06:33 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 45.0.2454.93
  - No changelog available
-------------------------------------------------------------------
Fri Sep 11 06:15:41 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 45.0.2454.85
  Security fixes:
  * CVE-2015-1291: Cross-origin bypass in DOM
  * CVE-2015-1292: Cross-origin bypass in ServiceWorker
  * CVE-2015-1293: Cross-origin bypass in DOM
  * CVE-2015-1294: Use-after-free in Skia
  * CVE-2015-1295: Use-after-free in Printing
  * CVE-2015-1296: Character spoofing in omnibox
  * CVE-2015-1297: Permission scoping error in WebRequest
  * CVE-2015-1298: URL validation error in extensions
  * CVE-2015-1299: Use-after-free in Blink
  * CVE-2015-1300: Information leak in Blink
  * CVE-2015-1301: Various fixes from internal audits, fuzzing and
    other initiatives.
-------------------------------------------------------------------
Wed Aug 5 10:25:10 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 44.0.2403.130
  * No changelog available
-------------------------------------------------------------------
Wed Jul 29 08:57:03 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 44.0.2403.125
  * No changelog available
- The chromium-ffmpeg package (on Packman) now requires the same
  version for the main chromium package. This should prevent the
  issues that arose from the libffmpeg switch that Google did
  recently
-------------------------------------------------------------------
Sat Jul 25 12:35:29 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 44.0.2403.107
  * No changelog available
-------------------------------------------------------------------
Tue Jul 21 18:56:57 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 44.0.2403.89
  * A number of new apps/extension APIs
  * Lots of under the hood changes for stability and performance
  * Security fixes:
    - CVE-2015-1271: Heap-buffer-overflow in pdfium
    - CVE-2015-1273: Heap-buffer-overflow in pdfium
    - CVE-2015-1274: Settings allowed executable files to run
      immediately after download
    - CVE-2015-1275: UXSS in Chrome for Android
    - CVE-2015-1276: Use-after-free in IndexedDB
    - CVE-2015-1279: Heap-buffer-overflow in pdfium
    - CVE-2015-1280: Memory corruption in skia
    - CVE-2015-1281: CSP bypass
    - CVE-2015-1282: Use-after-free in pdfium
    - CVE-2015-1283: Heap-buffer-overflow in expat
    - CVE-2015-1284: Use-after-free in blink
    - CVE-2015-1286: UXSS in blink
    - CVE-2015-1287: SOP bypass with CSS
    - CVE-2015-1270: Uninitialized memory read in ICU
    - CVE-2015-1272: Use-after-free related to unexpected GPU
      process termination
    - CVE-2015-1277: Use-after-free in accessibility
    - CVE-2015-1278: URL spoofing using pdf files
    - CVE-2015-1285: Information leak in XSS auditor
    - CVE-2015-1288: Spell checking dictionaries fetched over HTTP
    - CVE-2015-1289: Various fixes from internal audits, fuzzing
      and other initiatives
-------------------------------------------------------------------
Wed Jul 15 12:01:42 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 43.0.2357.134
  Update of the Pepper Flash plugin to 18.0.0.209
-------------------------------------------------------------------
Wed Jul 8 03:38:30 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 43.0.2357.132
  No changelog available
-------------------------------------------------------------------
Tue Jun 23 12:29:39 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 43.0.2357.130
- Security fixes (boo#935723)
  * CVE-2015-1266: Scheme validation error in WebUI
  * CVE-2015-1268: Cross-origin bypass in Blink
  * CVE-2015-1267: Cross-origin bypass in Blink
  * CVE-2015-1269: Normalization error in HSTS/HPKP preload list

-------------------------------------------------------------------
Wed Jun 17 18:08:51 UTC 2015 - tittiatcoke@gmail.com

- Add the buildflag enable_hotwording=0 to prevent Chromium from downloading a binary blob for speech recognition (boo#935022)
- Add patch gcc50-fixes.diff to enable building against GCC 5. The patch fixes the python regular expression and ensures that a two digit value is returned for the GCC version

-------------------------------------------------------------------
Fri Jun 12 13:51:28 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 43.0.2357.125
  * Bug-fixes:
    - Resolved browser font magnification/scaling issue.

-------------------------------------------------------------------
Wed May 27 10:49:49 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 43.0.2357.81
  * Bug-fixes:
    - Fixed an issue where sometimes a blank page would print
    - Icons not displaying properly on Linux

-------------------------------------------------------------------
Wed May 20 11:02:32 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 43.0.2357.65
  * Security fixes:
    - CVE-2015-1252: Sandbox escape in Chrome
    - CVE-2015-1253: Cross-origin bypass in DOM
    - CVE-2015-1254: Cross-origin bypass in Editing
    - CVE-2015-1255: Use-after-free in WebAudio
    - CVE-2015-1256: Use-after-free in SVG
    - CVE-2015-1251: Use-after-free in Speech
    - CVE-2015-1257: Container-overflow in SVG
    - CVE-2015-1258: Negative-size parameter in Libvpx
    - CVE-2015-1259: Uninitialized value in PDFium
    - CVE-2015-1260: Use-after-free in WebRTC
    - CVE-2015-1261: URL bar spoofing
    - CVE-2015-1262: Uninitialized value in Blink
    - CVE-2015-1263: Insecure download of spellcheck dictionary
    - CVE-2015-1264:
      Cross-site scripting in bookmarks
    - CVE-2015-1265: Various fixes from internal audits, fuzzing and other initiatives
    - Multiple vulnerabilities in V8 fixed at the tip of the 4.3 branch (currently 4.3.61.21)

-------------------------------------------------------------------
Wed Apr 29 08:54:17 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 42.0.2311.135
  * Security fixes:
    - CVE-2015-1243: Use-after-free in DOM
    - CVE-2015-1250: Various fixes from internal audits, fuzzing and other initiatives
    and 3 more security fixes.

-------------------------------------------------------------------
Mon Apr 27 13:26:00 UTC 2015 - tittiatcoke@gmail.com

- Fix for missing Chromium icon in the taskbar.

-------------------------------------------------------------------
Wed Apr 15 14:11:48 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 42.0.2311.90
  * A number of new apps, extension and Web Platform APIs (including the Push API!)
  * Lots of under the hood changes for stability and performance
  * Security fixes, including:
    - CVE-2015-1235: Cross-origin-bypass in HTML parser
    - CVE-2015-1236: Cross-origin-bypass in Blink
    - CVE-2015-1237: Use-after-free in IPC
    - CVE-2015-1238: Out-of-bounds write in Skia
    - CVE-2015-1240: Out-of-bounds read in WebGL
    - CVE-2015-1241: Tap-Jacking
    - CVE-2015-1242: Type confusion in V8
    - CVE-2015-1244: HSTS bypass in WebSockets
    - CVE-2015-1245: Use-after-free in PDFium
    - CVE-2015-1246: Out-of-bounds read in Blink
    - CVE-2015-1247: Scheme issues in OpenSearch
    - CVE-2015-1248: SafeBrowsing bypass
    - CVE-2015-1249: Various fixes from internal audits, fuzzing and other initiatives
    - Multiple vulnerabilities in V8 fixed

-------------------------------------------------------------------
Thu Apr 2 13:01:00 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 41.0.2272.118
  Security fixes:
  * CVE-2015-1233: A combination of V8, Gamepad and IPC bugs that can lead to remote code execution outside of the sandbox
  * CVE-2015-1234: Buffer overflow via race condition
    in GPU

-------------------------------------------------------------------
Sat Mar 21 07:33:54 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 41.0.2272.101
  * Bugfixes

-------------------------------------------------------------------
Thu Mar 12 12:55:23 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 41.0.2272.89
  * Bugfixes

-------------------------------------------------------------------
Wed Mar 4 09:57:26 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 41.0.2272.76
  Security fixes:
  * CVE-2015-1212: Out-of-bounds write in media
  * CVE-2015-1213: Out-of-bounds write in skia filters
  * CVE-2015-1214: Out-of-bounds write in skia filters
  * CVE-2015-1215: Out-of-bounds write in skia filters
  * CVE-2015-1216: Use-after-free in v8 bindings
  * CVE-2015-1217: Type confusion in v8 bindings
  * CVE-2015-1218: Use-after-free in dom
  * CVE-2015-1219: Integer overflow in webgl
  * CVE-2015-1220: Use-after-free in gif decoder
  * CVE-2015-1221: Use-after-free in web databases
  * CVE-2015-1222: Use-after-free in service workers
  * CVE-2015-1223: Use-after-free in dom
  * CVE-2015-1230: Type confusion in v8
  * CVE-2015-1224: Out-of-bounds read in vpxdecoder
  * CVE-2015-1225: Out-of-bounds read in pdfium
  * CVE-2015-1226: Validation issue in debugger
  * CVE-2015-1227: Uninitialized value in blink
  * CVE-2015-1228: Uninitialized value in rendering
  * CVE-2015-1229: Cookie injection via proxies
  * CVE-2015-1231: Various fixes from internal audits
  * Multiple vulnerabilities in V8 fixed at the tip of the 4.1 branch

-------------------------------------------------------------------
Fri Feb 27 16:13:03 UTC 2015 - meissner@suse.com

- regular disk usage is more like 20GB+

-------------------------------------------------------------------
Mon Feb 23 16:06:08 UTC 2015 - meissner@suse.com

- uses around 5.8GB for building, assign like 6GB in _constraints

-------------------------------------------------------------------
Fri Feb 20 17:47:30 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium
  40.0.2214.115
  * Bugfixes

-------------------------------------------------------------------
Tue Feb 18 12:47:30 UTC 2015 - tittiatcoke@gmail.com

- Utilize the _service file to download the chromium tarball

-------------------------------------------------------------------
Sun Feb 8 21:13:30 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 40.0.2214.111
  * Security Fixes:
    - CVE-2015-1209: Use-after-free in DOM
    - CVE-2015-1210: Cross-origin-bypass in V8 bindings
    - CVE-2015-1211: Privilege escalation using service workers
    - CVE-2015-1212: Various fixes from internal audits, fuzzing and other initiatives

-------------------------------------------------------------------
Sat Jan 31 16:35:39 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 40.0.2214.94
  - Bugfixes

-------------------------------------------------------------------
Wed Jan 28 07:53:55 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 40.0.2214.93
  - Bugfixes

-------------------------------------------------------------------
Fri Jan 23 16:26:27 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 40.0.2214.91
  * Security Fixes:
    - CVE-2014-7923: Memory corruption in ICU
    - CVE-2014-7924: Use-after-free in IndexedDB
    - CVE-2014-7925: Use-after-free in WebAudio
    - CVE-2014-7926: Memory corruption in ICU
    - CVE-2014-7927: Memory corruption in V8
    - CVE-2014-7928: Memory corruption in V8
    - CVE-2014-7930: Use-after-free in DOM
    - CVE-2014-7931: Memory corruption in V8
    - CVE-2014-7929: Use-after-free in DOM
    - CVE-2014-7932: Use-after-free in DOM
    - CVE-2014-7933: Use-after-free in FFmpeg
    - CVE-2014-7934: Use-after-free in DOM
    - CVE-2014-7935: Use-after-free in Speech
    - CVE-2014-7936: Use-after-free in Views
    - CVE-2014-7937: Use-after-free in FFmpeg
    - CVE-2014-7938: Memory corruption in Fonts
    - CVE-2014-7939: Same-origin-bypass in V8
    - CVE-2014-7940: Uninitialized-value in ICU
    - CVE-2014-7941: Out-of-bounds read in UI
    - CVE-2014-7942: Uninitialized-value in Fonts
    - CVE-2014-7943: Out-of-bounds read in Skia
    - CVE-2014-7944: Out-of-bounds read in PDFium
    - CVE-2014-7945: Out-of-bounds read in PDFium
    - CVE-2014-7946: Out-of-bounds read in Fonts
    - CVE-2014-7947: Out-of-bounds read in PDFium
    - CVE-2014-7948: Caching error in AppCache
    - CVE-2015-1205: Various fixes from internal audits, fuzzing and other initiatives
    - Multiple vulnerabilities in V8 fixed at the tip of the 3.30 branch

-------------------------------------------------------------------
Tue Jan 13 21:34:07 UTC 2015 - tittiatcoke@gmail.com

- Update to Chromium 39.0.2171.99
  * Bugfixes

-------------------------------------------------------------------
Wed Dec 10 09:05:47 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 39.0.2171.95
  * Bugfixes

-------------------------------------------------------------------
Sun Nov 30 22:34:00 UTC 2014 - Led <ledest@gmail.com>

- fix using 'echo' command in chromium-browser.sh script

-------------------------------------------------------------------
Wed Nov 26 09:31:05 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 39.0.2171.71
  * Bugfixes

-------------------------------------------------------------------
Wed Nov 19 12:51:03 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 39.0.2171.65
  * Security fixes:
    - CVE-2014-7899: Address bar spoofing (boo#906320)
    - CVE-2014-7900: Use-after-free in pdfium (boo#906317)
    - CVE-2014-7901: Integer overflow in pdfium (boo#906322)
    - CVE-2014-7902: Use-after-free in pdfium (boo#906328)
    - CVE-2014-7903: Buffer overflow in pdfium (boo#906318)
    - CVE-2014-7904: Buffer overflow in Skia (boo#906321)
    - CVE-2014-7905: Flaw allowing navigation to intents that do not have the BROWSABLE category (boo#906330)
    - CVE-2014-7906: Use-after-free in pepper plugins (boo#906319)
    - CVE-2014-0574: Double-free in Flash
    - CVE-2014-7907: Use-after-free in blink (boo#906323)
    - CVE-2014-7908: Integer overflow in media (boo#906324)
    - CVE-2014-7909: Uninitialized memory read in Skia (boo#906326)
    - CVE-2014-7910: Various fixes from internal audits, fuzzing
      and other initiatives (boo#906327)

-------------------------------------------------------------------
Fri Nov 14 07:53:38 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 38.0.2125.122
  * Several bugfixes

-------------------------------------------------------------------
Tue Oct 28 14:16:04 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 38.0.2125.111
  * Several bugfixes

-------------------------------------------------------------------
Wed Oct 15 21:03:27 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 38.0.2125.104
  * Several bugfixes
- Updated source url to point to the right location

-------------------------------------------------------------------
Wed Oct 8 09:12:25 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 38.0.2125.101
  This update includes 159 security fixes, including 113 relatively minor fixes. Highlighted security fixes are:
  CVE-2014-3188: A combination of V8 and IPC bugs that can lead to remote code execution outside of the sandbox
  CVE-2014-3189: Out-of-bounds read in PDFium
  CVE-2014-3190: Use-after-free in Events
  CVE-2014-3191: Use-after-free in Rendering
  CVE-2014-3192: Use-after-free in DOM
  CVE-2014-3193: Type confusion in Session Management
  CVE-2014-3194: Use-after-free in Web Workers
  CVE-2014-3195: Information Leak in V8
  CVE-2014-3196: Permissions bypass in Windows Sandbox
  CVE-2014-3197: Information Leak in XSS Auditor
  CVE-2014-3198: Out-of-bounds read in PDFium
  CVE-2014-3199: Release Assert in V8 bindings
  CVE-2014-3200: Various fixes from internal audits, fuzzing and other initiatives
- Drop the build of the Native Client. This is actually not a build as that prebuild binaries are being shipped. Also Google no longer provides prebuild binaries for the NativeClient for 32bit. Chromium as webbrowser is not affected by this and it brings Chromium in line with the regulations that prebuild binaries should not be shipped.
  * toolchaing_linux tarball dropped
  * Spec-file cleaned for NaCl stuff
- Added patch no-clang-on-packman.diff to prevent the usage of clang on packman, which is not supported there

-------------------------------------------------------------------
Wed Sep 10 20:40:33 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 37.0.2062.120
  * Security Fixes (bnc#896106)
    - CVE-2014-3178: Use-after-free in rendering

-------------------------------------------------------------------
Sun Sep 7 07:46:20 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 37.0.2062.103
  * This addresses some user feedback related to how Chrome renders text when display scaling is set to 125% or lower.
- Combine the two toolchain tars into a single one.

-------------------------------------------------------------------
Mon Sep 1 07:33:24 UTC 2014 - tittiatcoke@gmail.com

- Switch to shared libraries as a global default. This hopefully speeds up the builds a little and prevents out-of-memory on OBS
- Move the chrome sandbox binary to the main package and remove the sub-package for it. This should resolve build issues when having the debug flag on.

-------------------------------------------------------------------
Sun Aug 31 00:39:34 UTC 2014 - josua.m@t-online.de

- add toolchain_linux_arm
- disable NaCl on ARM because it doesn't build
- add arm-webrtc-fix.patch
- add chromium-arm-r0.patch
- add skia.patch
- build components as shared libraries on arm

-------------------------------------------------------------------
Wed Aug 27 11:53:24 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 37.0.2062.94
  Security Fixes (bnc#893720)
  * CVE-2014-3176, CVE-2014-3177: A combination of bugs in V8, IPC, sync, and extensions that can lead to remote code execution outside of the sandbox.
  * CVE-2014-3168: Use-after-free in SVG
  * CVE-2014-3169: Use-after-free in DOM
  * CVE-2014-3170: Extension permission dialog spoofing
  * CVE-2014-3171: Use-after-free in bindings
  * CVE-2014-3172: Issue related to extension debugging
  * CVE-2014-3173: Uninitialized memory read in WebGL
  * CVE-2014-3174: Uninitialized memory read in Web Audio
  * CVE-2014-3175: Various fixes from internal audits, fuzzing and other initiatives
  and 41 more security fixes for which no description was given
- Drop the following patches as they are no longer required:
  * chromium-23.0.1245-no-test-sources.patch
  * no-download-nacl.diff
  * chromium-no-courgette.patch

-------------------------------------------------------------------
Wed Aug 13 12:19:10 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 36.0.1985.143
  Security Fixes (bnc#891717)
  * CVE-2014-3165: Use-after-free in web sockets
  * CVE-2014-3166: Information disclosure in SPDY
  * CVE-2014-3167: Various fixes from internal audits, fuzzing and other initiatives
  and 9 more fixes for which no description was given

-------------------------------------------------------------------
Tue Aug 5 21:47:00 UTC 2014 - tittiatcoke@gmail.com

- Add directory remoting_locales to the package to complete the language support within Chromium

-------------------------------------------------------------------
Tue Jul 22 08:19:51 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 36.0.1985.125
  New Functionality:
  * Rich Notifications Improvements
  * An Updated Incognito / Guest NTP design
  * The addition of a Browser crash recovery bubble
  * Chrome App Launcher for Linux
  * Lots of under the hood changes for stability and performance
  Security Fixes (bnc#887952,bnc#887955):
  * CVE-2014-3160: Same-Origin-Policy bypass in SVG
  * CVE-2014-3162: Various fixes from internal audits, fuzzing and other initiatives
  and 24 more fixes for which no description was given.
  Packaging changes:
  * Switch to newer method to retrieve toolchain packages.
    Dropping the three naclsdk_*tgz files. Everything is now included in the toolchain_linux_x86.tar.bz2 tarball
  * Add Courgette.tar.xz as that the build process now requires some files from Courgette in order to build successfully. This does not mean that Courgette is built/delivered.

-------------------------------------------------------------------
Wed Jun 11 11:01:07 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 35.0.1916.153
  Security fixes (bnc#882264,bnc#882264,bnc#882265,bnc#882263):
  * CVE-2014-3154: Use-after-free in filesystem api
  * CVE-2014-3155: Out-of-bounds read in SPDY
  * CVE-2014-3156: Buffer overflow in clipboard
  * CVE-2014-3157: Heap overflow in media

-------------------------------------------------------------------
Thu May 22 08:48:29 UTC 2014 - tittiatcoke@gmail.com

- Use also Ninja for openSUSE 12.3. This is the only method supported by upstream
- Drop support for Arm. Despite that chromium builds on Arm, it can not complete the link process and dies with out-of-memory, etc.
  Drop the specific Arm patches:
  * arm_disable_gn.patch, arm_use_gold.patch, chromium-arm-webrtc-fix.patch, chromium-fix-arm-icu.patch, chromium-fix-arm-skia-memset.patch, chromium-fix-arm-sysroot.patch

-------------------------------------------------------------------
Wed May 21 14:54:37 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 35.0.1916.114
  New Functionality
  * More developer control over touch input
  * New JavaScript features
  * Unprefixed Shadow DOM
  * A number of new apps/extension APIs
  * Lots of under the hood changes for stability and performance
  Security fixes:
  * CVE-2014-1743: Use-after-free in styles
  * CVE-2014-1744: Integer overflow in audio
  * CVE-2014-1745: Use-after-free in SVG
  * CVE-2014-1746: Out-of-bounds read in media filters
  * CVE-2014-1747: UXSS with local MHTML file
  * CVE-2014-1748: UI spoofing with scrollbar
  * CVE-2014-1749: Various fixes from internal audits, fuzzing and other initiatives
  * CVE-2014-3152: Integer underflow in V8 fixed
  and 17 more for which no detailed information is given.
- Drop patch chromium-vendor.patch.in as it no longer applies due to upstream changes

-------------------------------------------------------------------
Wed May 14 19:12:29 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 34.0.1847.137
  * Security updates:
    - CVE-2014-1740: Use-after-free in WebSockets
    - CVE-2014-1741: Integer overflow in DOM range
    - CVE-2014-1742: Use-after-free in editing

-------------------------------------------------------------------
Mon Apr 28 08:48:49 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 34.0.1847.132
  * Security update:
    - CVE-2014-1730: Type confusion in V8
    - CVE-2014-1731: Type confusion in DOM
    - CVE-2014-1732: Use-after-free in Speech Recognition
    - CVE-2014-1733: Compiler bug in Seccomp-BPF
    - CVE-2014-1734: Various fixes from internal audits, fuzzing and other initiatives
    - CVE-2014-1735: Multiple vulnerabilities in V8 fixed in version 3.24.35.33

-------------------------------------------------------------------
Fri Apr 25 16:20:59 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 34.0.1847.131
  * Bugfixes

-------------------------------------------------------------------
Thu Apr 10 15:27:15 UTC 2014 - tittiatcoke@gmail.com

- Add patch chromium-fix-arm-skia-memset.patch to resolve a linking issue on ARM with regards to missing symbols.

-------------------------------------------------------------------
Wed Apr 9 07:25:09 UTC 2014 - tittiatcoke@gmail.com

- Add patch arm_use_gold.patch to use the right gold binaries on ARM.
  Hopefully this resolves the build issues with running out of memory

-------------------------------------------------------------------
Tue Apr 8 20:20:38 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 34.0.1847.116
  * Responsive Images and Unprefixed Web Audio
  * Import supervised users onto new computers
  * A number of new apps/extension APIs
  * Lots of under the hood changes for stability and performance
- Security fixes:
  * CVE-2014-1716: UXSS in V8
  * CVE-2014-1717: OOB access in V8
  * CVE-2014-1718: Integer overflow in compositor
  * CVE-2014-1719: Use-after-free in web workers
  * CVE-2014-1720: Use-after-free in DOM
  * CVE-2014-1721: Memory corruption in V8
  * CVE-2014-1722: Use-after-free in rendering
  * CVE-2014-1723: Url confusion with RTL characters
  * CVE-2014-1724: Use-after-free in speech
  * CVE-2014-1725: OOB read with window property
  * CVE-2014-1726: Local cross-origin bypass
  * CVE-2014-1727: Use-after-free in forms
  * CVE-2014-1728: Various fixes from internal audits, fuzzing and other initiatives
  * CVE-2014-1729: Multiple vulnerabilities in V8
- No longer build against system libraries as that Chromium works a lot better and crashes less on websites than with system libs
- Added package depot_tools.tar.gz as that the chromium build now requires it during the initial build phase. It just contains some utilities and nothing from it is being installed.

-------------------------------------------------------------------
Sun Apr 6 14:06:48 UTC 2014 - tittiatcoke@gmail.com

- If people want to install newer versions of the ffmpeg library then let them. This is what they want.
- Remove the buildscript from the sources

-------------------------------------------------------------------
Mon Mar 17 07:33:21 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 33.0.1750.152
  Stable channel update:
  - Security fixes:
    * CVE-2014-1713: Use-after-free in Blink bindings
    * CVE-2014-1714: Windows clipboard vulnerability
    * CVE-2014-1705: Memory corruption in V8
    * CVE-2014-1715: Directory traversal issue

-------------------------------------------------------------------
Thu Mar 13 06:31:45 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 33.0.1750.149
  Stable channel update:
  - Security fixes:
    * CVE-2014-1700: Use-after-free in speech
    * CVE-2014-1701: UXSS in events
    * CVE-2014-1702: Use-after-free in web database
    * CVE-2014-1703: Potential sandbox escape due to a use-after-free in web sockets
    * CVE-2014-1704: Multiple vulnerabilities in V8 fixed in version 3.23.17.18

-------------------------------------------------------------------
Fri Feb 21 12:52:21 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 33.0.1750.117
  Stable channel update:
  - Security Fixes:
    * CVE-2013-6653: Use-after-free related to web contents
    * CVE-2013-6654: Bad cast in SVG
    * CVE-2013-6655: Use-after-free in layout
    * CVE-2013-6656: Information leak in XSS auditor
    * CVE-2013-6657: Information leak in XSS auditor
    * CVE-2013-6658: Use-after-free in layout
    * CVE-2013-6659: Issue with certificates validation in TLS handshake
    * CVE-2013-6660: Information leak in drag and drop
    * CVE-2013-6661: Various fixes from internal audits, fuzzing and other initiatives. Of these, seven are fixes for issues that could have allowed for sandbox escapes from compromised renderers.
  - Other:
    - Google Chrome Frame has been retired
- Added gn-binaries.tar.xz to have the right version of the Google depot tools during build.
- Added patch arm_disable_gn.patch to disable GN on ARM builds

-------------------------------------------------------------------
Tue Jan 28 17:50:25 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 32.0.1700.102
  Stable channel update:
  - Security Fixes:
    * CVE-2013-6649: Use-after-free in SVG images
    * CVE-2013-6650: Memory corruption in V8
    * and 12 other fixes
  - Other:
    * Mouse Pointer disappears after exiting full-screen mode
    * Drag and drop files into Chromium may not work properly
    * Quicktime Plugin crashes in Chromium
    * Chromium becomes unresponsive
    * Trackpad users may not be able to scroll horizontally
    * Scrolling does not work in combo box
    * Chromium does not work with all CSS minifiers such as whitespace around a media query's `and` keyword

-------------------------------------------------------------------
Thu Jan 16 20:58:04 UTC 2014 - tittiatcoke@gmail.com

- Update to Chromium 32.0.1700.77
  Stable channel update:
  - Security fixes:
    * CVE-2013-6646: Use-after-free in web workers
    * CVE-2013-6641: Use-after-free related to forms
    * CVE-2013-6643: Unprompted sync with an attacker’s Google account
    * CVE-2013-6645: Use-after-free related to speech input elements
    * CVE-2013-6644: Various fixes from internal audits, fuzzing and other initiatives
  - Other:
    * Tab indicators for sound, webcam and casting
    * Automatically blocking malware files
    * Lots of under the hood changes for stability and performance
- Remove patch chromium-fix-chromedriver-build.diff as that chromedriver is fixed upstream

-------------------------------------------------------------------
Thu Dec 5 11:34:03 UTC 2013 - tittiatcoke@gmail.com

- Update to Chromium 31.0.1650.63
  Stable channel update:
  - Security fixes:
    * CVE-2013-6634: Session fixation in sync related to 302 redirects
    * CVE-2013-6635: Use-after-free in editing
    * CVE-2013-6636: Address bar spoofing related to modal dialogs
    * CVE-2013-6637: Various fixes from internal audits, fuzzing and other initiatives.
    * CVE-2013-6638: Buffer overflow in v8
    * CVE-2013-6639: Out of bounds write in v8.
    * CVE-2013-6640: Out of bounds read in v8
    * and 12 other security fixes.
- Updated ExcludeArch to exclude aarch64, ppc, ppc64 and ppc64le. This is based on missing build requires (valgrind, v8, etc)

-------------------------------------------------------------------
Wed Nov 27 09:36:08 UTC 2013 - tittiatcoke@gmail.com

- Remove the build flags to build according to the Chrome ffmpeg branding and the proprietary codecs. (bnc#847971)

-------------------------------------------------------------------
Sat Nov 16 08:44:23 UTC 2013 - tittiatcoke@gmail.com

- Update to Chromium 31.0.1650.57
  Stable channel update:
  - Security Fixes:
    * CVE-2013-6632: Multiple memory corruption issues.

-------------------------------------------------------------------
Wed Nov 13 17:46:35 UTC 2013 - tittiatcoke@gmail.com

- Update to Chromium 31.0.1650.48
  Stable Channel update:
  - Security fixes:
    * CVE-2013-6621: Use after free related to speech input elements.
    * CVE-2013-6622: Use after free related to media elements.
    * CVE-2013-6623: Out of bounds read in SVG.
    * CVE-2013-6624: Use after free related to “id” attribute strings.
    * CVE-2013-6625: Use after free in DOM ranges.
    * CVE-2013-6626: Address bar spoofing related to interstitial warnings.
    * CVE-2013-6627: Out of bounds read in HTTP parsing.
    * CVE-2013-6628: Issue with certificates not being checked during TLS renegotiation.
    * CVE-2013-2931: Various fixes from internal audits, fuzzing and other initiatives.
    * CVE-2013-6629: Read of uninitialized memory in libjpeg and libjpeg-turbo.
    * CVE-2013-6630: Read of uninitialized memory in libjpeg-turbo.
    * CVE-2013-6631: Use after free in libjingle.
- Added patch chromium-fix-chromedriver-build.diff to fix the chromedriver build

-------------------------------------------------------------------
Thu Nov 7 11:18:07 UTC 2013 - tittiatcoke@gmail.com

- Enable ARM build for Chromium.
  * Added patches chromium-arm-webrtc-fix.patch, chromium-fix-arm-icu.patch and chromium-fix-arm-sysroot.patch to resolve ARM specific build issues

-------------------------------------------------------------------
Fri Oct 25 17:50:46 UTC 2013 - tittiatcoke@gmail.com

- Update to Chromium 30.0.1599.114
  Stable Channel update: fix build for 32bit systems
- Drop patch chromium-fix-chromedriver-build.diff. This is now fixed upstream
- For openSUSE versions lower than 13.1, build against the in-tree libicu

-------------------------------------------------------------------
Wed Oct 16 05:14:12 UTC 2013 - tittiatcoke@gmail.com

- Update to Chromium 30.0.1599.101
  - Security Fixes:
    + CVE-2013-2925: Use after free in XHR
    + CVE-2013-2926: Use after free in editing
    + CVE-2013-2927: Use after free in forms.
    + CVE-2013-2928: Various fixes from internal audits, fuzzing and other initiatives.

-------------------------------------------------------------------
Tue Oct 1 20:48:13 UTC 2013 - tittiatcoke@gmail.com

- Update to Chromium 30.0.1599.66
  - Easier searching by image
  - A number of new apps/extension APIs
  - Lots of under the hood changes for stability and performance
  - Security fixes:
    + CVE-2013-2906: Races in Web Audio
    + CVE-2013-2907: Out of bounds read in Window.prototype object
    + CVE-2013-2908: Address bar spoofing related to the “204 No Content” status code
    + CVE-2013-2909: Use after free in inline-block rendering
    + CVE-2013-2910: Use-after-free in Web Audio
    + CVE-2013-2911: Use-after-free in XSLT
    + CVE-2013-2912: Use-after-free in PPAPI
    + CVE-2013-2913: Use-after-free in XML document parsing
    + CVE-2013-2914: Use after free in the Windows color chooser dialog
    + CVE-2013-2915: Address bar spoofing via a malformed scheme
    + CVE-2013-2916: Address bar spoofing related to the “204 No Content” status code
    + CVE-2013-2917: Out of bounds read in Web Audio
    + CVE-2013-2918: Use-after-free in DOM
    + CVE-2013-2919: Memory corruption in V8
    + CVE-2013-2920: Out of bounds read in URL parsing
    + CVE-2013-2921: Use-after-free in resource loader
    + CVE-2013-2922: Use-after-free in template element
    + CVE-2013-2923: Various fixes from internal audits, fuzzing and other initiatives
    + CVE-2013-2924: Use-after-free in ICU. Upstream bug

-------------------------------------------------------------------
Tue Oct 1 09:57:35 UTC 2013 - tittiatcoke@gmail.com

- Add patch chromium-fix-altgrkeys.diff
  - Make sure that AltGr is treated correctly (issue#296835)

-------------------------------------------------------------------
Fri Sep 27 22:22:31 UTC 2013 - tittiatcoke@gmail.com

- Do not build with system libxml (bnc#825157)

-------------------------------------------------------------------
Wed Sep 25 18:29:25 UTC 2013 - tittiatcoke@gmail.com

- Update to Chromium 31.0.1640.0
  * Bug and Stability Fixes
- Fix desktop file for chromium by removing extension from icon
- Change the methodology for the Chromium packages. Build is now based on an official tarball. As soon as the Beta channel catches up with the current version, Chromium will be based on the Beta channel instead of svn snapshots

-------------------------------------------------------------------
Sun Sep 15 10:37:00 UTC 2013 - tittiatcoke@gmail.com

- Update to 31.0.1632
  * Bug and Stability fixes
- Added the flag --enable-threaded-compositing to the startup script. This flag seems to be required when hardware acceleration is in use. This prevents websites from locking up on users in certain cases.
-------------------------------------------------------------------
Tue Sep 10 18:44:03 UTC 2013 - tittiatcoke@gmail.com

- Update to 31.0.1627
  * Bug and Stability fixes

-------------------------------------------------------------------
Mon Sep 2 13:39:12 UTC 2013 - tittiatcoke@gmail.com

- Update to 31.0.1619
  * bug and Stability fixes

-------------------------------------------------------------------
Mon Aug 26 20:57:18 UTC 2013 - andreas.stieger@gmx.de

- require mozilla-nss-devel >= 3.14 and mozilla-nspr-devel >= 4.9.5

-------------------------------------------------------------------
Mon Aug 26 09:35:02 UTC 2013 - tittiatcoke@gmail.com

- Add patch exclude_ymp.diff to ensure that 1-click-install files are downloaded and NOT opened (bnc#836059)

-------------------------------------------------------------------
Sun Aug 25 08:25:22 UTC 2013 - tittiatcoke@gmail.com

- Update to 31.0.1611
  * Bug and stability fixes

-------------------------------------------------------------------
Sun Aug 18 15:51:38 UTC 2013 - tittiatcoke@gmail.com

- Update to 31.0.1605
  * Bug and stability fixes

-------------------------------------------------------------------
Fri Aug 16 13:31:17 UTC 2013 - tittiatcoke@gmail.com

- Change the startup script so that Chromium will not start when the chrome_sandbox doesn't have the SETUID. (bnc#779448)

-------------------------------------------------------------------
Wed Aug 14 17:31:17 UTC 2013 - tittiatcoke@gmail.com

- Update to 31.0.1601
  * Bug and stability fixes

-------------------------------------------------------------------
Sun Aug 11 08:40:31 UTC 2013 - tittiatcoke@gmail.com

- Update to 30.0.1594
  * Bug and stability fixes
- Correct specfile to properly own /usr/bin/chromium (bnc#831584)
- Chromium now expects the SUID-helper installed in the same directory as chromium.
  So let's create a symlink to the helper in /usr/lib

-------------------------------------------------------------------
Sun Aug 4 14:11:58 UTC 2013 - tittiatcoke@gmail.com

- Update to 30.0.1587
  * Bug and stability fixes
- Remove patch chromium-nss-compliant.diff (Upstream)

-------------------------------------------------------------------
Wed Jul 24 04:57:36 UTC 2013 - tittiatcoke@gmail.com

- Update to 30.0.1575
  * Bug and stability fixes
  * Enable the gpu-sandbox again due to upstream fix (chromium#255063)

-------------------------------------------------------------------
Tue Jul 16 17:55:57 UTC 2013 - tittiatcoke@gmail.com

- Update to 30.0.1567
  * bug and Stability fixes

-------------------------------------------------------------------
Mon Jul 1 17:02:52 UTC 2013 - tittiatcoke@gmail.com

- Update to 30.0.1553
  * Bug and stability fixes
  * Includes security update for v8 (bnc821601)
  * CVE-2013-2838 Denial of service (out-of-bounds read) via unspecified vectors

-------------------------------------------------------------------
Fri Jun 28 07:46:04 UTC 2013 - tittiatcoke@gmail.com

- Add the flag --disable-gpu-sandbox to prevent crashes and/or slowness. The GPU Sandbox is a new sandbox introduced in M28 and is currently causing issues (http://code.google.com/p/chromium/issues/detail?id=255063)

-------------------------------------------------------------------
Tue Jun 25 12:27:22 UTC 2013 - tittiatcoke@gmail.com

- Update to 29.0.1548
  * Bug and Stability fixes

-------------------------------------------------------------------
Sun Jun 16 15:03:32 UTC 2013 - tittiatcoke@gmail.com

- Update to 29.0.1541
  * Bug and Stability fixes
- Added patch chromium-nss-compatibility to fix build on Factory

-------------------------------------------------------------------
Wed Jun 5 20:24:08 UTC 2013 - tittiatcoke@gmail.com

- Update to 29.0.1530
  * Bug and Stability fixes.
- Dropped subversion buildrequire as svn is no longer used.
  (Thanks to andreas.stieger@gmx.de)

-------------------------------------------------------------------
Mon May 27 16:31:10 UTC 2013 - tittiatcoke@gmail.com

- Update to 29.0.1521
  * Bug and stability fixes

-------------------------------------------------------------------
Thu May 23 08:26:55 UTC 2013 - tittiatcoke@gmail.com

- Update to 29.0.1517
  * Bug and stability fixes

-------------------------------------------------------------------
Sun May 5 18:43:49 UTC 2013 - tittiatcoke@gmail.com

- Update to 28.0.1500
  * Bug and stability fixes
- Added patch adjust-ldflags-no-keep-memory.patch to change a ldflags
  option to reduce the memory used during linking

-------------------------------------------------------------------
Thu May 2 11:43:10 UTC 2013 - tittiatcoke@gmail.com

- Update to 28.0.1497
  * Bug and stability fixes

-------------------------------------------------------------------
Mon Apr 29 12:20:19 UTC 2013 - tittiatcoke@gmail.com

- Update to 28.0.1494
  * Bug and Stability Fixes

-------------------------------------------------------------------
Sat Apr 27 21:34:51 UTC 2013 - tittiatcoke@gmail.com

- Update to 28.0.1493
  * bug and stability fixes
  * Bring back the lost buildflag to enable proprietary codecs

-------------------------------------------------------------------
Sun Apr 14 13:46:39 UTC 2013 - tittiatcoke@gmail.com

- Update to 28.0.1479
  * bug and stability fixes

-------------------------------------------------------------------
Wed Apr 10 20:34:07 UTC 2013 - tittiatcoke@gmail.com

- use %config(noreplace) for /etc/default/chromium, so that user
  changes are preserved.

-------------------------------------------------------------------
Sat Apr 6 18:55:27 UTC 2013 - tittiatcoke@gmail.com

- Update to 28.0.1468
  * Bug and stability fixes

-------------------------------------------------------------------
Sun Mar 24 12:56:12 UTC 2013 - tittiatcoke@gmail.com

- Update to 27.0.1452
  * Bug and stability fixes
- Change buildsystem to ninja for additional speed
  * Dropped patch chromium_use_gold.patch
- Removed obsolete 11.4 bits and pieces in the spec-file
  * includes chromium.easy patch

-------------------------------------------------------------------
Tue Mar 19 16:51:59 UTC 2013 - tittiatcoke@gmail.com

- Update to 27.0.1447
  * Bug and stability fixes
  * Drop patch chromium-norpath.patch. Rpath is only used when
    building chromium with shared libraries.
- Deactivate building against system libraries. This is now causing
  issues for building on 12.3 and Factory.

-------------------------------------------------------------------
Sat Mar 9 14:03:28 UTC 2013 - tittiatcoke@gmail.com

- Update to 27.0.1435
  * Bug and stability fixes
  * Drop patch chromium-siginfo.patch due to upstream inclusion

-------------------------------------------------------------------
Sat Feb 23 08:09:58 UTC 2013 - tittiatcoke@gmail.com

- Update to 27.0.1425
  * Bug and stability fixes:
    - Fixed crash after clicking through malware warning.
      (Issue: 173986)
    - Fixed broken command line to create extensions with locale info
      (Issue: 176187)
    - Hosted apps in Chrome will always be opened from app launcher.
      (Issue: 176267)
    - Added modal confirmation dialog to the enterprise profile
      sign-in flow. (Issue: 171236)
    - Fixed a crash with autofill. (Issues: 175454, 176576)
    - Fixed issues with sign-in. (Issues: 175672, 175819, 175541,
      176190)
    - Fixed spurious profile shortcuts created with a system-level
      install. (Issue: 177047)
    - Fixed the background tab flashing with certain themes.
      (Issue: 175426)
  * Security Fixes: (bnc#804986)
    - High CVE-2013-0879: Memory corruption with web audio node
    - High CVE-2013-0880: Use-after-free in database handling
    - Medium CVE-2013-0881: Bad read in Matroska handling
    - High CVE-2013-0882: Bad memory access with excessive SVG
      parameters.
    - Medium CVE-2013-0883: Bad read in Skia.
    - Low CVE-2013-0884: Inappropriate load of NaCl.
    - Medium CVE-2013-0885: Too many API permissions granted to web
      store
    - Medium CVE-2013-0886: Incorrect NaCl signal handling.
    - Low CVE-2013-0887: Developer tools process has too many
      permissions and places too much trust in the connected server
    - Medium CVE-2013-0888: Out-of-bounds read in Skia
    - Low CVE-2013-0889: Tighten user gesture check for dangerous file
      downloads.
    - High CVE-2013-0890: Memory safety issues across the IPC layer.
    - High CVE-2013-0891: Integer overflow in blob handling.
    - Medium CVE-2013-0892: Lower severity issues across the IPC layer
    - Medium CVE-2013-0893: Race condition in media handling.
    - High CVE-2013-0894: Buffer overflow in vorbis decoding.
    - High CVE-2013-0895: Incorrect path handling in file copying.
    - High CVE-2013-0896: Memory management issues in plug-in message
      handling
    - Low CVE-2013-0897: Off-by-one read in PDF
    - High CVE-2013-0898: Use-after-free in URL handling
    - Low CVE-2013-0899: Integer overflow in Opus handling
    - Medium CVE-2013-0900: Race condition in ICU
  * Make adjustment for autodetecting of the PepperFlash library.
    The package with the PepperFlash hopefully will be soon available
    through packman

-------------------------------------------------------------------
Tue Feb 12 20:12:25 UTC 2013 - tittiatcoke@gmail.com

- Update to 26.0.1411
  * Bug and stability fixes

-------------------------------------------------------------------
Sun Feb 3 11:41:13 UTC 2013 - tittiatcoke@gmail.com

- Update to 26.0.1403
  * Bug and stability fixes

-------------------------------------------------------------------
Sat Jan 26 18:19:10 UTC 2013 - crrodriguez@opensuse.org

- Using system libxml2 requires system libxslt.
- Using system MESA does not work in i586 for some reason.

-------------------------------------------------------------------
Sat Jan 26 15:59:32 UTC 2013 - crrodriguez@opensuse.org

- Also use system MESA, factory version seems adequate now.
- Always use system libxml2.

-------------------------------------------------------------------
Fri Jan 25 16:15:58 UTC 2013 - crrodriguez@opensuse.org

- Restrict the usage of system libraries instead of the bundled ones
  to new products, too much hassle otherwise.

-------------------------------------------------------------------
Fri Jan 25 03:32:21 UTC 2013 - crrodriguez@opensuse.org

- Also link kerberos and libgps directly, do not dlopen them.

-------------------------------------------------------------------
Fri Jan 25 02:08:01 UTC 2013 - crrodriguez@opensuse.org

- Avoid using dlopen on system libraries, rpm or the package Manager
  do not handle this at all. tested for a few weeks and implemented
  with a macro so it can be easily disabled if problems arise.
- Use SOME system libraries instead of the bundled ones, tested for
  several weeks and implemented with a macro for easy enable/Disable
  in case of trouble.

-------------------------------------------------------------------
Thu Jan 24 06:45:53 UTC 2013 - tittiatcoke@gmail.com

- Update to 26.0.1393
  * Bug and stability fixes

-------------------------------------------------------------------
Sun Jan 13 18:15:47 UTC 2013 - tittiatcoke@gmail.com

- Update to 26.0.1383
  * Security fixes
    - CVE-2012-5145: Use-after-free in SVG layout
    - CVE-2012-5146: Same origin policy bypass with malformed URL
    - CVE-2012-5147: Use-after-free in DOM handling
    - CVE-2012-5148: Missing filename sanitization in hyphenation
      support
    - CVE-2012-5149: Integer overflow in audio IPC handling
    - CVE-2012-5150: Use-after-free when seeking video
    - CVE-2012-5152: Out-of-bounds read when seeking video
    - CVE-2012-5153: Out-of-bounds stack access in v8.
    - CVE-2012-5154: Integer overflow in shared memory allocation
    - CVE-2013-0830: Missing NUL termination in IPC.
    - CVE-2013-0831: Possible path traversal from extension process
    - CVE-2013-0832: Use-after-free with printing.
    - CVE-2013-0833: Out-of-bounds read with printing.
    - CVE-2013-0834: Out-of-bounds read with glyph handling
    - CVE-2013-0835: Browser crash with geolocation
    - CVE-2013-0836: Crash in v8 garbage collection.
    - CVE-2013-0837: Crash in extension tab handling.
    - CVE-2013-0838: Tighten permissions on shared memory segments

-------------------------------------------------------------------
Tue Jan 8 13:19:57 UTC 2013 - tittiatcoke@gmail.com

  * Set up Google API keys, see
    http://www.chromium.org/developers/how-tos/api-keys .
    # Note: these are for openSUSE Chromium builds ONLY!!
    (Setup was done based on indication from Pawel Hajdan)

-------------------------------------------------------------------
Fri Jan 4 09:08:32 UTC 2013 - tittiatcoke@gmail.com

- Update to 26.0.1375
  * Bug and stability fixes

-------------------------------------------------------------------
Thu Dec 27 14:43:46 UTC 2012 - tittiatcoke@gmail.com

- Change the default setting for password-store to basic.
  (bnc#795860)

-------------------------------------------------------------------
Wed Dec 26 12:36:13 UTC 2012 - tittiatcoke@gmail.com

- Update to 26.0.1371
  * Bug and stability fixes

-------------------------------------------------------------------
Thu Dec 20 13:25:14 UTC 2012 - tittiatcoke@gmail.com

- Update to 26.0.1367
  * Bug and stability fixes

-------------------------------------------------------------------
Sat Dec 15 13:32:15 UTC 2012 - tittiatcoke@gmail.com

- Update to 25.0.1362
  * Security fixes (bnc#794075):
    - CVE-2012-5139: Use-after-free with visibility events
    - CVE-2012-5140: Use-after-free in URL loader
    - CVE-2012-5141: Limit Chromoting client plug-in instantiation.
    - CVE-2012-5142: Crash in history navigation.
    - CVE-2012-5143: Integer overflow in PPAPI image buffers
    - CVE-2012-5144: Stack corruption in AAC decoding

-------------------------------------------------------------------
Thu Dec 6 10:06:51 UTC 2012 - tittiatcoke@gmail.com

- Update to 25.0.1352
  * Fixed garbled header and footer text in print preview.
    [Issue: 152893]
  * Fixed extension action badges with long text. [Issue: 160069]
  * Disable find if constrained window is shown. [Issue: 156969]
  * Enable fullscreen for apps windows. [Issue: 161246]
  * Fixed broken profile with system-wide installation and
    UserDataDir & DiskCacheDir policy. [Issue: 161336]
  * Fixed stability crashes like 158747, 159437, 149139, 160914,
    160401, 161858, 158747, 156878
  * Fixed graphical corruption in Dust. [Issue: 155258]
  * Fixed scrolling issue. [Issue: 163553]

-------------------------------------------------------------------
Fri Nov 30 17:15:39 UTC 2012 - tittiatcoke@gmail.com

- Update to 25.0.1343
  * Security Fixes (bnc#791234 and bnc#792154):
    - CVE-2012-5131: Corrupt rendering in the Apple OSX driver for
      Intel GPUs
    - CVE-2012-5133: Use-after-free in SVG filters.
    - CVE-2012-5130: Out-of-bounds read in Skia
    - CVE-2012-5132: Browser crash with chunked encoding
    - CVE-2012-5134: Buffer underflow in libxml.
    - CVE-2012-5135: Use-after-free with printing.
    - CVE-2012-5136: Bad cast in input element handling.
    - CVE-2012-5138: Incorrect file path handling
    - CVE-2012-5137: Use-after-free in media source handling
- Correct build so that proprietary codecs can be used when the
  chromium-ffmpeg package is installed

-------------------------------------------------------------------
Sun Nov 25 12:50:28 UTC 2012 - tittiatcoke@gmail.com

- Add a configuration file (/etc/default/chromium) where we can
  indicate flags for the chromium-browser.

-------------------------------------------------------------------
Sat Nov 24 20:00:51 UTC 2012 - tittiatcoke@gmail.com

- Update to 25.0.1335
  * {gtk} Fixed <input> selection renders white text on white
    background in apps. (Issue: 158422)
  * Fixed translate infobar button to show selected language.
    (Issue: 155350)
  * Fixed broken Arabic language. (Issue: 158978)
  * Fixed pre-rendering if the preference is disabled at start up.
    (Issue: 159393)
  * Fixed JavaScript rendering issue. (Issue: 159655)
  * No further indications in the ChangeLog

-------------------------------------------------------------------
Tue Nov 20 23:27:56 UTC 2012 - tittiatcoke@gmail.com

- Update to 25.0.1329
  * No further indications in the ChangeLog
- Removed patch chomium-ffmpeg-no-pkgconfig.patch
- Building now internal libffmpegsumo.so based on the standard
  chromium ffmpeg codecs

-------------------------------------------------------------------
Tue Nov 6 18:42:46 UTC 2012 - tittiatcoke@gmail.com

- Update to 25.0.1319
  * No further indications in the Changelog

-------------------------------------------------------------------
Fri Oct 26 08:58:02 UTC 2012 - tittiatcoke@gmail.com

- Update to 24.0.1308
  * Updated V8 - 3.14.5.0
  * Bookmarks are now searched by their title while typing into the
    omnibox with matching bookmarks being shown in the autocomplete
    suggestions pop-down list. Matching is done by prefix.
  * Fixed chromium issues 155871, 154173, 155133.

-------------------------------------------------------------------
Tue Oct 16 12:41:55 UTC 2012 - coolo@suse.com

- add explicit buildrequire on libbz2-devel

-------------------------------------------------------------------
Sun Oct 7 11:28:56 UTC 2012 - tittiatcoke@gmail.com

- Update to 24.0.1290
  * No further indications in the ChangeLog.

-------------------------------------------------------------------
Sun Sep 30 09:38:06 UTC 2012 - tittiatcoke@gmail.com

- Update to 24.0.1283
  * Security Fixes (bnc#782257)
    - High CVE-2012-2889: UXSS in frame handling
    - High CVE-2012-2886: UXSS in v8 bindings.
    - High CVE-2012-2881: DOM tree corruption with plug-ins.
    - High CVE-2012-2876: Buffer overflow in SSE2 optimizations.
    - High CVE-2012-2883: Out-of-bounds write in Skia.
    - High CVE-2012-2887: Use-after-free in onclick handling.
    - High CVE-2012-2888: Use-after-free in SVG text references.
    - High CVE-2012-2894: Crash in graphics context handling.
    - High CVE-2012-2896: Integer overflow in WebGL.
    - Medium CVE-2012-2877: Browser crash with extensions and modal
      dialogs
    - Low CVE-2012-2879: DOM topology corruption.
    - Medium CVE-2012-2884: Out-of-bounds read in Skia.
    - High CVE-2012-2874: Out-of-bounds write in Skia.
    - High CVE-2012-2878: Use-after-free in plug-in handling.
    - Medium CVE-2012-2880: Race condition in plug-in paint buffer.
    - High CVE-2012-2882: Wild pointer in OGG container handling.
    - Medium CVE-2012-2885: Possible double free on exit.
    - Low CVE-2012-2891: Address leak over IPC.
    - Low CVE-2012-2892: Pop-up block bypass.
    - High CVE-2012-2893: Double free in XSL transforms.

-------------------------------------------------------------------
Sat Sep 15 06:27:56 UTC 2012 - tittiatcoke@gmail.com

- Update to 23.0.1268
  * Updated V8 - 3.13.6.0
  * Updated WebKit - 537.10
  * Make the new sandbox more robust when denying socket calls.
  * Fix crashes (Issues 142388 and 146606)

-------------------------------------------------------------------
Fri Sep 7 15:49:57 UTC 2012 - tittiatcoke@gmail.com

- Update to 23.0.1259
  * No further indications in the ChangeLog.

-------------------------------------------------------------------
Sun Sep 2 14:31:22 UTC 2012 - tittiatcoke@gmail.com

- Update to 23.0.1255
  * Security Fixes (bnc#778005):
    - Medium CVE-2012-2865: Out-of-bounds read in line breaking.
    - High CVE-2012-2866: Bad cast with run-ins.
    - Low CVE-2012-2867: Browser crash with SPDY.
    - Medium CVE-2012-2868: Race condition with workers and XHR.
    - High CVE-2012-2869: Avoid stale buffer in URL loading.
    - Low CVE-2012-2870: Lower severity memory management issues in
      XPath.
    - High CVE-2012-2871: Bad cast in XSL transforms.
    - Medium CVE-2012-2872: XSS in SSL interstitial.

-------------------------------------------------------------------
Wed Aug 29 19:19:31 UTC 2012 - tittiatcoke@gmail.com

- Update to 23.0.1249
  * No longer building with system libraries. This caused issues with
    high CPU utilization and a blank homescreen. Now the in-source
    libraries are used.

-------------------------------------------------------------------
Sun Aug 19 08:32:45 UTC 2012 - tittiatcoke@gmail.com

- Update to 23.0.1240
  * Duplex Printing defaults to Yes, which prints extra pages even for
    a 1 page print out (Issue 138312).
  * Print preview takes forever on Win XP (issue: 140044)
  * Anti-DDoS inversion of logic (Issues: 141643, 141081)
  * Projectmanager.com application causes Flash to hang
    (Issue: 141018)
  * An additional scroll bar appears at the right on many sites
    (issue: 140239)
  * Setting and unsetting display:none obliterates current scroll
    position (issue: 140101)
- Utilize the patched zlib sources from Chromium in order to build

-------------------------------------------------------------------
Fri Aug 3 15:54:24 UTC 2012 - tittiatcoke@gmail.com

- Update to 22.0.1226
  * Security Fixes (bnc#770821):
    CVE-2012-2843: Use-after-free in layout height tracking
    CVE-2012-2842: Use-after-free in counter handling

-------------------------------------------------------------------
Mon Jul 30 13:21:27 UTC 2012 - aj@suse.de

- Fix build with glibc 2.16 (struct siginfo is not exported anymore).

-------------------------------------------------------------------
Sun Jul 29 13:32:21 UTC 2012 - tittiatcoke@gmail.com

- Update to 22.0.1221
  * Several crash fixes (Issues: 131310, 134574)
  * Can't press Enter to save to PDF (Issue: 137690)

-------------------------------------------------------------------
Wed Jul 25 14:17:53 UTC 2012 - tittiatcoke@gmail.com

- Update to 22.0.1218
  * New Connection Manager
  * New Print UI.
  * No further indications in the ChangeLog.

-------------------------------------------------------------------
Sun Jul 8 13:10:48 UTC 2012 - tittiatcoke@gmail.com

- Update to 22.0.1201
  * No further indications in the ChangeLog.
- exclude ppc and ppc64. There is no v8 for ppc.
  (Update from dvaleev@suse.com)

-------------------------------------------------------------------
Fri Jun 29 08:52:58 UTC 2012 - tittiatcoke@gmail.com

- Update to 22.0.1190
  * Security Fixes:
  * CVE-2012-2815: Leak of iframe fragment id
  * CVE-2012-2816: Prevent sandboxed processes interfering with each
    other
  * CVE-2012-2817: Use-after-free in table section handling
  * CVE-2012-2818: Use-after-free in counter layout
  * CVE-2012-2819: Crash in texture handling
  * CVE-2012-2820: Out-of-bounds read in SVG filter handling
  * CVE-2012-2821: Autofill display problem
  * CVE-2012-2823: Use-after-free in SVG resource handling
  * CVE-2012-2826: Out-of-bounds read in texture conversion
  * CVE-2012-2829: Use-after-free in first-letter handling
  * CVE-2012-2830: Wild pointer in array value setting
  * CVE-2012-2831: Use-after-free in SVG reference handling
  * CVE-2012-2834: Integer overflow in Matroska container
  * CVE-2012-2825: Wild read in XSL handling
  * CVE-2012-2807: Integer overflows in libxml
  * Fix update-alternatives within the spec-file

-------------------------------------------------------------------
Thu Jun 21 12:20:28 UTC 2012 - tittiatcoke@gmail.com

- Update to 22.0.1183
  * Content settings for Cookies now also show protected storage
    granted to hosted apps
  * Chromoting client plugin correctly up-scales on when page-zoom is
    >100%.

-------------------------------------------------------------------
Tue Jun 19 13:06:52 UTC 2012 - tittiatcoke@gmail.com

- Update to 21.0.1181
  * Bugfixes.
  * Remove obsolete patch
  * Do not execute update-alternatives when building

-------------------------------------------------------------------
Fri Jun 15 12:19:24 UTC 2012 - coolo@suse.com

- fix update-alternative usage to fix build

-------------------------------------------------------------------
Thu May 31 08:27:09 UTC 2012 - tittiatcoke@gmail.com

- Update to 21.0.1158
  * Bugfixes
  * Gamepad API prototype http://www.w3.org/TR/gamepad/ available by
    default.
  * TLS 1.1 is enabled by default.

-------------------------------------------------------------------
Sun May 20 16:40:03 UTC 2012 - tittiatcoke@gmail.com

- Update to 21.0.1145
  * Fixed several issues around audio not playing with videos
  * Crash Fixes
  * Improvements to trackpad on Cr-48
  * Security Fixes (bnc#762481)
    - CVE-2011-3083: Browser crash with video + FTP
    - CVE-2011-3084: Load links from internal pages in their own
      process.
    - CVE-2011-3085: UI corruption with long autofilled values
    - CVE-2011-3086: Use-after-free with style element.
    - CVE-2011-3087: Incorrect window navigation
    - CVE-2011-3088: Out-of-bounds read in hairline drawing
    - CVE-2011-3089: Use-after-free in table handling.
    - CVE-2011-3090: Race condition with workers.
    - CVE-2011-3091: Use-after-free with indexed DB
    - CVE-2011-3092: Invalid write in v8 regex
    - CVE-2011-3093: Out-of-bounds read in glyph handling
    - CVE-2011-3094: Out-of-bounds read in Tibetan handling
    - CVE-2011-3095: Out-of-bounds write in OGG container.
    - CVE-2011-3096: Use-after-free in GTK omnibox handling.
    - CVE-2011-3098: Bad search path for Windows Media Player plug-in
    - CVE-2011-3100: Out-of-bounds read drawing dash paths.
    - CVE-2011-3101: Work around Linux Nvidia driver bug
    - CVE-2011-3102: Off-by-one out-of-bounds write in libxml.

-------------------------------------------------------------------
Sun May 13 19:53:59 UTC 2012 - tittiatcoke@gmail.com

- Update to 21.0.1137
  * Fixes crashes when manually typing in URLs

-------------------------------------------------------------------
Fri May 11 14:22:22 UTC 2012 - tittiatcoke@gmail.com

- Update to 21.0.1135.0
  * Added patch for Sqlite which should resolve crashes when built
    with GCC 4.7
  * Fixes for rendering and stability
  * Fixed about:inducebrowsercrashforrealz (Issue: 124843)
  * Mouse over on apps/extensions makes place holder blank in web
    store. (Issue: 125777)
  * Security Fixes (bnc#760264):
    - CVE-2011-3078: Use after free in floats handling.
    - CVE-2012-1521: Use after free in xml parser.
    - CVE-2011-3079: IPC validation failure.
    - CVE-2011-3080: Race condition in sandbox IPC
    - CVE-2011-3081: Use after free in floats handling.

-------------------------------------------------------------------
Sun Apr 29 15:38:00 UTC 2012 - tittiatcoke@gmail.com

- Update to 20.0.1123.0

-------------------------------------------------------------------
Fri Apr 27 09:54:43 UTC 2012 - tittiatcoke@gmail.com

- Update to 20.0.1119.0
  Fixes
- Adjust spec-file to include two new resource files that are required
  for the UI. (bnc#759381)

-------------------------------------------------------------------
Wed Apr 25 11:32:07 UTC 2012 - tittiatcoke@gmail.com

- Update to 20.0.1116.0
  * Fixes and update to newer v8 version

-------------------------------------------------------------------
Thu Apr 19 09:12:44 UTC 2012 - tittiatcoke@gmail.com

- Added the ChromeDriver as a separate package. Normal users will not
  require this as it is a standalone server for testing web browsers

-------------------------------------------------------------------
Tue Apr 17 13:53:49 UTC 2012 - tittiatcoke@gmail.com

- Update to 20.0.1106.0
  * Fixes issues with fonts (Issue: 108645).
  * Enable the Chrome To Mobile page action for users with compatible
    registered devices
  * file: downloads allowed again

-------------------------------------------------------------------
Fri Apr 13 09:12:42 UTC 2012 - fcrozat@suse.com

- Use desktop_database macros at install time.

-------------------------------------------------------------------
Fri Apr 6 14:32:07 UTC 2012 - tittiatcoke@gmail.com

- Update to 20.0.1094.0
  Fixes:
  * Other Devices menu shows last update time for other sessions, and
    allows sessions to be hidden using a context menu.
  * Fix sync issue with sessions (open tabs) triggering an
    unrecoverable error.
  * Fixed Sync/Apps: NTP apps icons missing after sync.
    [Issue: 117857]
  * Fixed bookmarks drag-n-drop in Bookmark Manager.
    [Issue: 118715]
  Security Fixes:
  * Medium CVE-2011-3066: Out-of-bounds read in Skia clipping.
  * Medium CVE-2011-3067: Cross-origin iframe replacement.
  * High CVE-2011-3068: Use-after-free in run-in handling.
  * High CVE-2011-3069: Use-after-free in line box handling.
  * High CVE-2011-3070: Use-after-free in v8 bindings.
  * High CVE-2011-3071: Use-after-free in HTMLMediaElement.
  * Low CVE-2011-3072: Cross-origin violation parenting pop-up window.
  * High CVE-2011-3073: Use-after-free in SVG resource handling.
  * Medium CVE-2011-3074: Use-after-free in media handling.
  * High CVE-2011-3075: Use-after-free applying style command.
  * High CVE-2011-3076: Use-after-free in focus handling.
  * Medium CVE-2011-3077: Read-after-free in script bindings.

-------------------------------------------------------------------
Tue Apr 3 06:51:49 UTC 2012 - tittiatcoke@gmail.com

- Update to 20.0.1090
  Fixes:
  * Fixed issue cannot add GMail app to Chrome. [Issue: 119975]
  * Fixed theme and bookmarks bar notifications. [Issue: 117027]
  * Fixed popup prompting permission for flash plugin.
    [Issue: 120358]
  Security Fixes:
  * Medium CVE-2011-3058: Bad interaction possibly leading to XSS in
    EUC-JP.
  * Medium CVE-2011-3059: Out-of-bounds read in SVG text handling.
  * Medium CVE-2011-3060: Out-of-bounds read in text fragment
    handling.
  * Medium CVE-2011-3061: SPDY proxy certificate checking error.
  * High CVE-2011-3062: Off-by-one in OpenType Sanitizer.
  * Low CVE-2011-3063: Validate navigation requests from the renderer
    more carefully.
  * High CVE-2011-3064: Use-after-free in SVG clipping.
  * High CVE-2011-3065: Memory corruption in Skia.
  * Medium CVE-2011-3057: Invalid read in v8.

-------------------------------------------------------------------
Sat Mar 24 06:40:10 UTC 2012 - tittiatcoke@gmail.com

- Update to 19.0.1079
  Security Fixes (bnc#754456):
  * High CVE-2011-3050: Use-after-free with first-letter handling
  * High CVE-2011-3045: libpng integer issue from upstream
  * High CVE-2011-3051: Use-after-free in CSS cross-fade handling
  * High CVE-2011-3052: Memory corruption in WebGL canvas handling
  * High CVE-2011-3053: Use-after-free in block splitting
  * Low CVE-2011-3054: Apply additional isolations to webui privileges
  * Low CVE-2011-3055: Prompt in the browser native UI for unpacked
    extension installation
  * High CVE-2011-3056: Cross-origin violation with “magic iframe”.
  * Low CVE-2011-3049: Extension web request API can interfere with
    system requests
  Other Fixes:
  * The short-cut key for caps lock (Shift + Search) is disabled when
    an accessibility screen reader is enabled
  * Fixes an issue with files not being displayed in File Manager when
    some file names contain UTF-8 characters (generally accented
    characters)
  * Fixed dialog boxes in settings. (Issue: 118031)
  * Fixed flash videos turning white on mac when running with
    --disable-composited-core-animation-plugins (Issue: 117916)
  * Change to look for correctly sized favicon when multiple images
    are provided. (Issue: 118275)
  * Fixed issues - 116044, 117470, 117068, 117668, 118620

-------------------------------------------------------------------
Wed Mar 21 12:36:42 UTC 2012 - tittiatcoke@gmail.com

- Update to 19.0.1077

-------------------------------------------------------------------
Sun Mar 18 17:35:02 UTC 2012 - tittiatcoke@gmail.com

- Update to 19.0.1074
- Build Chromium on openSUSE > 12.1 with the gold linker
- Fix build issues with GCC 4.7

-------------------------------------------------------------------
Thu Mar 15 12:51:21 UTC 2012 - tittiatcoke@gmail.com

- Update to 19.0.1071
  * Several fixes and improvements in the new Settings, Extensions,
    and Help pages.
  * Fixed the flashing when switched between composited and
    non-composited mode. [Issue: 116603]
  * Fixed stability issues 116913, 117217, 117347, 117081

-------------------------------------------------------------------
Sun Mar 11 08:01:15 UTC 2012 - tittiatcoke@gmail.com

- Update to 19.0.1066
  * Fixed Chrome install/update resets Google search preferences
    (Issue: 105390)
  * Don't trigger accelerated compositing on 3D CSS when using
    swiftshader (Issue: 116401)
  * Fixed a GPU crash (Issue: 116096)
  * More fixes for Back button frequently hangs (Issue: 93427)
  * Bastion now works (Issue: 116285)
  * Fixed Composited layer sorting irregularity with accelerated
    canvas (Issue: 102943)
  * Fixed Composited layer sorting irregularity with accelerated
    canvas (Issue: 102943)
  * Fixed Google Feedback causes render process to use too much memory
    (Issue: 114489)
  * Fixed after upgrade, some pages are rendered as blank
    (Issue: 109888)
  * Fixed Pasting text into a single-line text field shouldn't keep
    literal newlines (Issue: 106551)
- Security Fixes:
  * Critical CVE-2011-3047: Errant plug-in load and GPU process memory
    corruption
  * Critical CVE-2011-3046: UXSS and bad history navigation.

-------------------------------------------------------------------
Mon Mar 5 20:53:06 UTC 2012 - vdziewiecki@suse.com

- add Provides: browser(npapi) FATE#313084

-------------------------------------------------------------------
Sat Mar 3 16:55:15 UTC 2012 - tittiatcoke@gmail.com

- Update to 19.0.1060
  * Fixed NTP signed in state is missing (Issue: 112676)
  * Fixed gmail seems to redraw itself (all white) occasionally
    (Issue: 111263)
  * Focus "OK" button on Javascript dialogs (Issue: 111015)
  * Fixed Back button frequently hangs (Issue: 93427)
  * Increase the buffer size to fix muted playback rate
    (Issue: 108239)
  * Fixed Empty span with line-height renders with non-zero height
    (Issue: 109811)
  * Marked the Certum Trusted Network CA as an issuer of
    extended-validation (EV) certificates.
  * Fixed importing of bookmarks, history, etc. from Firefox 10+.
  * Fixed issues - 114001, 110785, 114168, 114598, 111663, 113636,
    112676
  * Fixed several crashes (Issues: 111376, 108688, 114391)
  * Fixed Firefox browser in Import Bookmarks and Settings drop-down
    (Issue: 114476)
  * Sync: Sessions aren't associating pre-existing tabs
    (Issue: 113319)
  * Fixed All "Extensions" make an entry under the "NTP Apps" page
    (Issue: 113672)
  + Security Fixes (bnc#750407):
    * High CVE-2011-3031: Use-after-free in v8 element wrapper.
    * High CVE-2011-3032: Use-after-free in SVG value handling.
    * High CVE-2011-3033: Buffer overflow in the Skia drawing library.
    * High CVE-2011-3034: Use-after-free in SVG document handling.
    * High CVE-2011-3035: Use-after-free in SVG use handling.
    * High CVE-2011-3036: Bad cast in line box handling.
    * High CVE-2011-3037: Bad casts in anonymous block splitting.
    * High CVE-2011-3038: Use-after-free in multi-column handling.
    * High CVE-2011-3039: Use-after-free in quote handling.
    * High CVE-2011-3040: Out-of-bounds read in text handling.
    * High CVE-2011-3041: Use-after-free in class attribute handling.
    * High CVE-2011-3042: Use-after-free in table section handling.
    * High CVE-2011-3043: Use-after-free in flexbox with floats.
    * High CVE-2011-3044: Use-after-free with SVG animation elements.
- Remove the external ffmpeg headers and start using the ones
  delivered with Chromium. Changes to Chromium are no longer in line
  with any ffmpeg version :-(. So we can only use the Chromium ffmpeg
  headers.

-------------------------------------------------------------------
Mon Feb 20 14:39:23 UTC 2012 - tittiatcoke@gmail.com

- Update to 19.0.1046
  * Security updates
    + CVE-2011-3015: Integer overflows in PDF codecs.
    + CVE-2011-3016: Read-after-free with counter nodes.
    + CVE-2011-3017: Possible use-after-free in database handling.
    + CVE-2011-3018: Heap overflow in path rendering.
    + CVE-2011-3019: Heap buffer overflow in MKV handling.
    + CVE-2011-3020: Native client validator error.
    + CVE-2011-3021: Use-after-free in subframe loading.
    + CVE-2011-3022: Inappropriate use of http for translation script.
    + CVE-2011-3023: Use-after-free with drag and drop.
    + CVE-2011-3024: Browser crash with empty x509 certificate.
    + CVE-2011-3025: Out-of-bounds read in h.264 parsing.
    + CVE-2011-3026: Integer overflow / truncation in libpng.
    + CVE-2011-3027: Bad cast in column handling.

-------------------------------------------------------------------
Wed Feb 15 07:40:59 UTC 2012 - tittiatcoke@gmail.com

- Update to 19.0.1042
  * Make speech input bubble borders close with the bubble
    [Issue: 112194]
  * Fixed stability issues [Issues: 113531, 113492, 113654, 113546,
    113847, 114011]
  * Use Google’s online spellchecker to identify misspelled words as
    well as provide suggestions, for pasted text only.
  * Fix: open incognito windows at exit created extra normal windows
    when the session was restored
  * When translating a page, get the code and translation via HTTPS

-------------------------------------------------------------------
Fri Feb 10 05:36:56 UTC 2012 - tittiatcoke@gmail.com

- Update to 19.0.1037
  * Fix crashing timing bug where panel animates after it's closed
    (issue#111120)
  * Remove patch to build with newer glib version. This was merged
    upstream
  * Added option to disable building with gold for x86_64. Used linker
    option "--icf=none" is not supported yet.

-------------------------------------------------------------------
Mon Feb 6 10:45:25 UTC 2012 - tittiatcoke@gmail.com

- Update to 19.0.1031
  * Block plugins for platform apps
    To block plugins a new content settings has been added, with the
    highest priority (i.e. at the front of the list). This could be
    used down the track to hang off more platform app specific stuff.
  * Remove unconditional -msse3 -mssse3 CFLAGS from media.gyp
    (issue#107532)
  * Refactoring of Settings page
  * Other bugfixes
  * Security Fixes:
    CVE-2011-3953: Avoid clipboard monitoring after paste event.
    CVE-2011-3954: Crash with excessive database usage.
    CVE-2011-3955: Crash aborting an IndexDB transaction
    CVE-2011-3956: Incorrect handling of sandboxed origins inside extensions
    CVE-2011-3957: Use-after-free in PDF garbage collection
    CVE-2011-3958: Bad casts with column spans
    CVE-2011-3959: Buffer overflow in locale handling
    CVE-2011-3960: Out-of-bounds read in audio decoding
    CVE-2011-3961: Race condition after crash of utility process
    CVE-2011-3962: Out-of-bounds read in path clipping
    CVE-2011-3963: Out-of-bounds read in PDF fax image handling
    CVE-2011-3964: URL bar confusion after drag + drop
    CVE-2011-3965: Crash in signature check
    CVE-2011-3966: Use-after-free in stylesheet error handling
    CVE-2011-3967: Crash with unusual certificate.
    CVE-2011-3968: Use-after-free in CSS handling
    CVE-2011-3969: Use-after-free in SVG layout.
    CVE-2011-3970: Out-of-bounds read in libxslt
    CVE-2011-3971: Use-after-free with mousemove events
    CVE-2011-3972: Out-of-bounds read in shader translator

-------------------------------------------------------------------
Sun Jan 29 21:11:37 UTC 2012 - tittiatcoke@gmail.com

- Update to 18.0.1022
  * Security fixes (bnc#743319)
    + CVE-2011-3924 Use-after-free vulnerability
    + CVE-2011-3925 Use-after-free vulnerability
    + CVE-2011-3926 Heap-based buffer overflow in the tree builder
    + CVE-2011-3927 Skia does not perform all required initialization of
      values
    + CVE-2011-3928 Use-after-free vulnerability
  * Compile the chrome_sandbox binary with -fPIE flags

-------------------------------------------------------------------
Mon Jan 23 09:44:42 UTC 2012 - tittiatcoke@gmail.com

- Update to 18.0.1017
  * Security Issues fixed (bnc#740493)
    + CVE-2011-3921 Use-after-free in animation frames
    + CVE-2011-3919 Heap-buffer-overflow in libxml
    + CVE-2011-3922 Stack-buffer-overflow in glyph handling

-------------------------------------------------------------------
Sat Dec 31 22:29:20 UTC 2011 - tittiatcoke@gmail.com

- Update to 18.0.992
  * Delay some extension startup until after first run import.
    (issue 108286)
  * Add function support for Sleep with TimeDelta input. (issue 108171)
  * Make webstore installs work when the Downloads folder is missing.
    (issue 108812)
  * Disable GL_EXT_texture_storage support in Linux. (issue 107782)

-------------------------------------------------------------------
Wed Dec 28 12:00:11 UTC 2011 - tittiatcoke@gmail.com

- Update to 18.0.985
  + Webkit layout:
    * Suppress a leak in http/tests/appcache/reload.html (issue 108621)
    * Suppress a leak in xmlhttprequest/workers/referer.html (issue 108622)
    * Extend the suppression for uninit value in
      fast/forms/input-text-paste-maxlength.html (issue 106183)
    * Suppress memory leaks in fast/files/workers/worker-read-blob-async.html
      (issue 108624)
    * Suppress a leak in websocket/tests/hybi/workers/receive-arraybuffer.html
      (issue 108627)
    * Suppress a leak in http/tests/xmlhttprequest/workers/methods-async.html
      (issue 108628)
  + Set opaque on the WebMediaPlayerClient based on the decoder

-------------------------------------------------------------------
Mon Dec 19 06:41:16 UTC 2011 - tittiatcoke@gmail.com

- Update to 18.0.975
  + Updating extensions code to use UTF16. (issue#71980)
  + Assign F5 to cycle forward (issue#107417)
  + [Sync] Add NOTREACHED for empty passphrase (issue#104189)
  + Add libudev as build-dependency (issue#79050)
  + Enable mnemonic and bookmark folder key activation on menu
    (issue#107869)
- Removed conflict with xine-browser-plugins.

-------------------------------------------------------------------
Wed Dec 14 10:25:20 UTC 2011 - tittiatcoke@gmail.com

- Update to 18.0.972
  * Security issues fixed: (bnc#736716)
    + CVE-2011-3903: Out-of-bounds read in regex matching.
    + CVE-2011-3905: Out-of-bounds reads in libxml.
    + CVE-2011-3906: Out-of-bounds read in PDF parser.
    + CVE-2011-3907: URL bar spoofing with view-source.
    + CVE-2011-3908: Out-of-bounds read in SVG parsing.
    + CVE-2011-3909: [64-bit only] Memory corruption in CSS property array.
    + CVE-2011-3910: Out-of-bounds read in YUV video frame handling.
    + CVE-2011-3911: Out-of-bounds read in PDF.
    + CVE-2011-3912: Use-after-free in SVG filters.
    + CVE-2011-3914: Out-of-bounds write in v8 i18n handling
    + CVE-2011-3915: Buffer overflow in PDF font handling.
    + CVE-2011-3916: Out-of-bounds reads in PDF cross references.
    + CVE-2011-3917: Stack-buffer-overflow in FileWatcher.
    + CVE-2011-3904: Use-after-free in bidi handling.
  * No longer build against the system libjpeg, but build against the
    libjpeg that comes with Chromium to prevent graphics issues
  * Chromium for openSUSE:Factory now builds against libjpeg8
  * Removed explicit -fPIC from the C-flags

-------------------------------------------------------------------
Sat Dec 10 18:51:39 UTC 2011 - tittiatcoke@gmail.com

- Update to 18.0.968
  + Print preview: Disable the right context menu items in print preview.
    (issue#106876,#106915)
  + Fix page zoom for plug-in documents (PDF, etc.) (issue#106013,#106228)
  + ntp: track number of times a user switches pages in a single session
    (issue#106575)
  + <video> decode in hardware! (issue#104579)
  + New tab button icons (issue#100775)
  + Profile/user menu on NTP should look more clickable? (issue#102685)
- Enable the build of the Native Client (NaCl)

-------------------------------------------------------------------
Thu Dec 1 12:11:40 UTC 2011 - idoenmez@suse.de

- Support ISO_8859-X as an alias to ISO-8859-X

-------------------------------------------------------------------
Sun Nov 27 09:50:23 UTC 2011 - tittiatcoke@gmail.com

- Update to 17.0.952
  + Message receiver on browser side that holds/starts the gamepad data
    provider (issue#79050)
  + WebSocket Pepper API: in process API implementation (issue#87310)
  + Clean up plug-in placeholders (issue#62079)
  + Schedule idle handler in the foreground tab based on CPU usage and
    user activity

-------------------------------------------------------------------
Sun Nov 27 08:51:17 UTC 2011 - tittiatcoke@gmail.com

- Remove the media-probe.patch. This has one regression and that videos
  are no longer played through chromium if the chromium-ffmpeg package
  from packman is not installed. However removing this patch enabled
  support for all video formats if the chromium-ffmpeg package has been
  installed.

-------------------------------------------------------------------
Sun Nov 20 12:27:43 UTC 2011 - tittiatcoke@gmail.com

- Update to 17.0.945
  + Defer construction of NotificationUIManager to fix notification
    initialization. (bug#103427)
  + Ignore button mouse enter for new tab button (bug#104326)
  + History/Downloads:
    - Adding button and checkbox css to history and downloads.
    - Tweaked checkbox styles for history.

-------------------------------------------------------------------
Sun Nov 13 09:35:03 UTC 2011 - tittiatcoke@gmail.com

- Update to 17.0.937
  + Make it so that turning off sync for extensions in the preferences UI
    also turns off sync for extension settings, ditto for apps and app
    settings (bug#98488)
  + Cleanup: Remove unneeded forward declarations from
    chrome/browser/ui/webui.
  + fix appearance of buttons in chrome://settings
  + Report correct error when connection cannot be established (bug#103937)
  + Temporarily disables XI2 for aura until events are straightened out.
    (bug#103981)
  + Make chrome communicate with gpsd through libgps/shared memory
    (bug#103751)
  + Don't close tabs from crashed extensions with background pages. Make
    the crashed extension reload when the sad tab is reloaded.
    (bug#71629,bug#94177)

-------------------------------------------------------------------
Sun Oct 30 08:10:13 UTC 2011 - tittiatcoke@gmail.com

- Update to 17.0.922
  + Use the new ChromeV8ContextSet in
    ExtensionProcessBindings::StartRequestCommon()
  + Suppress failure for downloads.DownloadsTest.testPauseAndResume, as it
    is failing sporadically on pyauto win vista, and cause is not
    understood. (bug#102228)
  + Fix a crash in FullscreenExitBubbleController when the user clicks the
    "Exit full screen" button. (bug#101835)
  + Close all panels originated by the extension when extension unloads.
    (bug#101118)
  + Fix history importing by delaying DownloadManager creation. (bug#98966)
  + aura: Draw persistent borders around browser windows. (bug#101977)
  + aura: brightness and volume bubble (bug#98322)
  + Associate the instant label text with a specific checkbox. (bug#101930)
  + GTK: More profiling of the rendering path. (bug#100803)
  + Convert the non-debug logging in chrome/common to debug logging.
  + Add code to prompt for browser login during app notification setup
    (bug#98145)
  + GTK: Constrain the clip area on tabstrip draws. (bug#100803)
  + Fully enable about:tracking by default (controlled by the flag:
    "--enable-tracking" and the default is always on.)

-------------------------------------------------------------------
Sun Oct 23 07:17:06 UTC 2011 - tittiatcoke@gmail.com

- Update to 17.0.917
  + Convert the Flash interfaces to no longer use GetInfo
  + Now does not sync URLs that only have imported visits
  + Print Preview fixes
  + Use WebCompositor only when --enable-threaded-compositing
  + Enable privileged WebGL extensions for Chrome extensions.
  + Implement sync data type controller and UI for syncing notifications:
  + Improve audio underflow handling.
  + Improve extension settings accessibility.
  + Other bugfixes
- Remove patch19 for system zlib adjustments as this is no longer required

-------------------------------------------------------------------
Sun Oct 16 11:21:52 UTC 2011 - tittiatcoke@gmail.com

- Update to 16.0.910
  + Delay network requests on startup if any webRequest or webNavigation
    extensions are enabled.
  + Make escape exit tabbed fullscreen mode even if browser was in
    fullscreen mode before. (bug#89208)
  + [Sync] Support open tabs experiment enabling before sync setup
    completion. (bug#99403)
  + On Linux, turn off panels when there is no window manager present.
    (bug#100381)
  + Linux: add the "other bookmarks" folder to the new bookmark menu.
    (bug#81263)
  + Add google search app to list of apps installed by default. (bug#94920)
  + PrintPreview: Added code to honor the grayscale color model
  + Linux: add basic bookmark menu support. More features can be added
    later. Currently, only supports ctrl-click/middle click to open in a
    new tab. It's supposed to be quite fancy and support context menus and
    maybe other gestures as well; these are not yet supported. (bug#81263)

-------------------------------------------------------------------
Sun Oct 9 06:57:29 UTC 2011 - tittiatcoke@gmail.com

- Update to 16.0.904
  + aura: Implement cursor support on linux
  + Add --enable-video-track commandline flag for enabling <track>
    (otherwise disabled by default)
  + [Sync UI] When signed in, choosing the sync wrench menu item should
    navigate to personal options
  + Fix UI quirks when doing a history navigation to a slow page (bug#94747)
  + Auto-login UI polish. (bug#98873)
  + Fixed the gtk menu race (bug#88473)

-------------------------------------------------------------------
Sun Oct 2 07:37:15 UTC 2011 - tittiatcoke@gmail.com

- Update to 16.0.898
  + Move webNavigation out of experimental (bug#60100)
  + Rework BrightnessLibrary using DBusThreadManager
  + Remove google search experiment
  + Only allow to lock the mouse when the tab is in fullscreen mode
    (bug#41781)
  + Expose connection error code to the web app (bug#91402)
  + Make the license tools recognize the dual license (bug#98116)
  + Don't immediately fill saved passwords in Incognito mode
  + Ensure that --disable-extensions disables extension prefs from being
    enacted
  + Removing mfplayer and mfdecoder tools

-------------------------------------------------------------------
Sun Sep 25 09:00:41 UTC 2011 - tittiatcoke@gmail.com

- Make "Set as default browser" work
- Update to 16.0.891
  + Prefer curl over wget on linux if installed.
  + Printing: Fix Linux print dialog code when there are no printers
    installed.
  + Do not initialize V8 in browser process.
  + Suppress race in URLRequestHttpJob/HttpNetworkTransaction
  + Profile shouldn't own PersonalDataManager
  + Remove the old chrome://extensions page, since the URL now redirects
    to the new Settings page.
  + fix disappearing bookmark star on linux/gtk
  + Fix display of "Last Synced as..." in Personal Stuff.
  + FTP: fixed compatibility with servers which send 451 response for CWD
    command.

-------------------------------------------------------------------
Thu Sep 22 09:53:18 UTC 2011 - prusnak@opensuse.org

- add versions to some dependencies of subpackages

-------------------------------------------------------------------
Tue Sep 20 16:14:30 UTC 2011 - tittiatcoke@gmail.com

- Added permissions-patch so that the suid-helper will also work on
  distro versions equal to 11.4.
- Moved the no-sandbox check to the browser start-up script so that the
  enabling of the sandbox is done at runtime (bnc#718016)

-------------------------------------------------------------------
Wed Sep 14 11:30:06 UTC 2011 - tittiatcoke@gmail.com

- Update to 16.0.880
  + Print preview issues with self-closing popups have been fixed
  + Fixed many known stability issues.
  + Change chrome://crash (sad tab page) "Learn more" link to: "If you're
    seeing this frequently, try these suggestions." Link "these
    suggestions" to the "Learn more" help article.
  + Convert chrome://extensions to a settings page within the options
    pages.
  + Beginnings of basic Focus and Key Events.
  + various bugfixes

-------------------------------------------------------------------
Sun Sep 3 17:39:50 UTC 2011 - tittiatcoke@gmail.com

- Update to 15.0.870
  + Fix the print preview regression bug
  + Enable low-latency audio by default
  + Add Indic IME support
  + Switch the native print path on Linux and ChromeOS to use Skia instead
    of Cairo
  + Use 16x16 icons so they don't stretch
  + Turn client-side phishing detection on for non-UMA users
  + Fix a crash on Linux which occurs during drag drop operations in the
    renderer
  + various bugfixes

-------------------------------------------------------------------
Wed Aug 24 17:53:51 UTC 2011 - tittiatcoke@gmail.com

- Update to 15.0.862
  + Fix pyauto autofill flakiness when submitting profile info via webpage
    forms (issues: 90232,89784)
  + Get rid of static TabContentsView::Create function since the interface
    is in content, but the implementations are in chrome. (issue: 76697)
  + Suppress another race with KURLGooglePrivate + Workers. (issue 93708)
  + Add a new content settings type AUTO-SELECT-CERTIFICATE. The default
    value of the new content settings type AUTO-SELECT-CERTIFICATE is
    CONTENT_SETTING_ASK
  + Add a policy for whitelisting origins for which client certificates
    should be auto selected.
  + Add a policy to set a default setting for the auto select certificates
    setting.

-------------------------------------------------------------------
Mon Aug 22 16:32:16 UTC 2011 - tittiatcoke@gmail.com

- Update to 15.0.860

-------------------------------------------------------------------
Sat Aug 20 20:47:53 UTC 2011 - tittiatcoke@gmail.com

- Update to 15.0.859

-------------------------------------------------------------------
Fri Aug 19 05:55:51 UTC 2011 - tittiatcoke@gmail.com

- Update to 15.0.857
  + Issue with the close tab button is fixed.

-------------------------------------------------------------------
Tue Aug 16 09:14:32 UTC 2011 - tittiatcoke@gmail.com

- Update to 15.0.854
- Enable build of sandbox client as this is now mandatory

-------------------------------------------------------------------
Sun Aug 7 09:13:32 UTC 2011 - tittiatcoke@gmail.com

- Introduce an option to switch the password store for Chromium in a
  friendlier way, by using the update-alternatives. The user has now the
  option to install a new package (chromium-desktop-kde or
  chromium-desktop-gnome) and based on this the respective password store
  is selected.

-------------------------------------------------------------------
Sat Aug 6 10:09:02 UTC 2011 - tittiatcoke@gmail.com

- Update to 15.0.846

-------------------------------------------------------------------
Sat Jul 30 08:12:51 UTC 2011 - tittiatcoke@gmail.com

- Update to 15.0.839

-------------------------------------------------------------------
Thu Jul 21 17:06:31 UTC 2011 - tittiatcoke@gmail.com

- Update to 14.0.829

-------------------------------------------------------------------
Sun Jul 17 09:15:18 UTC 2011 - tittiatcoke@gmail.com

- Update to 14.0.825

-------------------------------------------------------------------
Tue Jul 12 02:26:20 UTC 2011 - nmarques@opensuse.org

- Fix for bnc#705223:
  + Icons are installed in hicolor instead of oxygen, this ensures
    compatibility with open Desktop standards.
  + Add GTK icon cache update for >= 1140 on %post and %postun.
  + Removed the .png in %{_datadir}/pixmaps as hicolor is a better option.
  + Add hicolor-icon-theme to BuildRequires and Requires.

-------------------------------------------------------------------
Mon Jun 13 11:49:27 UTC 2011 - tittiatcoke@gmail.com

- Update to 14.0.792

-------------------------------------------------------------------
Mon Jun 6 08:47:30 UTC 2011 - tittiatcoke@gmail.com

- Update to 14.0.786

-------------------------------------------------------------------
Sat Jun 4 07:22:05 UTC 2011 - tittiatcoke@gmail.com

- Update to 14.0.785

-------------------------------------------------------------------
Sat May 28 20:05:21 UTC 2011 - tittiatcoke@gmail.com

- Update to 13.0.780

-------------------------------------------------------------------
Wed May 25 13:03:04 UTC 2011 - tittiatcoke@gmail.com

- Update to 13.0.777
  + Builds now based on system library for V8.
  + Removed Shared Library build due to errors. Everything is back into
    one single binary
  + Added patchfile to build with GCC 4.6

-------------------------------------------------------------------
Sun May 15 12:49:33 UTC 2011 - tittiatcoke@gmail.com

- Update to 13.0.767

-------------------------------------------------------------------
Thu Apr 28 17:44:47 UTC 2011 - tittiatcoke@gmail.com

- Update to 13.0.751

-------------------------------------------------------------------
Fri Apr 22 06:23:09 UTC 2011 - tittiatcoke@gmail.com

- Update to 12.0.744

-------------------------------------------------------------------
Mon Apr 18 17:01:00 UTC 2011 - tittiatcoke@gmail.com

- Update to 12.0.741
- Include icon-set for Oxygen. (bnc#684728)

-------------------------------------------------------------------
Fri Apr 8 15:29:13 UTC 2011 - tittiatcoke@gmail.com

- Update to 12.0.731

-------------------------------------------------------------------
Sun Apr 3 15:30:49 UTC 2011 - tittiatcoke@gmail.com

- Update to 12.0.724

-------------------------------------------------------------------
Thu Mar 31 19:28:18 UTC 2011 - tittiatcoke@gmail.com

- Update to 12.0.721

-------------------------------------------------------------------
Mon Mar 28 18:26:22 UTC 2011 - tittiatcoke@gmail.com

- Update to 12.0.718
- Added conflict for xine-browser-plugin

-------------------------------------------------------------------
Wed Mar 16 05:15:44 UTC 2011 - tittiatcoke@gmail.com

- Update to 12.0.705
- Included option to detect the password store in /usr/bin/chromium
  (options there are detect,default,gnome,kwallet)

-------------------------------------------------------------------
Fri Mar 11 08:42:36 UTC 2011 - tittiatcoke@gmail.com

- Update to 12.0.700

-------------------------------------------------------------------
Wed Mar 9 18:45:16 UTC 2011 - tittiatcoke@gmail.com

- Update to 11.0.698

-------------------------------------------------------------------
Fri Mar 4 08:08:57 UTC 2011 - tittiatcoke@gmail.com

- Update to 11.0.691

-------------------------------------------------------------------
Wed Mar 2 18:17:40 UTC 2011 - tittiatcoke@gmail.com

- Update to 11.0.688

-------------------------------------------------------------------
Sun Feb 27 09:05:00 UTC 2011 - tittiatcoke@gmail.com

- Update to 11.0.685

-------------------------------------------------------------------
Sun Feb 27 08:52:51 UTC 2011 - tittiatcoke@gmail.com

- Update to 11.0.683
  * Chromium will now use the internal ICU libraries for all openSUSE
    versions.

-------------------------------------------------------------------
Wed Feb 16 23:45:49 UTC 2011 - tittiatcoke@gmail.com

- Update to 11.0.674

-------------------------------------------------------------------
Tue Feb 15 18:37:51 UTC 2011 - tittiatcoke@gmail.com

- Update to 11.0.673
  * For Factory the internal ICU libraries are used as Chromium does not
    build with the ones provided by Factory

-------------------------------------------------------------------
Wed Jan 19 13:23:13 UTC 2011 - prusnak@opensuse.org

- add more mimetypes to desktop file

-------------------------------------------------------------------
Sat Dec 25 09:40:13 UTC 2010 - rwooninck@opensuse.org

- update to 10.0.622.0

-------------------------------------------------------------------
Mon Oct 25 14:30:33 UTC 2010 - tittiatcoke@gmail.com

- Update to 9.0.564 build
  * Added specific patches for MeeGo.
  * We are now using shared libraries for Chromium
  * Spec-file cleanup (Thanks to prusnak)

-------------------------------------------------------------------
Thu Jul 8 00:13:33 UTC 2010 - cristian.rodriguez@opensuse.org

- use jobs instead of a fixed number of jobs, buildsystem may hang

-------------------------------------------------------------------
Wed Jul 7 20:10:06 UTC 2010 - cristian.rodriguez@opensuse.org

- workaround gcc bug, that produces extremely annoying failure of the
  search bar.

-------------------------------------------------------------------
Mon May 24 01:17:14 UTC 2010 - cristian.rodriguez@opensuse.org

- do not include %{release} in RPM_VERSION that makes the package to
  republish every time to users even if there are no code changes.

-------------------------------------------------------------------
Wed Mar 10 20:10:14 UTC 2010 - bgmerrell@novell.com

- Add master_preferences source file and install it to /etc/chromium.
- Create a new patch (chromium-master-prefs-path.patch) which tells
  chromium to look in /etc/chromium for the master_preferences file
  (instead of looking in the default directory, which is the same
  directory as the 'chrome' binary).

-------------------------------------------------------------------
* Sun Mar 7 00:00:00 UTC 2010 - tititatcoke@gmail.com

- Update to 5.0.347
  + moved back to static binary again.
  + No longer depends on system v8

-------------------------------------------------------------------
* Mon Feb 21 00:00:00 UTC 2010 - tititatcoke@gmail.com

- Update to 5.0.341
  + remove courgette build and sources (patent issue)
  + Move to shared libraries build
  + Depends on system v8 again

-------------------------------------------------------------------
Sun Jan 24 21:42:27 UTC 2010 - prusnak@suse.cz

- added vendor to user agent (chromium-vendor.patch.in)

-------------------------------------------------------------------
Sun Nov 29 14:18:27 UTC 2009 - prusnak@suse.cz

- added --enable-sync to wrapper to enable bookmark sync

-------------------------------------------------------------------
* Sun Nov 29 00:00:00 UTC 2009 - tittiatcoke@gmail.com

- Update to 4.0.260

-------------------------------------------------------------------
* Fri Nov 27 00:00:00 UTC 2009 - tittiatcoke@gmail.com

- Update to 4.0.259

-------------------------------------------------------------------
* Thu Nov 26 00:00:00 UTC 2009 - tittiatcoke@gmail.com

- Update to 4.0.258

-------------------------------------------------------------------
* Tue Nov 24 00:00:00 UTC 2009 - tittatcoke@gmai.com

- In order to completely prevent the wrong v8 version to be used, the
  Chromium build has been changed to having a built-in v8

-------------------------------------------------------------------
* Tue Nov 24 00:00:00 UTC 2009 - dbuck@example.com

- Re-base patches.
- Fixed a few patch errors.
- Rename some patches to better correspond with function.
- Removed some patches.
- Minor SPEC changes.
- I changed the v8 requirement to be exact, instead of greater than a
  specific version.

-------------------------------------------------------------------
Fri Nov 13 20:34:05 UTC 2009 - tittiatcoke@gmail.com

- update to 247.0 svn 31928

-------------------------------------------------------------------
Fri Oct 30 13:58:11 UTC 2009 - tittiatcoke@gmail.com

- update to 229.0 svn 30454
  + Fix regression where popups and app frames lost their titlebars.
  + Makes it so that when a folder is open on the bookmark bar and the
    mouse moves over another folder, the menu for that folder is shown.
  + Lazily create the find bar.
  + Polish to the gmail checker sample.
    * New, crisper icons that are exactly 19x19
    * Add a loading animation at the beginning before Gmail responds.
    * Fix a bug where we sometimes don't update the UI after a
      logout/login cycle.
  + Refactor widget methods to support desktop notifications, including
    GTK stubs.
  + Find-in-page should not ding while deleting characters.
  + Add SSL wrapper for linux and mac. This allows notifier to use
    chrome's SSL layer instead of OpenSSL.
  + Add three of the six extensions to PAC that Internet Explorer supports.
  + WebSocket support in chromium. (Run with --enable-web-sockets enables
    WebSocket features.)
  + Do not allow GTK File Chooser dialogs to return directories.
  + Fix the notifier SSL layer to make notifications work for Linux
    Bookmark sync.
  + linux: don't override mouse selection behavior in omnibox

-------------------------------------------------------------------
Sun Oct 25 08:37:29 UTC 2009 - tittiatcoke@gmail.com

- Update to 224.4 svn 30027
  + First cut at new page and browser action docs based on new API.
    Deleted old stuff.
  + Add suppression for new memory leak caused by WebKit merge 49830:49844
  + Cleanup: change PIDs to base::ProcessId (or pid_t, as appropriate)
  + Minimize dependency of user scripts
  + Fixup the flip_framer eof-handling semantics now that we have the FIN
    bit in place
  + app depends on x11 because of active_window_watcher_x
  + Adding two images for the new Extension management UI
  + Removing hard-coded Chrome Frame output path
  + Rearrange clipboard code
  + Fix crash bug when attempting to download a url with unsupported
    scheme, e.g. 'data:', by 'Alt + Click'
  + GTK: Change text for extension download UI
  + Ignore invalid urls on command line
  + Make dropped tabs animate from where they were dropped.
  + Make room for the full width of the tab placeholder.
  + Make tab dragging as smooth as glass.
  + Remove an annoying NOTIMPLEMENTED
  + Extensions: guarantee removal of BROWSER_WINDOW_READY registration
  + If we're in the middle of a drag, don't allow the user to middle click
    to close or right click for the context menu
  + "Fix" a NOTIMPLEMENTED on Linux by using the default password store
  + Remove +x bit from files that shouldn't have it
  + Fold first 3 channels of multichannel instead of 5. Use fixed point
  + Adding new image needed for the management UI
  + Fix a race bug where content scripts would not apply to the first page
    load
  + Make escape remove a bookmark if it's just been added (but not if it
    already existed)
  + Fix bubbles deactivating the opaque frame
  + Allow ESC to cancel ALT+SHIFT+T in Toolbar
  + Make all pepper plugins default to windowless and transparent
  + Add styles for printing
  + Implement the new extension management UI
  + Add support for to automation interface load install and load
    extensions
  + GTK: theme the info bar border
  + Update V8 to version 1.3.16.1
  + Introduce WebSecurityPolicy for security related methods
  + New button scheme...borders are separate from the inner contents so
    that they can be highlighted / depressed independently
  + When opening Chrome maximized with an application window already
    running, the Chrome window was not activated
  + Fix compatibility problems with FileZilla FTP Server
  + Remove the extension shelf on Linux
  + Fix the proxy host and port string to start with http:// if it does
    not already
  + Enable HTML5 databases for all extension renderer processes

-------------------------------------------------------------------
* Sat Oct 24 00:00:00 UTC 2009 - prusnak@opensuse.org

- don't create desktop files in wrapper
- fix LD_LIBRARY_PATH (chromium-fix-wrapper.patch)

-------------------------------------------------------------------
* Tue Oct 20 00:00:00 UTC 2009 - tittiatcoke@gmail.com

- update to newer svn snapshot
  + Obsoletes fwrite patch (included upstream)

-------------------------------------------------------------------
* Fri Oct 16 00:00:00 UTC 2009 - tittiatcoke@gmail.com

- update to newer svn snapshot
  + Requires newer version of v8

-------------------------------------------------------------------
* Thu Oct 15 00:00:00 UTC 2009 - prusnak@suse.cz

- do not force SSE on x86 (drop-sse.patch)

-------------------------------------------------------------------
* Tue Oct 13 00:00:00 UTC 2009 - tittiatcoke@gmail.com

- Update to newer svn snapshot
- Fixed spec file in order to build
- Included patch to build with system zlib

-------------------------------------------------------------------
* Mon Oct 12 00:00:00 UTC 2009 - prusnak@suse.cz

- package renamed to chromium
- cleaned up spec file

-------------------------------------------------------------------
* Tue Oct 6 00:00:00 UTC 2009 - dbuck@example.com

- v8 is now built as a separate package, and is required
- included many patches to use system libraries: v8, icu, libxml2,
  libxslt, libjpeg, libpng, libevent, bzip2, zlib, nspr, nss

-------------------------------------------------------------------
* Sun Oct 1 00:00:00 UTC 2009 - dbuck@example.com

- included a newer DEP than is in svn, native_client@823
- things should compile cleanly now

-------------------------------------------------------------------
* Sun Aug 31 00:00:00 UTC 2009 - dbuck@example.com

- initial build