A lot of CVE's (Please update CEF to Chromium 87.0.4280.141)

Do not post support requests, bug reports or feature requests. Discuss CEF here. Non-CEF related discussion goes in General Discussion!

A lot of CVE's (Please update CEF to Chromium 87.0.4280.141)

Postby DvL » Thu Jan 07, 2021 12:54 pm

Yesterday, the Chrome stable channel has been updated to version 87.0.4280.141

I request to update CEF to that build faster than usual.. I will motivate this below.

This time, it contains way more (and relatively more serious - see the bounties are very high) vulnerability patches than usual.

It is probably influenced by that it took much longer than usual for the Stable channel to get an update after the last version (more than a month since 87.0.4280.88).. I would guess due to christmas & new year, and then they used this opportunity to package more security fixes into the ultimate build, and work on collected metrics for longer.

Source: https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html

Vulnerabilities fixed:
Code: Select all
[$20000][1148749] High CVE-2021-21106: Use after free in autofill. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-11-13

[$20000][1153595] High CVE-2021-21107: Use after free in drag and drop. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-11-30

[$20000][1155426] High CVE-2021-21108: Use after free in media. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-04

[$15000][1152334] High CVE-2021-21109: Use after free in payments. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2020-11-24

[$15000][1152451] High CVE-2021-21110: Use after free in safe browsing. Reported by Anonymous on 2020-11-24

[$7500][1149125] High CVE-2021-21111: Insufficient policy enforcement in WebUI. Reported by Alesandro Ortiz on 2020-11-15

[$7500][1151298] High CVE-2021-21112: Use after free in Blink. Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on 2020-11-20

[$6000][1155178] High CVE-2021-21113: Heap buffer overflow in Skia. Reported by tsubmunu on 2020-12-03

[$N/A][1148309] High CVE-2020-16043: Insufficient data validation in networking. Reported by Samy Kamkar, Ben Seri at Armis, Gregory Vishnepolsky at Armis on 2020-11-12

[$N/A][1150065] High CVE-2021-21114: Use after free in audio. Reported by Man Yue Mo of GitHub Security Lab on 2020-11-17

[$TBD][1157790] High CVE-2020-15995: Out of bounds write in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2020-12-11

[$TBD][1157814] High CVE-2021-21115: Use after free in safe browsing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-11

[$N/A][1151069] Medium CVE-2021-21116: Heap buffer overflow in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-11-19


I would appreciate if you consider, @magreenblatt :)
DvL
Newbie
 
Posts: 7
Joined: Mon Feb 24, 2020 3:44 pm

Re: A lot of CVE's (Please update CEF to Chromium 87.0.4280.

Postby DvL » Thu Jan 07, 2021 12:59 pm

News source on the severity of these vulnerabilities:

https://www.securityweek.com/google-pays-out-over-100000-vulnerabilities-patched-chrome-87-update

Google Pays Out Over $100,000 for Vulnerabilities Patched With Chrome 87 Update

"An update released this week by Google for Chrome 87 patches 16 vulnerabilities, including 14 rated high severity. The company has awarded more than $100,000 for these vulnerabilities"
DvL
Newbie
 
Posts: 7
Joined: Mon Feb 24, 2020 3:44 pm

Re: A lot of CVE's (Please update CEF to Chromium 87.0.4280.

Postby magreenblatt » Thu Jan 07, 2021 1:10 pm

The 87.0.4280.141 update is in progress. Please be patient.
magreenblatt
Site Admin
 
Posts: 10652
Joined: Fri May 29, 2009 6:57 pm


Return to CEF Discussion

Who is online

Users browsing this forum: No registered users and 7 guests