A lot of CVE's (Please update CEF to Chromium 87.0.4280.141)
Posted: Thu Jan 07, 2021 12:54 pmYesterday, the Chrome stable channel has been updated to version 87.0.4280.141
I request to update CEF to that build faster than usual.. I will motivate this below.
This time, it contains way more (and relatively more serious - see the bounties are very high) vulnerability patches than usual.
It is probably influenced by that it took much longer than usual for the Stable channel to get an update after the last version (more than a month since 87.0.4280.88).. I would guess due to christmas & new year, and then they used this opportunity to package more security fixes into the ultimate build, and work on collected metrics for longer.
Source: https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html
Vulnerabilities fixed:
I would appreciate if you consider, @magreenblatt
I request to update CEF to that build faster than usual.. I will motivate this below.
This time, it contains way more (and relatively more serious - see the bounties are very high) vulnerability patches than usual.
It is probably influenced by that it took much longer than usual for the Stable channel to get an update after the last version (more than a month since 87.0.4280.88).. I would guess due to christmas & new year, and then they used this opportunity to package more security fixes into the ultimate build, and work on collected metrics for longer.
Source: https://chromereleases.googleblog.com/2021/01/stable-channel-update-for-desktop.html
Vulnerabilities fixed:
- Code: Select all
[$20000][1148749] High CVE-2021-21106: Use after free in autofill. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2020-11-13
[$20000][1153595] High CVE-2021-21107: Use after free in drag and drop. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-11-30
[$20000][1155426] High CVE-2021-21108: Use after free in media. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-04
[$15000][1152334] High CVE-2021-21109: Use after free in payments. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2020-11-24
[$15000][1152451] High CVE-2021-21110: Use after free in safe browsing. Reported by Anonymous on 2020-11-24
[$7500][1149125] High CVE-2021-21111: Insufficient policy enforcement in WebUI. Reported by Alesandro Ortiz on 2020-11-15
[$7500][1151298] High CVE-2021-21112: Use after free in Blink. Reported by YoungJoo Lee(@ashuu_lee) of Raon Whitehat on 2020-11-20
[$6000][1155178] High CVE-2021-21113: Heap buffer overflow in Skia. Reported by tsubmunu on 2020-12-03
[$N/A][1148309] High CVE-2020-16043: Insufficient data validation in networking. Reported by Samy Kamkar, Ben Seri at Armis, Gregory Vishnepolsky at Armis on 2020-11-12
[$N/A][1150065] High CVE-2021-21114: Use after free in audio. Reported by Man Yue Mo of GitHub Security Lab on 2020-11-17
[$TBD][1157790] High CVE-2020-15995: Out of bounds write in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2020-12-11
[$TBD][1157814] High CVE-2021-21115: Use after free in safe browsing. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-11
[$N/A][1151069] Medium CVE-2021-21116: Heap buffer overflow in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research on 2020-11-19
I would appreciate if you consider, @magreenblatt