chromium (126.0.6478.114-1) unstable; urgency=high . * New upstream security release. - CVE-2024-6100: Type Confusion in V8. Reported by Seunghyun Lee (@0x10n) participating in SSD Secure Disclosure's TyphoonPWN 2024. - CVE-2024-6101: Inappropriate implementation in WebAssembly. Reported by @ginggilBesel. - CVE-2024-6102: Out of bounds memory access in Dawn. Reported by wgslfuzz. - CVE-2024-6103: Use after free in Dawn. Reported by wgslfuzz. chromium (126.0.6478.56-1) unstable; urgency=high . * New upstream stable release. - CVE-2024-5830: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab. - CVE-2024-5831: Use after free in Dawn. Reported by wgslfuzz. - CVE-2024-5832: Use after free in Dawn. Reported by wgslfuzz. - CVE-2024-5833: Type Confusion in V8. Reported by @ginggilBesel. - CVE-2024-5834: Inappropriate implementation in Dawn. Reported by gelatin dessert. - CVE-2024-5835: Heap buffer overflow in Tab Groups. Reported by Weipeng Jiang (@Krace) of VRI. - CVE-2024-5836: Inappropriate Implementation in DevTools. Reported by Allen Ding. - CVE-2024-5837: Type Confusion in V8. Reported by Anonymous. - CVE-2024-5838: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy). - CVE-2024-5839: Inappropriate Implementation in Memory Allocator. Reported by Mickey. - CVE-2024-5840: Policy Bypass in CORS. Reported by Matt Howard. - CVE-2024-5841: Use after free in V8. Reported by Cassidy Kim(@cassidy6564). - CVE-2024-5842: Use after free in Browser UI. Reported by Sven Dysthe (@svn_dy). - CVE-2024-5843: Inappropriate implementation in Downloads. Reported by hjy79425575. - CVE-2024-5844: Heap buffer overflow in Tab Strip. Reported by Sri. - CVE-2024-5845: Use after free in Audio. Reported by anonymous. - CVE-2024-5846: Use after free in PDFium. Reported by Han Zheng (HexHive). - CVE-2024-5847: Use after free in PDFium. Reported by Han Zheng (HexHive). * d/copyright: delete bullseye environment that upstream ships (??). * d/patches: - upstream/appservice-include.patch: drop, merged upstream. - upstream/lens-include.patch: drop, merged upstream. - upstream/mojo-bindings-include.patch: drop, merged upstream. - upstream/ninja.patch: drop, merged upstream. - upstream/no-vector-consts.patch: drop, merged upstream. - upstream/vulkan-include.patch: drop, merged upstream. - system/clang-format.patch: drop it; we broke it some time ago, and didn't notice. Guess we don't need it? - bookworm/clang16.patch: refresh. - fixes/bad-font-gc00000.patch: refresh - fixes/bad-font-gc11.patch: refresh - fixes/bad-font-gc2.patch: refresh - disable/signin.patch: refresh - upstream/quiche-deque.patch: gcc build fix pulled from upstream. - upstream/gpu-header.patch: add header build fix from upstream. - upstream/blink-header.patch: add header build fix from upstream. - upstream/blink-header2.patch: add header build fix from upstream. - upstream/blink-header3.patch: add header build fix from upstream. - upstream/realtime-reporting.patch: gcc build fix from upstream. - upstream/urlvisit-header.patch: add header build fix from upstream. - upstream/accessibility-format.patch: gcc build fix from upstream. - bookworm/urlhelper-ctor.patch: work around a clang-16 bug; add an explicit constructor. . [ Timothy Pearson ] * d/patches/ppc64le: - sandbox/0008-sandbox-fix-ppc64le-glibc234.patch: Modify for upstream changes - third_party/0002-Add-PPC64-generated-files-for-boringssl.patch: Modify for upstream changes - libaom/0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: Refresh for upstream changes chromium (125.0.6422.141-1) unstable; urgency=high . * New upstream security release. - CVE-2024-5493: Heap buffer overflow in WebRTC. Reported by Cassidy Kim(@cassidy6564). - CVE-2024-5494: Use after free in Dawn. Reported by wgslfuzz. - CVE-2024-5495: Use after free in Dawn. Reported by wgslfuzz. - CVE-2024-5496: Use after free in Media Session. Reported by Cassidy Kim(@cassidy6564). - CVE-2024-5497: Out of bounds memory access in Keyboard Inputs. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab. - CVE-2024-5498: Use after free in Presentation API. - CVE-2024-5499: Out of bounds write in Streams API. * d/patches/fixes/libxml-parseerr.patch: delete, now that we have a newer libxml2. * d/control: add versioned build-dep on libxml2-dev >= 2.12. chromium (125.0.6422.112-1) unstable; urgency=high . * New upstream security release. - CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security. * Fix handling of quoted arguments (closes: #1071662). chromium (125.0.6422.76-1) unstable; urgency=high . * New upstream security release. - CVE-2024-5157: Use after free in Scheduling. Reported by Looben Yang. - CVE-2024-5158: Type Confusion in V8. Reported by Zhenghang Xiao (@Kipreyyy). - CVE-2024-5159: Heap buffer overflow in ANGLE. Reported by David Sievers (@loknop). - CVE-2024-5160: Heap buffer overflow in Dawn. Reported by wgslfuzz. * Don't silently ignore arguments meant for the wrapper script if chromium args happen to come first (closes: #1068096). * d/patches: - upstream/tabstrip-include.patch: add header build fix. qt6-declarative (6.6.2+dfsg-4) unstable; urgency=medium . * Team upload. * Following the enablement of Vulkan also on non-Linux architectures in qt6-base 6.6.2+dfsg-9, remove the linux-any limitation for the Vulkan-related examples in qt6-declarative-examples.install. * There are no more architecture-specific files in install files, so: - drop the dh-exec usage in qt6-declarative-examples.install - drop the dh-exec build dependency * Sort the install files. * Bump Standards-Version to 4.7.0, no changes required. REMOVED: pcbasic 2.0.7-3 REMOVED: python-flanker 0.9.15-1 REMOVED: python-tld 0.13-1 REMOVED: wapiti 3.0.4+dfsg-2 REMOVED: pysdl2 0.9.16+dfsg-1