CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Postby DvL » Wed Oct 21, 2020 3:40 pm

Hi,

There is a hurry behind updating the available CEF build to Chromium 86.0.4240.111, due to this incident: https://www.zdnet.com/article/google-releases-chrome-security-update-to-patch-actively-exploited-zero-day/
Hackers in question are targeting app (as in: software application) users as well.

So please, if it's possible to update faster than the usual 6-10 days you take on average to update to a new version of Chromium, do so, @magreenblatt
Thanks for considering :)
DvL
Newbie
 
Posts: 7
Joined: Mon Feb 24, 2020 3:44 pm

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Postby magreenblatt » Thu Oct 22, 2020 6:35 pm

Updated builds should be available tomorrow (Friday).
magreenblatt
Site Admin
 
Posts: 12379
Joined: Fri May 29, 2009 6:57 pm

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Postby DvL » Thu Oct 22, 2020 9:38 pm

magreenblatt wrote: Updated builds should be available tomorrow (Friday).


Alright, thank you very much!

I would personally advise all developers using CEF to upgrade after tomorrow. Even if your users can only browse to limited content/domains (due to the nature of your app), remotely served fonts could be fitted with the exploit.
Imagine a popular fonts CDN gets compromised: all internet users on this version of Chromium would be at huge risk during routine tasks.
DvL
Newbie
 
Posts: 7
Joined: Mon Feb 24, 2020 3:44 pm

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Postby ndesktop » Fri Oct 23, 2020 1:42 am

For whoever builds CEF themselves and is emergency patching, the patch is here.
What needs to be patched is src/third_party/freetype/src/src/sfnt/pngshim.c.
ndesktop
Master
 
Posts: 748
Joined: Thu Dec 03, 2015 10:10 am

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Postby magreenblatt » Fri Oct 23, 2020 11:18 am

A 4183 branch build with the fix will also be available later today.
magreenblatt
Site Admin
 
Posts: 12379
Joined: Fri May 29, 2009 6:57 pm

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Postby DvL » Fri Oct 23, 2020 5:47 pm

Multiple platforms have built (CEF 86.0.18+gd3ead8b+chromium-86.0.4240.111), but not Windows.
If possible, make the updated Windows build available as fast as the other platforms.
DvL
Newbie
 
Posts: 7
Joined: Mon Feb 24, 2020 3:44 pm

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Postby amaitland » Fri Oct 23, 2020 6:43 pm

The Windows builds are available (they've been available for at least 13 hours).

The http://opensource.spotify.com/cefbuilds/index.html page is cached and can take some time to update.

View http://opensource.spotify.com/cefbuilds/index.json for a list of all builds.
Maintainer of the CefSharp project.
amaitland
Virtuoso
 
Posts: 1290
Joined: Wed Jan 14, 2015 2:35 am

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Postby ChrmiumMonkey » Tue Nov 03, 2020 12:00 am

Can the emergency patch be applied to 4147 branch?
ChrmiumMonkey
Newbie
 
Posts: 5
Joined: Wed Sep 25, 2019 6:27 pm

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Postby magreenblatt » Tue Nov 03, 2020 12:04 pm

ChrmiumMonkey wrote: Can the emergency patch be applied to 4147 branch?

Probably, but you will need to build it yourself.
magreenblatt
Site Admin
 
Posts: 12379
Joined: Fri May 29, 2009 6:57 pm

Re: CVE-2020-15999 (Please update to 86.0.4240.111 ASAP)

Postby ndesktop » Wed Nov 04, 2020 10:32 am

ChrmiumMonkey wrote: Can the emergency patch be applied to 4147 branch?

Yes, I did that. As stated, you need to build CEF yourself.
ndesktop
Master
 
Posts: 748
Joined: Thu Dec 03, 2015 10:10 am
