| What's new in this version: Google Chrome 90.0.4430.72
Security fixes:
- High: CVE-2021-21201: Use after free in permissions
- High: CVE-2021-21202: Use after free in extensions
- High: CVE-2021-21203: Use after free in Blink
- High: CVE-2021-21204: Use after free in Blink
- High: CVE-2021-21205: Insufficient policy enforcement in navigation
- High: CVE-2021-21221: Insufficient validation of untrusted input in Mojo
- Medium: CVE-2021-21207: Use after free in IndexedDB
- Medium: CVE-2021-21208: Insufficient data validation in QR scanner
- Medium: CVE-2021-21209: Inappropriate implementation in storage
- Medium: CVE-2021-21210: Inappropriate implementation in Network
- Medium: CVE-2021-21211: Inappropriate implementation in Navigation
- Medium: CVE-2021-21212: Incorrect security UI in Network Config UI
- Medium: CVE-2021-21213: Use after free in WebMIDI
- Medium: CVE-2021-21214: Use after free in Network API
- Medium: CVE-2021-21215: Inappropriate implementation in Autofill
- Medium: CVE-2021-21216: Inappropriate implementation in Autofill
- Low: CVE-2021-21217: Uninitialized Use in PDFium
- Low: CVE-2021-21218: Uninitialized Use in PDFium
- Low: CVE-2021-21219: Uninitialized Use in PDFium
Google Chrome 89.0.4389.128
- Forbid script execution while updating the paint lifecycle
- [WPT] Mark permissions policy timing test slow on debug
- [GCPW] Fallback to registry when permitted domains cloud policy is empty
- Pin win10_chromium_x64_rel_ng and win7-rel to 16 cores
- Created a duplicate 'Mac11 Tests' from 'Mac11.0 Tests'
- Launching app inventory, upload device details and fetch experiments
- [Fuchsia] Add Fuchsia official builders to mb_config
- [Fuchsia] Remove unnecessary package vars from yaml files
- Only show krane's custom Demo Mode attract loop on krane devices
- [4389][mac][infra] Add Mac10.15 Tests (dbg)
Security fixes:
- High CVE-2021-21206: Use after free in Blink
- High CVE-2021-21220: Insufficient validation of untrusted input in V8 for x86_64
Google Chrome 89.0.4389.114
Security Fixes:
- High CVE-2021-21194: Use after free in screen capture.
- High CVE-2021-21195: Use after free in V8.
- High CVE-2021-21196: Heap buffer overflow in TabStrip.
- TBD1173903 High CVE-2021-21197: Heap buffer overflow in TabStrip.
- TBD1184399 High CVE-2021-21198: Out of bounds read in IPC.
- High CVE-2021-21199: Use Use after free in Aura.
Various fixes from internal audits, fuzzing and other initiatives:
- Merge 4389: Make ComputeNGCaretPosition() to handle upstream position after soft line wrap
- Enable cloud policies by default
- Read Os version from registries.
- [ChromeCart] Fix URL matching for cart and checkout
- [ChromeCart] Extract product images in absolute URL
- [ChromeCart] Improve cart visit detection heuristics
- Disable flaky CommerceHintCacaoTest.Rejected test.
- [ChromeCart] Exclude products in "saved for later" section
- [ChromeCart] Fix false positives of add-to-cart detection
- Reland "Reland "[ChromeCart] Improve checkout detection heuristics""
- Setting AppType for Win32 apps.
- [privacy_budget] Remove unnecessary kCanvasReadback metrics.
- Upload app data only when device is enrolled.
- Don't use BigBuffer for IPC::Message transport
- Fix container overflow in add to existing window and group tab context menu commands.
- Merge 89: Handle DOM-created tables with atypical structure
- [fuchsia] Recreate web.Context if persisted cache is erased.
- [floats] Fix overlap tests in NGExclusionSpace.
- Avoid starting invalidations multiple times.
- Changes to fetch win32 apps installed on the managed windows device and upload them.
- [Fuchsia] Fix FuchsiaAudioRenderer to call Stop() only after Start()
- Allow logged-in sites to be mentioned via optimization guide
- WebContents bug fix: Device capture only if web contents is valid
- Unlock win7-rel to run on machines with any core count.
- Disable variations layers when low entropy provider is null
- [M89 merge] x11/ozone: fix two edge cases
- Fix PageInfo for https image compression
- [M89][CrOS] Align password to start of password row when no icon is shown
- Allow first K images to load faster
- Add scheme check to crashing login detection code
- [Messages] Control autodismiss duration from Finch experiment
- Record image compression ukm metrics
- [Start] Make tab switcher page scroll to the last selected card.
- Download: Support legacy SD card download path content URI on R.
- [Start] Fix java.lang.NullPointerException at FeedStream.getView(FeedStream.java)
- [fuchsia] Ensure thread safety for ScenicOverlayView
- [fuchsia] Disable memory mitigations for visible LayerTreeHostImpls.
- Sheriff: Disable LoadTimingBrowserTest on the M89 branch.
- Sheriff: Disable broken StartSurface test on M89.
- Pull muted tab audio on a RT thread in the audio process.
- [fuchsia] Add vmodule flag support from config-data for WebEngine
- Allow ServiceWorkerResourceReader::ReadData() to return empty handle
- [fuchsia] Change minimum log level when verbose logging is on
- [fuchsia] Enable the media log as VLOGs on Fuchsia
- [fuchsia] Disable memory-pressure handling in Renderers by default
- Use a longer timeout for android-marshamllow-arm64-rel on branches.
- [CCA] Remove metadata observer when closing streams
- Add auto rollers as OWNERS of the files they touch
- [Fuchsia] Fix crash in VideoCaptureDeviceFactoryFuchsia
- Rename is_master to is_main.
- Get CameraAppDeviceImpl upon using in CrOS VCD
- VCD: Refactor CameraAppDeviceBridgeImpl and CameraAppDeviceImpl
- [ChromeCart] Allow skipping products
- [ChromeCart] Only handle http(s) schemes
- OOBE OfflineLogin: Correct login call to use internal authorization
- [CrOS] Show placeholder text on login/lock screen even with empty pwd
- Fix crash when restoring selection after a drag during which a dragged tab was closed.
- [Merge M89] Multi-User WM: Fix disappearing windows during profile switching.
- [M89][Lacros] Disable multiple Chrome OS sign-in when Lacros is enabled
- m89: Mitigate performance issues in Google tts
- [M89] Adds lacros_version_metadata
Google Chrome 89.0.4389.90
- High CVE-2021-21191: Use after free in WebRTC. Reported
- High CVE-2021-21192: Heap buffer overflow in tab groups. Reported
- High CVE-2021-21193: Use after free in Blink. Reported
- Various fixes from internal audits, fuzzing and other initiatives
- [Merge to M89] Expose langid events from SODA to Chrome and switch to protos
- Disable SVG composited animation if effective zoom is not 1
- Remove pre-target event handler before main widget close
- Fix remaining instances of RevertDragAt losing track of tabs.
- [ChromeCart] Extract products in shopping cart (2/2)
- [headless] Don't CHECK() crash on OSCrypt initialization failure.
- [headless] Move PrefService to HeadlessBrowserMainParts
- [WebLayer] Fix crash in GPU process when using GMS APIs
- [Grid] Auto-scroll to selected tab after tab model switching
- Revert "[headless] Configure renderer preferences from system settings"
- [headless] Configure renderer preferences from system settings
- [Merge to M89] Iterate more carefully over DTLS transports at close
- [ChromeCart] Restore module visibility when cart-action happens
- [ChromeCart] Extract products in shopping cart (1/2)
- Mark additional RootInlineBox dirty when culled inline box is removed
- [ChromeCart] Deflake CommerceHintAgentTest.CartPriority
- [Sheriff] Disable CommerceHintAgentTest.CartPriority on Linux
- Copy CSSM_TP_APPLE_EVIDENCE_INFO immediately after SecTrustGetResult
- Fix null domWindow crash in VisualViewport events
- [ChromeCart] Try to obtain cart URL when add-to-cart is detected
- [ChromeCart] Use optimization guide to filter out non-shopping sites
- M89: Increase BrowsingInstance cleanup delay.
- [ChromeCart] Pick the best source of cart URL
- [ChromeCart] Hide a unused function on CrOS
- [ChromeCart] Disable cart for non-SignIn single-profile users
- [ChromeCart] De-flake CommerceHintAgentTest tests
- [ChromeCart] Look up cart URL and merchant name when adding cart
- [ChromeCart] Add OWNERS file for chrome/renderer/cart
- [ChromeCart] Disable flaky CommerceHintAgentTest tests
- [Sheriff] Disable benchmark under Msan.
- [ChromeCart] Detect more shopping actions
- [ChromeCart] Implement add-to-cart detection
- [fuchsia] Add logging to diagnose a crash in the request rewrite throttles
- Handle resize bitmap operation failing.
- Revert changes to PPD file parsing
- [fuchsia] Suppress |is_main_document_loaded| if navigations are pending.
- Updating XTBs based on .GRDs from branch 4389
- [floc] change the API return type to Promise
- SiteForCookies now computes value for frame tree
- [base/allocator] Intercept (v)asprintf() in the shims on Android.
- [a11y] Accessibility bridge rejects actions on invalidtrees.
- [M89] [sheriff] Disable ExtensionInstallDialogViewInteractiveBrowserTest.InvokeUi_ManyPermissions on Windows for real
Google Chrome 89.0.4389.82
- GMC: Enable Global Media Controls for ChromeOS
- [sheriff] Disable flaky CartHandlerTest.TestEnableFakeData
- [Sheriff] Disable flaky test on TSAN
- Call SetNeedsAssignmentRecalc in HTMLSlotElement::ChildrenChanged
- Stop preloading vr module to avoid racey crash
- Don't crash on reentrant RunMoveLoop call
- Fix download resumption in reduced mode
- Add WebLayer getters for referrer and form submission
- Enable chromium M89 CQ to trigger chrome M90 builders
- [Merge to M89][Multipaste] Restrict the size of the web contents from the copied HTML
- cros: Make AcceleratorHistory higher priority
- Wi-Fi Sync: Default autoconnect to enabled when unspecified
- Active user takes ownership of networks on password updates
- Prevent showing notification when Wi-Fi Sync is not visible in settings
- [M89]Use the chrome.exe path instead of the directory
- [Fuchsia] Fix OutputPresenterFuchsia to send non-decreasing timestamps
- Condition Price Tracking on MBB Consent
- [fuchsia] Add multiple component support for audio/video capturers
- [iOS] Guard against grid view item array overrun
- [iOS][MF] Validate web state
- [iOS][Settings] Fixes clear browsing data link
- [Merge M89] Bento: Save desk names and workspaces after desk reordering
- [M89] ash: Handle nullptr window in WebAuthn request registrar
- [Merge to M-89][Multipaste] Destruct the multipaste menu views asynchronously
- Revert "Use stereo audio processing in stereo calls"
- m89: Makes all accessibility * enable prefs non-synchable
Google Chrome 89.0.4389.72
Fixed:
- Heap buffer overflow in TabStrip
- Heap buffer overflow in WebAudio
- Heap buffer overflow in TabStrip
- Use after free in WebRTC
- Insufficient data validation in Reader Mode
- Insufficient data validation in Chrome for iOS
- Object lifecycle issue in audio
- Object lifecycle issue in audio
- Use after free in bookmarks
- Insufficient policy enforcement in appcache
- Out of bounds memory access in V8
- Incorrect security UI in Loader
- Incorrect security UI in TabStrip and Navigation
- Insufficient policy enforcement in File System API
- Side-channel information leakage in Network Internals
- Inappropriate implementation in Referrer
- Inappropriate implementation in Site isolation
- Inappropriate implementation in full screen mode
- Insufficient policy enforcement in Autofill
- Inappropriate implementation in Compositing
- Use after free in Network Internals
- Use after free in tab search
- Heap buffer overflow in OpenJPEG
- Side-channel information leakage in autofill
- Insufficient policy enforcement in navigations
- Inappropriate implementation in performance APIs
- Inappropriate implementation in performance APIs
- Insufficient policy enforcement in extensions
- Insufficient policy enforcement in QR scanning
- Insufficient data validation in URL formatting
- Use after free in Blink
- Insufficient policy enforcement in payments
- Uninitialized Use in PDFium
Various fixes from internal audits, fuzzing and other initiatives:
- webview: clear the network callback in AwPacProcessor
- Better adhere to the Get rule with SecTrustGetCertificateAtIndex
- Clear the add to submenu before add new items
- Do not register NetworkCallback for AwPacProcessor if network is not specified
- Do not reset shortcuts if no valid Chrome installations were found
- Introduce AudioBuffers for user access in ScriptProcessorNode
- [Merge to M89] Prevent re-dropping when the desk is snapping back
- Merge 89: "Disable AV1 hardware decode w/ D3D11VideoDecoder for Intel GPUs."
- ios: Check for nullptr cert
- [Merge to M89] [X11] Fix incorrect bitmap row-bytes calculation
- [M89] Fix marking device-wide keys as corporate if no Profile was given
- Remove usage of WKUserContentController mock
- [Merge to M-89] Capture Mode: use Env event handler
- Merge 89: Fix null check and reduce DumpWithoutCrashing
- Reland "Prevent calling setSelection with negative values"
- [fuchsia] Enable Partial Site Isolation
- CrOS system tray: check for Media Router after primary profile init
- [fuchsia] Reduce likelihood of integration tests timeout-flaking
- Disable flaky tests
- remoting: Introduce native systemd unit for CRD
- ChromeOS: Disable touchpad finger swipe in the "Locked Mode"
- [Merge to M-89] Capture Mode: fix cursor scale for different displays
- [Blobs] Don't store BlobStorageLimits as a reference in transport strategy
- [Merge M89] Attempt to ensure ClassLoaders are consistent for splits
- [Merge to 89] MediaRecorder: tolerate non-GMB NV12 frames for H264
- Updating XTBs based on .GRDs from branch 4389
- Merge M89 ash: Fix mirror transform when displays have different aspect
- viz: Clip required overlays to display boundaries
- [M89][Signin][Android] Set up sign-in promo only with account list cache
- Move notify call earlier when download is canceled
- m89: Do not process hover events when not expected by ChromeVox
- [ChromeCart] Remove expired cart entries
- Use the correct layer bounds
- Fix dependency
- Add flag to disable AV1 Decoding on d3d11 video decoder
- [merge to 89] Reland "capture_mode: Keyboard navigation and chromevox implementation."
- Fix bug where search_box_view_base active/inactive colors were swapped
Google Chrome 88.0.4324.192
- Change log not available for this version
Google Chrome 88.0.4324.182
- Stop using raw WebContents ptr in DragDownloadFile
- [Messages] Address a CHECK in MessageWrapper on activity destruction
- Make IncognitoCustomTabIntentDataProvider#isIncognito as single
- Use a copy for transferring non detachable buffers
- Add symupload dependency to chrome_cleanup_tool binaries
- M88 Merge: Disable SurfaceControl on capri devices
- WebSocket: Don't clear event queue on destruction
- Make ShapeResult::ComputeGlyphPositions() to calculate safe to break before offset correctly
- [fuchsia] Send a null client certificate
- Video Tutorials : Support videos not available in all languages
- Fix crash in FilePathWatcherKQueue.
- Add metrics for Web Platform notifications.
- [fuchsia] Add feature flag for disabling renderer memory pressure handling.
- Video Tutorials : UI fixes on IPH sequencing and language picker
- Disable GPU acceleration on all Mesa software rasterizers
- Video Tutorials : Added missing metrics for IPH cards
- [Fuchsia] Fix FuchsiaAudioRenderer::GetWallClockTimes()
- [fuchsia] Add memory pressure monitoring support to Renderers.
- [M88] [sheriff] Disable NestedIframeTransformedIntoViewViewportIntersection
- [M88] Disable flaky tests PrerenderBrowserTest.LinkRelPrerender*
- Video tutorials : Fixed toolbar shadow for video list
- [M88] Add strip_binary and strip_binary_chrome target
- [Merge to M88] Avoid spinning a nested message loop for X11 clipboard
- Fix RevertDragAt losing track of tabs in some cases.
- c Fix crash when reverting a drag if the source tabstrip changed during the drag.
- [Merge to M88] [XProto] Switch event queue from a std::list to a base::circular_deque
- [Merge to M88][Web Payment]PR_sheet_controller should not update views during PR abort
- Video Tutorials : Fixed summary card not getting shown
- [fuchsia] Fix AutoPlayTest.*UserActivatedViaSimulatedInteraction
- Change doubletap backwards test to happen on a paused video
- Merge: Update hover button state before calling press callback
- [M88] Skip fast/workers/worker-shared-asm-buffer to unblock V8 roll
- Block HW video decode on AMD driver 8.17.10.1433
- [M88] Disable BackForwardCacheBrowserTestWithFileSystemAPISupported.CacheWithFileSystemAPI due to flakes.
- [M88] Add TRACE_EVENT for RequestTermination and Stop
- Merge M88: "Don't use effective frame count to expire frames."
- Merge M88: "Prevent Windows IMFTransform hangs
- [Merge to M88] Enable ShortcutsMenu during Shortcut creation.
- Reland "Updating XTBs based on .GRDs from branch 4324"
- [M88] ServiceWorker: Fix the lifetime of OnFetchEventFinished()
- [Fuchsia] Send output frames to ImagePipe as soon as possible
- Revert "Updating XTBs based on .GRDs from branch 4324"
- Updating XTBs based on .GRDs from branch 4324
- webauthn: Remove PaaSK USB accessory filter
- [fuchsia] Never use official Google API keys on Fuchsia.
- [Autofill Assistant] Fast path++ CL for M-88 refresh#2
- [Fuchsia] Use embedder origin to determine permissions for iframes
- [fuchsia] Prevent Media Inspector memory leak on Fuchsia in M88
- [fuchsia] Allow official keys to remain unset in Fuchsia builds.
- [fuchsia] Fix a bug in NormalizeConsoleLogMessage
- [fuchsia] Wait for ContextProvider instances to start.
- Read later: Delete reading list in search state should not crash.
- content: adds check for null stop_callback_ in MediaStreamUIProxy
- [fuchsia] Fix NetworkChangeNotifierFuchsia construction race.
- Updating XTBs based on .GRDs from branch 4324
- Fix heap overflow in VideoFrameYUVConverter
- Revert "Roll AFDO from 88.0.4324.144_rc-r1-merged to 88.0.4324.147_rc-r1-merged"
- [M88 merge] weblayer: register android-app scheme
- [m88] Roll ICU to fix Android extra dat file issue
Security Fixes and Rewards:
- High CVE-2021-21149: Stack overflow in Data Transfer. Reported by Ryoya Tsukasaki on 2020-10-14
- High CVE-2021-21150: Use after free in Downloads. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2021-01-29
- High CVE-2021-21151: Use after free in Payments. Reported by Khalil Zhani on 2021-01-12
- High CVE-2021-21152: Heap buffer overflow in Media. Reported by Anonymous on 2021-01-14
- High CVE-2021-21153: Stack overflow in GPU Process. Reported by Jan Ruge of ERNW GmbH on 2020-12-06
- High CVE-2021-21154: Heap buffer overflow in Tab Strip . Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-01
- High CVE-2021-21155: Heap buffer overflow in Tab Strip . Reported by Khalil Zhani on 2021-02-07
- High CVE-2021-21156: Heap buffer overflow in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-02-11
- Medium CVE-2021-21157: Use after free in Web Sockets. Reported by Anonymous on 2021-01-26
- We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
As usual, our ongoing internal security work was responsible for a wide range of fixes:
- [1178973] Various fixes from internal audits, fuzzing and other initiatives
Google Chrome 88.0.4324.150
- [infra] Change 'Mac10.13 Tests' tester os dimension to Mac 10.13 or 10.15
- mac: enable input sources before selecting them in ScopedKeyboardLayout
- Remove no_gpu mixin for tasks on Mac 10.13 machines
Security fixes:
- High CVE-2021-21148: Heap buffer overflow in V8
Google Chrome 88.0.4324.146
This update includes 6 security fixes. Below, we highlight fixes that were contributed by external researchers:
- Critical CVE-2021-21142: Use after free in Payments
- High CVE-2021-21143: Heap buffer overflow in Extensions
- High CVE-2021-21144: Heap buffer overflow in Tab Groups
- High CVE-2021-21145: Use after free in Fonts
- High CVE-2021-21146: Use after free in Navigation
- Medium CVE-2021-21147: Inappropriate implementation in Skia
As usual, our ongoing internal security work was responsible for a wide range of fixes:
- [1154775] Various fixes from internal audits, fuzzing and other initiatives
Google Chrome 88.0.4324.96
Security Fixes:
- This update includes 36 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
- Critical CVE-2021-21117: Insufficient policy enforcement in Cryptohome
- High CVE-2021-21118: Insufficient data validation in V8
- High CVE-2021-21119: Use after free in Media. Reported by Anonymous on 2020-12-20
- High CVE-2021-21120: Use after free in WebSQL
- High CVE-2021-21121: Use after free in Omnibox
- High CVE-2021-21122: Use after free in Blink
- High CVE-2021-21123: Insufficient data validation in File System API
- High CVE-2021-21124: Potential user after free in Speech Recognizer
- High CVE-2021-21125: Insufficient policy enforcement in File System API
- High CVE-2020-16044: Use after free in WebRTC
- Medium CVE-2021-21126: Insufficient policy enforcement in extensions
- Medium CVE-2021-21127: Insufficient policy enforcement in extensions
- Medium CVE-2021-21128: Heap buffer overflow in Blink
- Medium CVE-2021-21129: Insufficient policy enforcement in File System API
- Medium CVE-2021-21130: Insufficient policy enforcement in File System API
- Medium CVE-2021-21131: Insufficient policy enforcement in File System API
- Medium CVE-2021-21132: Inappropriate implementation in DevTools
- Medium CVE-2021-21133: Insufficient policy enforcement in Downloads
- Medium CVE-2021-21134: Incorrect security UI in Page Info
- Medium CVE-2021-21135: Inappropriate implementation in Performance API
- Low CVE-2021-21136: Insufficient policy enforcement in WebView
- Low CVE-2021-21137: Inappropriate implementation in DevTools
- Low CVE-2021-21138: Use after free in DevTools
- Low CVE-2021-21139: Inappropriate implementation in iframe sandbox
- Low CVE-2021-21140: Uninitialized Use in USB
- Low CVE-2021-21141: Insufficient policy enforcement in File System API
- We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
As usual, our ongoing internal security work was responsible for a wide range of fixes:
- [1168217] Various fixes from internal audits, fuzzing and other initiatives
Google Chrome 87.0.4280.141
Security Fixes:
- High CVE-2021-21106: Use after free in autofill
- High CVE-2021-21107: Use after free in drag and drop
- High CVE-2021-21108: Use after free in media
- High CVE-2021-21109: Use after free in payments
- High CVE-2021-21110: Use after free in safe browsing
- High CVE-2021-21111: Insufficient policy enforcement in WebUI
- High CVE-2021-21112: Use after free in Blink
- High CVE-2021-21113: Heap buffer overflow in Skia
- High CVE-2020-16043: Insufficient data validation in networking
- High CVE-2021-21114: Use after free in audio
- High CVE-2020-15995: Out of bounds write in V8
- High CVE-2021-21115: Use after free in safe browsing
- Medium CVE-2021-21116: Heap buffer overflow in audio
As usual, our ongoing internal security work was responsible for a wide range of fixes:
- [1163626] Various fixes from internal audits, fuzzing and other initiatives
Google Chrome 87.0.4280.88
- Change log not available for this version
Google Chrome 87.0.4280.67
- This release contains native support for Apple M1 devices and a number of fixes and improvements
Google Chrome 87.0.4280.66
Security Fixes:
- High: Use after free in payments
- High: Inappropriate implementation in filesystem
- High: Inappropriate implementation in cryptohome
- High: Race in ImageBurner
- High: Insufficient policy enforcement in networking
- High: Insufficient data validation in WASM
- High: Use after free in PPAPI
- High: Use after free in WebCodecs
- High: Heap buffer overflow in UI
- High: Heap buffer overflow in clipboard
- Medium: Use after free in WebRTC
- Medium: Insufficient policy enforcement in developer tools
- Medium: Heap buffer overflow in WebRTC
- Medium: Inappropriate implementation in PDFium
- Medium: Insufficient data validation in Blink
- Medium: Insufficient data validation in Flash
- Medium: Incorrect security UI in tab preview
- Medium: Incorrect security UI in sharing
- Medium: Incorrect security UI in WebUSB
- Medium: Inappropriate implementation in WebRTC
- Medium: Insufficient data validation in cros-disks
- Low: Side-channel information leakage in graphics
- Low: Inappropriate implementation in cookies
Google Chrome 86.0.4240.198
Security fixes:
- Inappropriate implementation in V8
- Use after free in site isolation
Google Chrome 86.0.4240.193
- Prevent UB if a WeakPtr to an already-destroyed object is dereferenced
- Update elapsed cc expiration date for test
- [Sheriff] Disable test on Linux, Debug or ASAN
- Reland "[M-86][VideoCapture] Handle GPU context lost for the zero-copy path"
- Revert "[M-86][VideoCapture] Handle GPU context lost for the zero-copy path"
- [M-86][VideoCapture] Handle GPU context lost for the zero-copy path
- Avoid bitmap overflow
- Various fixes from internal audits, fuzzing and other initiatives
Google Chrome 86.0.4240.183
- Revert "WebUI Settings: Prevent site_data.js running multiple handler requests"
- Only refresh the printer list when we disconnect from a network
- Fix UAF in TabDragContext::ContinueDrag
- [merge 86] Fix shutdown hangs related to DB_Impl
- [M86 merge] weblayer: ensures TabImpl::OpenURLFromTab handles WebContents deletion
- LiteVideo: Fix throttling to stop permanently on rebuffer event
- 4240: Move every CrOS VM test into pool=chromium.tests
- Disable parent access code for online login in M86
- WebUI Settings: Prevent site_data.js running multiple handler requests
- Added the missing IPC trait macro (M86)
- [mini_installer] Remove code to delete files left behind by previous runs
- Fix the resolution issue with picture url. Fallback to default url
- GestureNav: Adjust edge width for triggering navigation
- [M86 merge] weblayer: ensure DisplayCutoutController is destroyed
- [M86] Fix memory leak in inspector
Security fixes:
- Use after free in user interface
- Insufficient policy enforcement in ANGLE
- Inappropriate implementation in V8
- Insufficient data validation in installer
- Stack buffer overflow in WebRTC
- Inappropriate implementation in V8
- Heap buffer overflow in UI on Windows
Google Chrome 86.0.4240.111
- Change log not available for this version
Google Chrome 86.0.4240.80
- Merge "Stop recreating keychain item for SC private API"
- [M86] OOBE: Make UserSessionManager more robust to shutdown during the login
- Get supported formats before sandboxing
- [ios] append disable_widevine_signing to official_goma_mac mb
- [ios] disable widevine for mac-chrome* trybots
- Clear fast_ink GpuMemoryBuffer
- [M86 merge] Unsubscribe from Drive invalidations when Drive shuts down
- Messages: Re-enable feature for users that hit crbug/1131140
- Messages: Wait for app registry to load before querying for PWA info
- Ash Notification: Add SetPaintToLayer to stacked notification bar
- [Merge-M86] Turn off Release notes suggestion chips
- Disable flaky external/wpt/webvtt/rendering/cues-with-video/processing-model/embedded_style_media_queries.html [M86]
- [CrOs] Update supported version for display password button feature
- [Merge] [Siri Shortcuts] Add checks for old shortcut actions
- Initialize WebStateListMetricsBrowser after SessionRestorationBrowser
Google Chrome 86.0.4240.75
Security Fixes:
- Critical CVE-2020-15967: Use after free in payments
- High CVE-2020-15968: Use after free in Blink
- High CVE-2020-15969: Use after free in WebRTC
- High CVE-2020-15970: Use after free in NFC
- High CVE-2020-15971: Use after free in printing
- High CVE-2020-15972: Use after free in audio
- High CVE-2020-15990: Use after free in autofill
- High CVE-2020-15991: Use after free in password manager
- Medium CVE-2020-15973: Insufficient policy enforcement in extensions
- Medium CVE-2020-15974: Integer overflow in Blink
- Medium CVE-2020-15975: Integer overflow in SwiftShader
- Medium CVE-2020-15976: Use after free in WebXR
- Medium CVE-2020-6557: Inappropriate implementation in networking
- Medium CVE-2020-15977: Insufficient data validation in dialogs
- Medium CVE-2020-15978: Insufficient data validation in navigation
- Medium CVE-2020-15979: Inappropriate implementation in V8
- Medium CVE-2020-15980: Insufficient policy enforcement in Intents
- Medium CVE-2020-15981: Out of bounds read in audio
- Medium CVE-2020-15982: Side-channel information leakage in cache
- Medium CVE-2020-15983: Insufficient data validation in webUI
- Medium CVE-2020-15984: Insufficient policy enforcement in Omnibox
- Medium CVE-2020-15985: Inappropriate implementation in Blink
- Medium CVE-2020-15986: Integer overflow in media
- Medium CVE-2020-15987: Use after free in WebRTC
- Medium CVE-2020-15992: Insufficient policy enforcement in networking
- Low CVE-2020-15988: Insufficient policy enforcement in downloads
- Low CVE-2020-15989: Uninitialized Use in PDFium
Google Chrome 85.0.4183.121
- [m85] Reland "Add more checks for chrome.debugger extensions"
- [Merge M85] Fix crash in InspectorCSSAgent::ResetPseudoStates
- [M85] Quota: Fix precision mistakes for storage pressure.
- Support disabling lens for incognito users
- [M85] Skip clean up if stored RealTimeUrlCheck verdict count is 0.
- (merge) widevine: Only enable Widevine CDM host verification for official builds
- [m85] Delegate TargetHandler::Session permission checks to the root client
- Reland Run ObfuscatedFileUtilMemoryDelegate entirely on TaskRunner.
- (merge) Check for context destroyed in MediaKeys
- Fix for UAF when referencing a deleted scrollbar layer.
- [merge to 85] Revert "cros: V2 apps open on the same display as GetDisplayForNewWindows."
- Re-Enable legacy deep scanning features in M85
- serial: Check that port is open before reading or writing
- [mojo] Fix SequenceLocalSyncEventWatcher reset
- Change how 3D API blocking is implemented
- Remove redundant lines from TestExpectations
- Do not override Navigator.share for insecure contexts
- Reland: Restrict web share feature to URLs without file protocol
Security Fixes:
- Out of bounds read in storage
- Insufficient policy enforcement in extensions
- Insufficient policy enforcement in serial
- Insufficient policy enforcement in extensions
- Out of bounds write in V8
- Insufficient policy enforcement in extensions
- Insufficient data validation in media
- Various fixes from internal audits, fuzzing and other initiatives
Google Chrome 85.0.4183.102
Security fixes:
- Use after free in video
- Insufficient policy enforcement in installer
- Race in Mojo. Reported by Microsoft
- Use after free in offscreen canva
- Insufficient policy enforcement in networking
Google Chrome 85.0.4183.83
- Change log not available for this version
Google Chrome 84.0.4147.135
- Fixed: Heap buffer overflow in SwiftShader
Google Chrome 84.0.4147.125
Fixes:
- Use after free in ANGLE
- Use after free in task scheduling
- Use after free in media
- Use after free in audio
- Inappropriate implementation in installer
- Incorrect security UI in media
- Heap buffer overflow in Skia
- Use after free in media
- Use after free in IndexedDB
- Use after free in WebXR
- Use after free in Blink
- Use after free in offline mode
- Medium CVE-2020-6554: Use after free in extensions
- Medium CVE-2020-6555: Out of bounds read in WebGL
Google Chrome 84.0.4147.105
Security Fixes:
- Type Confusion in V8
- Inappropriate implementation in WebView
- Use after free in SCTP
- Use after free in CSS
- Heap buffer overflow in Skia
- Use after free in WebUSB
- Various fixes from internal audits, fuzzing and other initiatives
Google Chrome 84.0.4147.89
- Change log not available for this version
Google Chrome 83.0.4103.116
- Change log not available for this version
Google Chrome 83.0.4103.106
- Disable CertVerifyProcInternalTest.EVVerificationMultipleOID
- [M83] Revert "[Media Device Management] Check if the interface is already bound
- Roll ChromeOS Orderfiles from 83-4103.77-1591006230-benchmark-83.0.4103.99-r1 to 83-4103.97-1591611962-benchmark-83.0.4103.103-r1
- [Viz, capture] Merge to M83: Fix corruption bug: Invalidate marked buffer on reuse and remark frames on size change
- Merge to M83: Re-land: Fix UAF in TtsPlatformImpl if a BrowserContext is deleted
- [M83] Drop 'future=True' for SBProtectionLevel - it launched in M83
- Roll ChromeOS Silvermont AFDO profile from 83-4103.77-1591006230-benchmark-83.0.4103.99-r1 to 83-4103.97-1591611962-benchmark-83.0.4103.103-r1
- Roll ChromeOS Broadwell AFDO profile from 83-4103.50-1590404133-benchmark-83.0.4103.92-r1 to 83-4103.77-1591610071-benchmark-83.0.4103.103-r1
- Roll ChromeOS Airmont AFDO profile from 83-4103.50-1590408034-benchmark-83.0.4103.92-r1 to 83-4103.97-1591614391-benchmark-83.0.4103.103-r1
- Merge ": Update a shadow node on resetting" to M83 branch
- [M83] Revert "fido: add FidoDiscoveryFactory::ResetRequestState()"
- Pass the PreferredColorScheme to SVGImage
- Merge M83: "[WebAudio] Call SetFormat() for every sink Initialize() call."
- Ash Tray: RemovePrivacyScreenToastController Obs in Dtor
- Roll ChromeOS Orderfiles from 83-4103.50-1590401629-benchmark-83.0.4103.92-r1 to 83-4103.77-1591006230-benchmark-83.0.4103.99-r1
- [WebView] Fix single-window-mode JS injection
- Fix observers in ChallengeResponseAuthKeysLoader
- Replace time restrictions with deny interactive logon type instead
- Roll ChromeOS Silvermont AFDO profile from 83-4103.77-1591006230-benchmark-83.0.4103.98-r1 to 83-4103.77-1591006230-benchmark-83.0.4103.99-r1
- Roll ChromeOS Silvermont AFDO profile from 83-4103.50-1590401629-benchmark-83.0.4103.92-r1 to 83-4103.77-1591006230-benchmark-83.0.4103.98-r1
- Forward built-in-admin-name and administrators-group-name as part of
- Collect and forward OS version to UploadDeviceDetails RPC
- Demo mode: Add new Chrome and Android apps to demo mode metrics
- Remove -stable GPU Mac OS usage
- Switch away from GPU synthetic dimensions
- [ShareButtonInToolbar] add explicit end animation state to explicit show
- Disable GPU buildbucket test
- Mark fast/speech/scripted/speechrecognition-restart-onend.html as flaky
Google Chrome 83.0.4103.97
- Change log not available for this version
Google Chrome 83.0.4103.61
Security Fixes:
- Use after free in reader mode
- Use after free in media
- Use after free in WebRTC
- Type Confusion in V8
- Insufficient policy enforcement in developer tools
- Insufficient validation of untrusted input in clipboard
- Insufficient policy enforcement in developer tools
- Insufficient policy enforcement in developer tools
- Insufficient policy enforcement in Blink
- Use after free in Blink
- Incorrect security UI in full screen
- Insufficient policy enforcement in tab strip
- Inappropriate implementation in installer
- Inappropriate implementation in full screen
- Inappropriate implementation in sharing
- Insufficient policy enforcement in enterprise
- Insufficient policy enforcement in URL formatting
- Insufficient policy enforcement in developer tools
- Insufficient policy enforcement in payments
- Insufficient data validation in ChromeDriver
- Insufficient data validation in media router
- Insufficient policy enforcement in navigations
- Insufficient policy enforcement in downloads
- Insufficient policy enforcement in downloads
- Inappropriate implementation in developer tools
- Insufficient data validation in loader
- Incorrect security UI in site information
- Various fixes from internal audits, fuzzing and other initiatives
Google Chrome 81.0.4044.138
- Cherry picking usrsctp stack overflow fix to M81
- [chromedriver] Regenerate atoms files from selenium
- Fix "Completion handler not called" crash in //ios/web_view. by Hiroshi Ichikawa Revert "WebApp: Handle OS shortcut deletion for bookmark apps in web apps land."
- Element moving betor no-op between lifecycles
- Removes spammy log in blink::WebRtcAudioSink
- Allow Device Service access from any thread
- [Autofill] Fixed requesting invalid country codes from CountryData
- Fix customized built-in element constructor behavior
- Only run Mac non-isolated scripts in compile tasks
- Remove mdm enrollment check in AllowSigninRestrictions
Google Chrome 81.0.4044.129
- Change log not available for this version
Google Chrome 81.0.4044.122
- Compiles //components/sessions/core/ios with ARC
- Invalidate view background when root element adds/removes paint properties
- Bump theme pak version from 72 to 73 on M81
- [ios] Creates flag to enable Messages only for iOS13
- LZMA: Unconditionally flush output files after unmapping
- [ios] Checks if Bookmarks rootNode is not nullptr before caching row
- Block gcpw login if allowed domains registry key is missing
- [SelfShare] Update manifests for renamed/unified handler
- Check ResourceContext is alive before binding SafeBrowsing in weblayer/webview
- Move unmapping of large pages out of the spin-lock in PartitionAlloc
- Merge to M81: [viz, capture] Add debug logging to FrameSinkVideoCapturer
- Merge to M81: Add webrtc logging in WebrtcVideoFrameAdapter. Do not cause lifecycle change during AX serialization by Aaron Leventhal · 6 days ago
- [Merge M81][Web Payment] Browser context owned callback
- Revert "[ios] Disables failing tests in RestoreTestCase"
- Revert "Only use SupervisedUserNavigationObserver for child accounts"
- Reland "Don't decode invalid punycode in URL formatter"
- [Merge to M81] Do not allow window dragging/resizing in oobe or login screen
Google Chrome 81.0.4044.113
- Revert "Don't decode invalid punycode in URL formatter"
- Don't decode invalid punycode in URL formatter
- Flush the output file after writing if it was mapped into memory
- Revert "[css-grid] Exclude implicit grid tracks from the resolved value"
- Fix crash when launching Release Notes PWA in Chrome OS
- SpeechRecognizerImpl: use a WeakPtr to itself for all tasks
- Compute omnibox background color from toolbar color, for custom themes
- Donot refresh login UI if auth enforcement was already performed on
- Make gcpw default cred provider
- [GCPW] Add retry mechanism for WinHttpUrlFetcher
- Update Google static pins
- network_config.js: Avoid assert when vpnType_ is undefined
- Switched to using a groupping role for embedded objects with children
- viz: Use child sequence number from parent if embed token changes
- M81: Support Sharp PPD color parsing by Lei Zhang Always return a valid IOSChromeSyncedTabDelegate::GetCurrentEntryIndex
- Don't set occlusion region when the frame is disabled
- Add sliders to modify mic gain in system tray
- GpuVDA: Override ProvidePictureBuffersWithVisibleRect()
- Ash,Wallpaper: Add support for reloading WallpaperType::ONE_SHOT
- Add option to enable system tray mic gain in chrome://flags
- Modify system tray icons to match new specs
- [MERGE 81] weblayer: increase allowed version skew to 4
- [Cherry-pick] WebUI Tab Strip: Add alert indicator for HID connected
- Add feature flag for mic gain settings in system tray
- Fixing NPE in cacheEvent of BTSUma
- [merge] media: Disallow CDM reset in mojo media services
- 4044: [code coverage] Merge script changes for separated test types
- CrOS network config: Cleanup and fix partial setting of ConfigProperties
- Require kvm for browser tests
- Handle visible_rect in V4L2/VAAPI VDAs when origin != (0, 0)
- V4L2SVDA: Validate visible rectangle
- media: Fix non-zero offset in visible rect
- VdaVD: Advertise a VideoFrame's visible size as the coded size
Google Chrome 81.0.4044.92
Fixed:
- Use after free in extensions
- Use after free in audio
- Out of bounds read in WebSQL
- Type Confusion in V8
- Insufficient validation of untrusted input in clipboard
- Insufficient policy enforcement in full screen
- Insufficient policy enforcement in navigations
- Insufficient policy enforcement in extensions
- Use after free in devtools
- Insufficient policy enforcement in extensions
- Use after free in window management
- Inappropriate implementation in WebView
- Insufficient policy enforcement in extensions
- Insufficient policy enforcement in navigations
- Inappropriate implementation in extensions
- Insufficient policy enforcement in omnibox
- Inappropriate implementation in cache
- Insufficient data validation in developer tools
- Uninitialized Use in WebRTC
- Insufficient policy enforcement in trusted types
- Insufficient policy enforcement in trusted types
- Inappropriate implementation in developer tools
- Use after free in V8
- Various fixes from internal audits, fuzzing and other initiatives
Google Chrome 80.0.3987.163
- media/gpu/v4l2(s)vda: stop accessing device members from child thread
- [Picture-in-Picture] Fix crash when closing window
- [Sync] Add feature flag to disable cache guid mismatch logic
- Fix sync Nigori cache GUID left empty upon mismatch
- [Sync] Implement Nigori cache guid mismatch
- [M81] OOBE - Make recommended apps illustration smaller
- [M81] OOBE - Add scroll shadows to the sign in screen
- M81 merge: Fix themes for supervised users on extensions lite
- [M81] Batch whitelist Imprivata extensions
- Android: Update Play Core
- Fixes bad code affected by -ftrivial-auto-var-init=pattern
- [M81] [Extensions] Fix couple of ProcessManager UaF issues
- [M81 Merge] Disallow pasting SVG use elements data URI
- remoting: Check autorepeat on keydown
- Do not attempt update for Tether networks
- M81 Merge: Add UMA for child installing extensions from
- Wait until native is loaded before issuing voice search queries
- Remove pref store initialization check from
- Fix in-session password change success detection for Ping IdP
- [Merge to M-81] Desks: Add a flag to limit windows in Alt-Tab to the current active desk
- Update help center URL of ADB sideloading
Google Chrome 80.0.3987.162
- Revert "3987: pin v8 to 9c25291e705136181ede345dabcf05fb054812af."
- 3987: [iOS]Updated "shard size" to "swarming tasks" for EG tests
- Android: Update Play Core
- [Merge to M80] Worker: Stop passing creator's origin for starting a dedicated worker
- M80 merge: Enable supervised users to install extensions from policy allowlist
- Pepper: support GpuMemoryBuffer-based frame in MediaStream Video
- Clear context from orphan handlers when BaseAudioContext is going away
- [PM] Fix invariant tracking
- Crash when a process node is destroyed while still hosting worker nodes
- Protect AutofillPopupControllerImpl from being destroyed in Show()
- Protect automatic pull handlers with Mutex
- 3987: pin v8 to 9c25291e705136181ede345dabcf05fb054812af
- Make finished_source_handlers_ hold scoped_refptrs
- [Merge] Reland: Sequentialise access to callbacks in DWriteFontLookupTableBuilder
- [M80 merge] Verify if the context is still available
- Reland "Use SupportsWeakPtr for messaging from rendering thread to main thread"
- Reland "[Merge M80] - Point usrsctp to a68325e7d9ed844cc84ec134192d788586ea6cc1."
- Update comment now that the speculative fix is (mostly) confirmed
- Speculative fix for crashes in ~FileChooserImpl()
- Use WeakPtr for cross-thread posting
- MojoVideoEncodeAcceleratorService: handle potential later Initialize()
- Break connections before removing from active_source_handlers_
- Revert "[Merge M81] - Point usrsctp to a68325e7d9ed844cc84ec134192d788586ea6cc1."
- [Merge M81] - Point usrsctp to a68325e7d9ed844cc84ec134192d788586ea6cc1
- Revert "Use SupportsWeakPtr for messaging from rendering thread to main thread"
- Use SupportsWeakPtr for messaging from rendering thread to main thread
- Reland "media/gpu/vaapi: Create VAImage with va surface size on UploadVideoFrameToSurface()"
- M80 "Fix flicker on Dru when capturing"
- 3987: Move all public ios swarming tests to new template pool
Google Chrome 80.0.3987.149
- Make finished_source_handlers_ hold scoped_refptrs
- Verify if the context is still available
- 3987_137: Roll v8 to 9c25291e705136181ede345dabcf05fb054812af
- [Merge] Reland: Sequentialise access to callbacks in DWriteFontLookupTableBuilder
- Update comment now that the speculative fix is (mostly) confirmed
- Speculative fix for crashes in ~FileChooserImpl()
- Use WeakPtr for cross-thread posting
- MojoVideoEncodeAcceleratorService: handle potential later Initialize()
- Break connections before removing from active_source_handlers_
- Use SupportsWeakPtr for messaging from rendering thread to main thread
- [Merge M80 minibranch] - Point usrsctp to a68325e7d9ed844cc84ec134192d788586ea6cc1
- arc: net: Prevent Service property update loops
- arc: net: print NetworkConfiguration service name
- media/gpu/vaapi: fix kNone VaapiVDA decode case
- media/gpu/vaapi: fix VASurfaceID leak in VaapiVideoDecodeAccelerator
- arc: net: Consistently get IP configs of host networks
- Cherry pick to M80
- Roll airmont AFDO profile from 80-3987.89-1581937220-benchmark-80.0.3987.133-r1 to 80-3987.89-1581937220-benchmark-80.0.3987.134-r1 by Chrome Release Autoroll
- Fix crash in OwnerSettingsServiceChromeOS::StorePendingChanges
- Roll airmont AFDO profile from 80-3987.89-1581937220-benchmark-80.0.3987.131-r1 to 80-3987.89-1581937220-benchmark-80.0.3987.133-r1 by Chrome Release Autoroll
- Roll airmont AFDO profile from 80-3987.89-1581937220-benchmark-80.0.3987.129-r1 to 80-3987.89-1581937220-benchmark-80.0.3987.131-r1 by Chrome Release Autoroll
Google Chrome 80.0.3987.132
Security fixes:
- High CVE-2020-6420: Insufficient policy enforcement in media
- Various fixes from internal audits, fuzzing and other initiatives
Google Chrome 80.0.3987.122
- Change log not available for this version
Google Chrome 80.0.3987.116
- Change log not available for this version
Google Chrome 80.0.3987.106
- Performance: Respect navigation's AllowTimingDetails() override in workerStart()
- Disable NV12 dynamic textures on AMD GPUs in general
- Revert "Remove scroll offset rounding in position:sticky"
- Roll broadwell AFDO profile from 80-3987.76-1581332381-benchmark-80.0.3987.100-r1 to 80-3987.76-1581332381-benchmark-80.0.3987.104-r1
- Roll airmont AFDO profile from 80-3987.76-1581334369-benchmark-80.0.3987.100-r1 to 80-3987.76-1581334369-benchmark-80.0.3987.104-r1
- [M80] Revert "FrameHost::SubresourceResponseStarted: s/ url / origin_of_final_url /."
- Roll silvermont AFDO profile from 80-3987.76-1581334760-benchmark-80.0.3987.100-r1 to 80-3987.76-1581334760-benchmark-80.0.3987.104-r1
- [ChromeDriver] Restore Chrome binary search order by Tricia Crichton · 2 days ago
- Roll ChromeOS orderfile from 80-3987.76-1581334760-benchmark-80.0.3987.98-r1 to 80-3987.76-1581334760-benchmark-80.0.3987.100-r1
- Updating XTBs based on .GRDs from branch 3987 by Ben Mason
- Roll broadwell AFDO profile from 80-3987.76-1581332381-benchmark-80.0.3987.98-r1 to 80-3987.76-1581332381-benchmark-80.0.3987.100-r1
- Roll airmont AFDO profile from 80-3987.76-1581334369-benchmark-80.0.3987.98-r1 to 80-3987.76-1581334369-benchmark-80.0.3987.100-r1
- Roll silvermont AFDO profile from 80-3987.76-1581334760-benchmark-80.0.3987.98-r1 to 80-3987.76-1581334760-benchmark-80.0.3987.100-r1
- Roll ChromeOS orderfile from 80-3987.76-1580727679-benchmark-80.0.3987.97-r1 to 80-3987.76-1581334760-benchmark-80.0.3987.98-r1
Google Chrome 80.0.3987.100
- Change log not available for this version
Google Chrome 80.0.3987.87
- Change log not available for this version
Google Chrome 79.0.3945.117
- Change log not available for this version
Google Chrome 79.0.3945.88
- Change log not available for this version
Google Chrome 79.0.3945.79
- Change log not available for this version
Google Chrome 78.0.3904.108
- Reland "Fix ownership of BluetoothAdapter in BluetoothDeviceChooserController"
- Fix OOB in OnBluetoothScanningPromptEvent
- Revert "Fix ownership of BluetoothAdapter in BluetoothDeviceChooserController"
- Fix ownership of BluetoothAdapter in BluetoothDeviceChooserController
- [libusb] Fix racy UAF in libusb_get_next_timeout
- Add to rendering orphan handlers when destination is running
- [TransactionalLevelDB] Fix iterating 'Prev' from evicted iterators
- Avoid unexpected render frame host reentrancy during Window destruction
- Fix a crash in ManagePasswordsState with use-after-free
- Updating XTBs based on .GRDs from branch 3904
- Fix compile
- Get the element central location correctly if there is drop down menu
- Re-add "Close Other Tabs" to tabstrip context menu
- [Feed] Import [email protected]
- Fix IsInitialScrollHitTestReliable for fixed elements
- Fix main thread viewport pan from outside root scroller
- OOBE: Fix high CPU usage on login screen
- [Passwords] Fix for LoginDatabase that got downgraded from 25 to 24
- Revise SameSite cookie warning messages to correct misleading wording
Google Chrome 78.0.3904.97
- Change log not available for this version
Google Chrome 78.0.3904.70
Security Fixes:
This update includes 37 security fixes. Below, we highlight fixes that were contributed by external researchers:
- Use-after-free in media
- Buffer overrun in Blink
- URL spoof in navigation
- Privilege elevation in Installer
- URL bar spoofing
- CSP bypass
- Extension permission bypass
- Out-of-bounds read in PDFium
- File storage disclosure
- HTTP authentication spoof
- File download protection bypass
- File download protection bypass
- Cross-context information leak
- Buffer overflow in expat
- Cross-origin data leak
- CSS injection
- Address bar spoofing
- Service worker state error
- Notification obscured
- IDN spoof
- Notification obscured
As usual, our ongoing internal security work was responsible for a wide range of fixes:
- Various fixes from internal audits, fuzzing and other initiatives |
