Debian Package Tracker

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: <>
Subject: Accepted chromium 149.0.7827.102-1~deb12u1 (source) into oldstable-security
Date: Wed, 10 Jun 2026 21:48:19 +0000
Signed by: Andres Salomon <dilinger@debian.org>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 09 Jun 2026 04:00:45 -0400
Source: chromium
Architecture: source
Version: 149.0.7827.102-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Changes:
 chromium (149.0.7827.102-1~deb12u1) bookworm-security; urgency=high
 .
   [ Andres Salomon ]
   * New upstream security release.
     - CVE-2026-11628: Use after free in Ozone. Reported by Google.
     - CVE-2026-11629: Use after free in Ozone. Reported by Google.
     - CVE-2026-11630: Use after free in File Input. Reported by Google.
     - CVE-2026-11631: Use after free in Aura. Reported by Google.
     - CVE-2026-11632: Use after free in TabStrip. Reported by Google.
     - CVE-2026-11633: Use after free in Bluetooth. Reported by Google.
     - CVE-2026-11634: Use after free in Gamepad. Reported by Google.
     - CVE-2026-11635: Use after free in Bluetooth. Reported by Google.
     - CVE-2026-11636: Use after free in Autofill. Reported by Google.
     - CVE-2026-11637: Use after free in Views. Reported by Google.
     - CVE-2026-11638: Use after free in Printing. Reported by Google.
     - CVE-2026-11639: Use after free in Compositing. Reported by Google.
     - CVE-2026-11640: Integer overflow in libyuv. Reported by Google.
     - CVE-2026-11641: Use after free in Bluetooth. Reported by Google.
     - CVE-2026-11642: Use after free in Web Apps. Reported by Google.
     - CVE-2026-11643: Use after free in Proxy. Reported by Google.
     - CVE-2026-11644: Use after free in Views. Reported by Google.
     - CVE-2026-11645: Out of bounds memory access in V8. Reported by 303f06e3
     - CVE-2026-11646: Use after free in ViewTransitions.
       Reported by Quac Tran.
     - CVE-2026-11647: Use after free in Printing. Reported by Google.
     - CVE-2026-11648: Use after free in FullScreen.
       Reported by Mihnea Nicolau.
     - CVE-2026-11649: Use after free in V8. Reported by Google.
     - CVE-2026-11650: Use after free in V8. Reported by Google.
     - CVE-2026-11651: Use after free in Network. Reported by Google.
     - CVE-2026-11652: Use after free in Extensions. Reported by Google.
     - CVE-2026-11653: Insufficient validation of untrusted input in
       Extensions. Reported by Google.
     - CVE-2026-11654: Use after free in CameraCapture. Reported by Google.
     - CVE-2026-11655: Integer overflow in Media. Reported by Google.
     - CVE-2026-11656: Use after free in ServiceWorker. Reported by Google.
     - CVE-2026-11657: Use after free in Payments. Reported by Google.
     - CVE-2026-11658: Insufficient validation of untrusted input in
       Extensions. Reported by Google.
     - CVE-2026-11659: Insufficient validation of untrusted input in UI.
       Reported by Google.
     - CVE-2026-11660: Insufficient validation of untrusted input in
       New Tab Page. Reported by Google.
     - CVE-2026-11661: Use after free in Views. Reported by Google.
     - CVE-2026-11662: Type Confusion in Bindings. Reported by Google.
     - CVE-2026-11663: Use after free in Skia. Reported by Google.
     - CVE-2026-11664: Use after free in Payments. Reported by Google.
     - CVE-2026-11665: Out of bounds read in Dawn. Reported by Google.
     - CVE-2026-11666: Insufficient validation of untrusted input in Input.
       Reported by Google.
     - CVE-2026-11667: Out of bounds read in WebRTC. Reported by Google.
     - CVE-2026-11668: Uninitialized Use in Codecs. Reported by Google.
     - CVE-2026-11669: Integer overflow in Media. Reported by Google.
     - CVE-2026-11670: Use after free in PDF. Reported by Google.
     - CVE-2026-11671: Use after free in Navigation. Reported by Google.
     - CVE-2026-11672: Out of bounds write in GPU. Reported by Google.
     - CVE-2026-11673: Use after free in InterestGroups. Reported by Google.
     - CVE-2026-11674: Use after free in Guest View. Reported by Google.
     - CVE-2026-11675: Insufficient validation of untrusted input in Skia.
       Reported by Google.
     - CVE-2026-11676: Insufficient validation of untrusted input in Dawn.
       Reported by Google.
     - CVE-2026-11677: Race in Network. Reported by Google.
     - CVE-2026-11678: Integer overflow in libyuv. Reported by Google.
     - CVE-2026-11679: Use after free in Codecs. Reported by Google.
     - CVE-2026-11680: Use after free in Media. Reported by Google.
     - CVE-2026-11681: Use after free in Ozone. Reported by Google.
     - CVE-2026-11682: Insufficient validation of untrusted input in Views.
       Reported by Google.
     - CVE-2026-11683: Use after free in WebCodecs. Reported by Google.
     - CVE-2026-11684: Insufficient policy enforcement in Network.
       Reported by Google.
     - CVE-2026-11685: Insufficient data validation in MediaCapture.
       Reported by Google.
     - CVE-2026-11686: Insufficient validation of untrusted input in Dawn.
       Reported by Google.
     - CVE-2026-11687: Use after free in Dawn. Reported by Google.
     - CVE-2026-11688: Object lifecycle issue in SVG. Reported by Google.
     - CVE-2026-11689: Insufficient validation of untrusted input in
       Passwords. Reported by Google.
     - CVE-2026-11690: Out of bounds read and write in Media.
       Reported by Google.
     - CVE-2026-11691: Insufficient validation of untrusted input in
       New Tab Page. Reported by Google.
     - CVE-2026-11692: Use after free in Read Anything. Reported by Google.
     - CVE-2026-11693: Inappropriate implementation in Plugins.
       Reported by Google.
     - CVE-2026-11694: Use after free in ServiceWorker. Reported by Google.
     - CVE-2026-11695: Inappropriate implementation in Passwords.
       Reported by Google.
     - CVE-2026-11696: Uninitialized Use in Video. Reported by Google.
     - CVE-2026-11697: Insufficient validation of untrusted input in UI.
       Reported by Google.
     - CVE-2026-11698: Use after free in Bluetooth. Reported by Google.
     - CVE-2026-11699: Use after free in Bluetooth. Reported by Google.
     - CVE-2026-11700: Use after free in Tracing. Reported by Google.
     - CVE-2026-11701: Insufficient validation of untrusted input in Guest
       View. Reported by Google.
   * d/patches:
     - fixes/arm-logging.patch: add patch to hopefully fix build failure
       on arm*.
     - loongarch64/0024-fix-libyuv-lsx.patch: refresh.
 .
   [ Timothy Pearson ]
   * d/patches/ppc64le:
     - 0001-Add-pregenerated-config-for-libaom-on-ppc64.patch: refresh for
       upstream changes
     - core/baseline-isa-3-0.patch: refresh
Checksums-Sha1:
 856966bd7b9983309793163a2b960d3dc749428c 4068 chromium_149.0.7827.102-1~deb12u1.dsc
 af23b283e8e76592011c20ec891b03161567054b 929270484 chromium_149.0.7827.102.orig.tar.xz
 d070140ad5569fbfd659ad76d44304e46ed37a9c 8583856 chromium_149.0.7827.102-1~deb12u1.debian.tar.xz
 9905a165a785b1201a239583da61042cdfbd457c 26842 chromium_149.0.7827.102-1~deb12u1_source.buildinfo
Checksums-Sha256:
 6cc27fc595188d874c5319b7b28d45e5a8f3fa3dca4f03b5fba84423111067a1 4068 chromium_149.0.7827.102-1~deb12u1.dsc
 57eaea7881f8c6674426982fd7ed0b3165a6c884fbc62f7a782b0321a38c6e01 929270484 chromium_149.0.7827.102.orig.tar.xz
 5e1a9374f5514772219fb00d242ce271a45c9e10a0302c2d7a3a9af28aa805a8 8583856 chromium_149.0.7827.102-1~deb12u1.debian.tar.xz
 f13f5332b488e03a51209c00c75e0d0624d9ec0629adefa11236cc06c56eabca 26842 chromium_149.0.7827.102-1~deb12u1_source.buildinfo
Files:
 4589dda01a4470641a30b939fcbed0e2 4068 web optional chromium_149.0.7827.102-1~deb12u1.dsc
 fe4c454742bc2f18315cc7ebb3cf4f0a 929270484 web optional chromium_149.0.7827.102.orig.tar.xz
 e8041b70a6552d5af47ffc240692f0d0 8583856 web optional chromium_149.0.7827.102-1~deb12u1.debian.tar.xz
 c28ff66397b85db5168c61617affae85 26842 web optional chromium_149.0.7827.102-1~deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEUAUk+X1YiTIjs19qZF0CR8NudjcFAmoouXEUHGRpbGluZ2Vy
QGRlYmlhbi5vcmcACgkQZF0CR8NudjcJLhAAhUbJL+yL1VTLlYaLbqm+j2JL76xP
EBXUb4O3gbdr6iSgFboAZAc3dAdEpzs+4pKniILaM0yoplV9IuiPxDihMd+bELYd
5IFw/cr5R16AmW1D8Ilqg6XlvrqM6LuL9a/FYIeujM0tB1B+qPxsQLE226HJnnIR
63BQtGfiV9rT7h/UEtdoIhTsryVVN65Kgx/ws4lTm0RnYGeXL+pNNj+sPnz3GFi+
GFKl1kyxnEovxu4oZvKC/NOvqjDU6pF4wCP9C0+SzyE7iS0TMQtcX5lxCN+NHuU4
1DqzB2YWlDWpP1Rno27jHkA8aHynXP64YjRTQ059wRJ1qytUjrshYZ5JGHX/+9xZ
Q+TbiCtuRR3NK2m5/CjtU8TalvSyFpLUrtdgM7RAdw0WaBjCm/mTTfnAEmyQl1Vr
KKWCuVX6lMXBkg9KDD7n9fgSH6yCH0abTJBrA4cr9ckVEY4kT+kI8/zhKtJNh9Xv
7wxTCt3MUlmhvJ3SCZp26dDELMxPcIQ6qHjUzzsSJHiYSBlu3TaC4ZgFq/JM1fac
5WhQvCC2jTu0ETYDBKX2EE4+yPcTN7LcixaVq1H23wyaCbbmyX2Fs0qW78oceMch
dkdO0wBfX6GWXddnYEDcqN02VRiyoAbjKNOMRDWGlXVKoKeXd3CSwO2XnnciNXx2
0BUfMN7i6Y+pjy8=
=haKD
-----END PGP SIGNATURE-----
News for package chromium
