-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 29 Apr 2026 04:36:38 -0400
Source: chromium
Architecture: source
Version: 147.0.7727.137-1~deb12u1
Distribution: bookworm-security
Urgency: high
Maintainer: Debian Chromium Team <chromium@packages.debian.org>
Changed-By: Andres Salomon <dilinger@debian.org>
Closes: 1052440
Changes:
 chromium (147.0.7727.137-1~deb12u1) bookworm-security; urgency=high
 .
   [ Andres Salomon ]
   * New upstream security release.
     - CVE-2026-7363: Use after free in Canvas. Reported by heapracer.
     - CVE-2026-7361: Use after free in iOS. Reported by Google.
     - CVE-2026-7344: Use after free in Accessibility. Reported by Google.
     - CVE-2026-7343: Use after free in Views. Reported by Google.
     - CVE-2026-7333: Use after free in GPU.
       Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-7360: Insufficient validation of untrusted input in Compositing.
       Reported by Google.
     - CVE-2026-7359: Use after free in ANGLE. Reported by Google.
     - CVE-2026-7358: Use after free in Animation. Reported by Google.
     - CVE-2026-7334: Use after free in Views. Reported by Batuhan Eşref KOÇ.
     - CVE-2026-7357: Use after free in GPU. Reported by Google.
     - CVE-2026-7356: Use after free in Navigation. Reported by Google.
     - CVE-2026-7354: Out of bounds read and write in Angle. Reported by Google.
     - CVE-2026-7353: Heap buffer overflow in Skia. Reported by Google.
     - CVE-2026-7352: Use after free in Media. Reported by Google.
     - CVE-2026-7351: Race in MHTML. Reported by Google.
     - CVE-2026-7350: Use after free in WebMIDI. Reported by Google.
     - CVE-2026-7349: Use after free in Cast. Reported by Google.
     - CVE-2026-7348: Use after free in Codecs. Reported by Google.
     - CVE-2026-7335: Use after free in media.
       Reported by Jungwoo Lee (@physicube) and Wongi Lee (@_qwerty_po).
     - CVE-2026-7336: Use after free in WebRTC. Reported by Mozilla.
     - CVE-2026-7337: Type Confusion in V8. Reported by q@calif.io.
     - CVE-2026-7347: Use after free in Chromoting. Reported by Google.
     - CVE-2026-7346: Inappropriate implementation in Tint. Reported by Google.
     - CVE-2026-7345: Insufficient validation of untrusted input in Feedback.
       Reported by Google.
     - CVE-2026-7338: Use after free in Cast. Reported by Krace.
     - CVE-2026-7342: Use after free in WebView. Reported by Google.
     - CVE-2026-7341: Use after free in WebRTC. Reported by Google.
     - CVE-2026-7339: Heap buffer overflow in WebRTC.
       Reported by c6eed09fc8b174b0f3eebedcceb1e792.
     - CVE-2026-7340: Integer overflow in ANGLE.
       Reported by 86ac1f1587b71893ed2ad792cd7dde32.
     - CVE-2026-7355: Use after free in Media. Reported by Google.
 .
   [ Jianfeng Liu ]
   * d/patches:
     - upstream/Fix-GL-native-pixmap-import-support-reset-in-GpuInit.patch:
       Fixes upstream issue https://crbug.com/501115509. This issue is
       introduced in v147, and unfortunately the fix won't get into v147. This
       issue affects both vaapi and v4l2 decoding under ozone wayland.
     - fixes/enable-widevine-on-arm64-linux-platform.patch: Enable widevine
       support on arm64. There is no official support for widevine on arm64
       linux while there are libwidevine binaries extracted from chromeos,
       which can work on linux (closes: #1052440).
Checksums-Sha1:
 6594aace5dae69d2c33e58101c08f8047cc99b1c 4068 chromium_147.0.7727.137-1~deb12u1.dsc
 0916bd66a6ae05ad5a1dff42a960c56d29c29aee 787224144 chromium_147.0.7727.137.orig.tar.xz
 25317403f937c2e4d60fccd3027b7382001585b8 8569248 chromium_147.0.7727.137-1~deb12u1.debian.tar.xz
 66d18c81e37d5562f4358dbd8e883687cb9ebb37 26842 chromium_147.0.7727.137-1~deb12u1_source.buildinfo
Checksums-Sha256:
 5a4f62a865c3adfdd145f0f64ee49b6143d9673692d06d3853dc40f649fa3ae6 4068 chromium_147.0.7727.137-1~deb12u1.dsc
 f186528758c082ec3b25992677633918cd0012436613c04da0f62a613063ac51 787224144 chromium_147.0.7727.137.orig.tar.xz
 9201a8b880fe28f89cd0d3f0d87ffb15eb4c7c58198e101a45fec9af06d41e03 8569248 chromium_147.0.7727.137-1~deb12u1.debian.tar.xz
 042f159844e7b1a660f4044ba2c99161f0559fa31f93508557d6c9cde4228dd5 26842 chromium_147.0.7727.137-1~deb12u1_source.buildinfo
Files:
 cc7b82ce0f28b01b05644a31ea04bdf2 4068 web optional chromium_147.0.7727.137-1~deb12u1.dsc
 950fb971a06c30b674b09620be44fc38 787224144 web optional chromium_147.0.7727.137.orig.tar.xz
 1eb443fc529b32d37c57f6d7f42b45d8 8569248 web optional chromium_147.0.7727.137-1~deb12u1.debian.tar.xz
 2ef746b0396f35b0d6f9bfdf3eb52b28 26842 web optional chromium_147.0.7727.137-1~deb12u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
