Wednesday, March 2, 2016

Stable Channel Update

The Chrome team is delighted to announce the promotion of Chrome 49 to the stable channel for Windows, Mac and Linux.


Chrome 49.0.2623.75 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 49.


Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 26 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chromium security page for more information.

[$8000][560011] High CVE-2016-1630: Same-origin bypass in Blink. Credit to Mariusz Mlynski.
[$7500][569496] High CVE-2016-1631: Same-origin bypass in Pepper Plugin. Credit to Mariusz Mlynski.
[$5000][549986] High CVE-2016-1632: Bad cast in Extensions. Credit to anonymous.
[$3000][572537] High CVE-2016-1633: Use-after-free in Blink. Credit to cloudfuzzer.
[$3000][559292] High CVE-2016-1634: Use-after-free in Blink. Credit to cloudfuzzer.
[$2000][585268] High CVE-2016-1635: Use-after-free in Blink. Credit to Rob Wu.
[$2000][584155] High CVE-2016-1636: SRI Validation Bypass. Credit to Ryan Lester and Bryant Zadegan.
[$500][560291] High CVE-2015-8126: Out-of-bounds access in libpng. Credit to joerg.bornemann.
[$2000][555544] Medium CVE-2016-1637: Information Leak in Skia. Credit to Keve Nagy.
[$1000][585282] Medium CVE-2016-1638: WebAPI Bypass. Credit to Rob Wu.
[$1000][572224] Medium CVE-2016-1639: Use-after-free in WebRTC. Credit to Khalil Zhani.
[$1000][550047] Medium CVE-2016-1640: Origin confusion in Extensions UI. Credit to Luan Herrera.
[$500][583718] Medium CVE-2016-1641: Use-after-free in Favicon. Credit to Atte Kettunen of OUSPG.

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. An additional $14,500 in rewards were issued for security bugs present on non-stable channels.

As usual, our ongoing internal security work was responsible for a wide range of fixes:
  • [591402] CVE-2016-1642: Various fixes from internal audits, fuzzing and other initiatives.
  • Multiple vulnerabilities in V8 fixed at the tip of the 4.9 branch (currently 4.9.385.26).

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, Control Flow Integrity or LibFuzzer.


Interested in switching release channels? Find out how.  If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.


Krishna Govind
Google Chrome

Labels:

75 Comments:

Blogger Rafael Hilário said...

I think that after the update 49 to scroll the page is slower and locked. This is only happening to me?

12:59 PM, March 02, 2016  
Blogger Gus Dreyer said...

WEB GL particles effects are not working anymore. And yes, it´s because of the update.

1:05 PM, March 02, 2016  
Blogger DeAxes said...

Anyone else having trouble with the new way that Chrome manages hidden extensions? There are certain extensions, like Dropbox for Gmail, Google Docs Offline, or No MouseWheel Zoom, that I want the functionality of but don't need to see at any point. Let me get hide them so they're not either in the toolbar or chrome menu.

1:30 PM, March 02, 2016  
Blogger Nick McManus said...

To Rafael Hilário,

The flag for smooth scrolling, previously set to disabled, is now enabled by default. This is what's causing your delayed and smooth scrolling.

You can disable it here: chrome://flags/#disable-smooth-scrolling

1:36 PM, March 02, 2016  
Blogger Rafael Hilário said...

To Nick McManus,

Thank you for your information, I'll try it, but do you recommend me to leave the smooth scrolling enabled by default or off it?

Thanks for your help.

1:42 PM, March 02, 2016  
Blogger Rafael Hilário said...

To Nick McManus,

It seems that Google Chrome is much slower using the smooth scroll. Looks like your browser is locked. Google could go back and remove this option as a default.

1:46 PM, March 02, 2016  
Blogger Avalanche Tsunami said...

Wait a second, why are the beta channel version of Chrome and the stable channel of Chrome the same? Shouldn't Beta be ahead of Stable?

2:35 PM, March 02, 2016  
Blogger Andres Jimenez said...

Why have you not made extension hiding normal again? It's bad UI design having them all clogged up in the chrome menu and the ones that were in the omnibar aren't there anymore.

4:16 PM, March 02, 2016  
Blogger Lee Brown said...

I'm thankful for some of the backend security updates and the improvement on page load speed, but...

- Hiding extensions needs to be made available again.
- Smooth scrolling should still be off by default, at least until it actually scrolls smoothly.

5:01 PM, March 02, 2016  
Blogger 节操帝の碧落歌音的根据地 said...

After updating, the Chinese font on tab bar became bold.

5:17 PM, March 02, 2016  
Blogger Matt said...

Upgrade your package list for Linux please. Getting a bunch of error messages about not being able to fetch the 32bit packages. I'm not even using 32bit.

7:23 PM, March 02, 2016  
Blogger George Korosy said...

+1 Lee Brown: please re-enable hiding extensions.

7:46 PM, March 02, 2016  
Blogger Thomas Beling said...

I'm writing for the Chrome Help Forum Germany and we have lots of users stating that after this update ALL extension-icons will be displayed, even those that noamally don't show any icon. This must be a bug.

9:55 PM, March 02, 2016  
Blogger Milan Onderka said...

After update SSL client certificate authentization failed :(

10:06 PM, March 02, 2016  
Blogger Ronnie Smith said...

It doesn't download correctly for Linux.

10:56 PM, March 02, 2016  
Blogger Chen Xie said...

Chrome 49 Stable is not inconvenient in use extensions.
Plz let hiding extensions back, and let extensions show icon in address bar.

11:48 PM, March 02, 2016  
Blogger lyl yuan said...

up , uBlock can't use

12:09 AM, March 03, 2016  
Blogger lyl yuan said...

up , uBlock can't use

12:09 AM, March 03, 2016  
Blogger lyl yuan said...

up , uBlock can't use

12:10 AM, March 03, 2016  
Blogger Hero HL said...

better and better

1:17 AM, March 03, 2016  
Blogger xr said...

https://www.reddit.com/r/chrome/comments/48oahd/the_chrome_team_is_delighted_to_announce_the/

1:26 AM, March 03, 2016  
Anonymous Anonymous said...

There's no icon in my address bar though it should be.

2:31 AM, March 03, 2016  
Blogger Megadyptes said...

I really dislike the way extension icons are now handled. Extensions that showed icons on the address bar for specific pages now cluttering up the extensions icon list to the right unless I hide them, which defeats the point of having them only show up on specific sites in the address bar. Also extensions with no actions on the button like dictionary having the icon visible either on the toolbar or in the menu is pretty annoying and clutters things up. Please make an option for icons to be handled as before.

7:30 AM, March 03, 2016  
Blogger Saro Jooren said...

@Thomas Beling and others,

All extensions icons showing all the time, has been a feature since v.48 already:
https://productforums.google.com/forum/#!topic/chrome/t9AHfd90OAE

7:41 AM, March 03, 2016  
Blogger 犬神イッキ小 said...

why i can't access the channell to update in ubuntu linux? http://dl.google.com/linux/chrome/deb/

7:43 AM, March 03, 2016  
Blogger Stephen Loeckle said...

Can't download for linux. From the web:

Not Found Error 404

and from the command line in debian:

W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/Release Unable to find expected entry 'main/binary-i386/Packages' in Release file (Wrong sources.list entry or malformed file)

E: Some index files failed to download. They have been ignored, or old ones used instead.

8:19 AM, March 03, 2016  
Blogger Chris McCoy said...

some extensions that added icons into the address bar, like adblock, bookmark manager, no longer are able to access via this way, they are now grouped into the rest of the plugin icons.

8:43 AM, March 03, 2016  
Blogger Bortnyák Roland said...

@Stephen Loeckle I have the same error on Ubuntu 14.04 LTS. Subscribing..

10:52 AM, March 03, 2016  
Blogger Gopinath M S said...

hidden extensions like google docs offline etc reappeared

extensions like "bookmark manager" by google,turn off the lights is moved inside hamburger menu instead of being inside address bar

10:53 AM, March 03, 2016  
Anonymous Anonymous said...

W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/Release Unable to find expected entry 'main/binary-i386/Packages' in Release file (Wrong sources.list entry or malformed file)

E: Some index files failed to download. They have been ignored, or old ones used instead.
building file list ... done

Ubuntu 15.10, amd64, before and after I downloaded deb package v49.

11:12 AM, March 03, 2016  
Blogger Jesica Love said...

Chrome 49 Stable is not inconvenient in use extensions.
Plz let hiding extensions back, and let extensions show icon in address bar.
Berita Bola

11:51 AM, March 03, 2016  
Blogger XEOXTH said...

i Cant save Webpages, stays paused.

1:00 PM, March 03, 2016  
Blogger viperx143 said...

Those with failing apt update should look at this: https://askubuntu.com/questions/394653/ubuntu-64-bit-failed-to-fetch-file-binary-i386-packages-error-while-updat

1:02 PM, March 03, 2016  
Blogger Dave said...

This comment has been removed by the author.

1:18 PM, March 03, 2016  
Blogger Dave said...

This comment has been removed by the author.

1:19 PM, March 03, 2016  
Blogger Bortnyák Roland said...

Thanks @viperx143, worked for me! (Add it to /etc/apt/sources.list.d/google-chrome.list after "deb" keyword!)

1:51 PM, March 03, 2016  
Blogger Dennis Lockhart said...

Yes, thanx @viperx143, that [arch=amd64] solution works.

Strange that, even though I'm on an x86_64 machine, I now have to specify that in the sources file. Hope this gets straightened out soon 'cause I think a lot of linux users are going to be alarmed with the error messages.

3:31 PM, March 03, 2016  
Blogger XEOXTH said...

1 Hour later:

http://imgur.com/tTmgXss

4:15 PM, March 03, 2016  
Blogger jblog said...

Any update on this issue guys?

W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/s...

5:59 PM, March 03, 2016  
Blogger Eric Carlsen said...

I'm also getting the error on linux. Is there no i386 release anymore? It looks like the Release file only lists amd64 architecture.

W: Failed to fetch http://dl.google.com/linux/chrome/deb/dists/stable/Release Unable to find expected entry 'main/binary-i386/Packages' in Release file

6:26 PM, March 03, 2016  
Anonymous Anonymous said...

Guys, I downloaded deb package v48 and, for a long time, there was no error message so no apt-related files editing was needed.
I uninstalled v48 and I downloaded chrome deb v49 and the error message still appears.
Can't Google do his/its job?

10:10 PM, March 03, 2016  
Blogger arcade said...

So, the i386 stuff is rather sad.

Even more sad is that even if you fix the sources file, the /opt/google/chrome/cron/google-chrome crontab is still wrong .. which means .. the problem will return!

Folks - please fix.

10:33 PM, March 03, 2016  
Blogger L. Wu said...

pls extensions show icon in address bar!!!!

1:08 AM, March 04, 2016  
Blogger Richard A. Downing said...

Still not fixed the broken 'clicking in the URL bar' bug. It still selects the whole thing. Dork-like behaviour.

3:00 AM, March 04, 2016  
Blogger /mnt said...

sudo gedit /etc/apt/sources.list.d/google-chrome.list


Change to:


deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main

6:58 AM, March 04, 2016  
Blogger /mnt said...

Nevermind my last. It didn't work either. :(

7:24 AM, March 04, 2016  
Blogger Jeff Dickens said...

See https://www.reddit.com/r/chrome/comments/48oje6/linux_how_to_fix_failed_to_fetch/

For pity's sake Google.

7:50 AM, March 04, 2016  
Blogger Piotr Żółtowski said...

Guys, please disable that awful new way with extensions' bar. I don't like it, because I have 2 extensions, which should be on omnibar no matter what, but because of this change is not possible to put 2 extenions' icons into omnibar instead having them in extensions' bar :/

9:01 AM, March 04, 2016  
Blogger Gerald G said...

are you serious with the extension bar?!?

previous version had 4 well defined states for extension icons:
- visible in the extension bar, for everything often used;
- in the drop-down/overflow area of the bar, for everything seldom used, to avoid clutter
- in the omni bar - when it makes sense; i.e. for cookie-managers (like chrome's own cookie button).
- completely hidden, i.e. for extensions that have no accessible methods (by the icon), or because of any other good reason.


NOW...
- if you make the bar smaller, the previous drop-down/overflow area appears as another bar on top of the option menu; what the hell? ui guide lines anyone?
- extensions that should be completely hidden are just put into the same "option menu part" of the extension bar... what is not to understand about the direction "hide from the menu"???
- if you happen to click an icon from _there_ (option menu part of the bar), which would open some input window, the icon jumps into the visible area of the extension bar, until interaction ends? WTF? seriously? ui guide lines ANYONE?
- extensions that should _rightfully_ appear only in the omni bar - because it just makes sense from a context pov - are now stuffed into the omni bar like everything else. just bad; and a drawback.

10:03 AM, March 04, 2016  
Blogger TMHKR_AK said...

Font kerning is messed up, both in standard and DirectWrite rendering. Mostly noticeable on words with a leading uppercase T / V / Y letter. Plase revert the kerning as it was in the previous version.

Another thing - the option to disable Material Design on internal PDF viewer is gone, please bring it back.

10:42 AM, March 04, 2016  
Blogger Andrew Stilliard said...

Looks like this version or maybe previous too has broken "page_action" behavior in apps, see apps like: https://chrome.google.com/webstore/detail/twitter-detector-detect-t/papcdbgfejihdinhieggiamjnkclhkck

No longer appear in the url bar, instead show next to it with the rest of apps.
Code is here for ref: https://github.com/stilliard/Twitter-detector

12:42 PM, March 04, 2016  
Blogger Paul Perkins said...

Not only has Google dropped 32-bit Chrome, they did it in a way that breaks Debian-family Linux systems with 64-bit Chrome installed -- the "apt" update routine complains of a malformed sources.list that Google not only broke, but re-breaks via a cron job if you fix it. Seriously uncool.

7:45 PM, March 04, 2016  
Blogger Miszkurka2000 said...

When for Windows 10 Mobile?

2:30 AM, March 05, 2016  
Blogger MThorner said...

dear Google techies, please inform us about the best fix for the Chrome on Linux issue.
The solution found by several people https://www.reddit.com/r/chrome/comments/48oje6/linux_how_to_fix_failed_to_fetch/ is just a dirty workaround.

5:49 AM, March 05, 2016  
Blogger Jesica Love said...

Nice post n thanks for u informatioan Agen Judi Online Terpercaya
Berita Bola

12:46 PM, March 05, 2016  
Blogger dumol said...

With Chromium 49, I think you broke scrolling for people that invert the scroll buttons in X. I have the following in the "Input Device" section of my xorg.conf file:

Option "ZAxisMapping" "5 4"

And this in my .xinitrc file:

xmodmap -e "pointer = 3 2 1 5 4"

I use my mouse with my left hand and also invert the direction of scrolling as it feels more natural. Have been using my scroll wheel this way for more than 6 years with no issues in any X applications. Now scrolling works backwards for me in Chromium 49 (and only in Chromium 49). Disabling smooth scrolling has no effect in this regard… :-/

1:50 AM, March 06, 2016  
Blogger /mnt said...

On LinuxMint 17
sudo gedit /etc/apt/sources.list.d/google-chrome.list
Change to:
deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main
Then
sudo gedit /opt/google/chrome/cron/google-chrome
Change Lines# 24 & 25 to:
REPOCONFIG="deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main"
SSLREPOCONFIG="deb [arch=amd64] https://dl.google.com/linux/chrome/deb/ stable main"

Update either with sudo apt-get update && upgrade or with Update manager "refresh"

I think it fixed it anyways...I don't get errors anymore. We'll see soon when a new version comes out. (?)

8:50 AM, March 06, 2016  
Blogger JerryZ said...

Win 7 64 bit. Intel I7 5960 16 proc CPU, 3.0 GHZ. 64 GB RAM. Graphics: AMD Radeon R9 200 Series, 4 GB.

After updating to 49, I noticed that Chrome apps were displaying. Scrolling was slow and sticky. Chrome started hanging. I went to extensions and noticed that Chrome had loaded a number of Google Docs Apps; I had not loaded them.

I went to chrome://flags/#disable-smooth-scrolling, and disabled/killed the flag (Thanks @Nick McManus). I then went to Extensions; I disabled/removed the various Google Docs apps/extensions (Thanks for nothing, Google).

I then closed Chrome and re-opened Chrome. That seems to have solved the hangs and solved the scrolling issues.

Oy vey, Google. Do you ever do perf testing and analysis before releasing an update? Are you using a profiler to see what has slowed/speeded up? Do you optimize your bits before you release? Come on, guys and gals. You are supposed to be world-class coders/devs and PMs.

10:05 AM, March 06, 2016  
Blogger Brian Fritz said...

After updating to 49 the CSS properties for word-wrapping stopped working:

word-break: break-all;
word-wrap: break-word;

1:27 PM, March 06, 2016  
Blogger Brian Fritz said...

I tracked the issue down to word-wrap used with a PRE tag. I created a fiddle of the issue and solution here: https://jsfiddle.net/8z978sbw/

1:55 PM, March 06, 2016  
Blogger JerryZ said...

@Brian Fitz

I noticed the same thing yesterday. Ironically, it occurred when I did my Chrome comment in Blogger.com. I pressed preview and comment did not wrap. Thanks, Google, for providing the opportunity for QED. SMH

It has even done this on the preview of this comment. LMTO

4:27 PM, March 06, 2016  
Blogger JerryZ said...

Sorry @Brian Fritz. I wrote Fitz. I erred.

4:51 PM, March 06, 2016  
Blogger Rohith said...

Thank you so much... your blog is giving very useful knowledge for all.i didn’t have the knowledge in this now i get an idea about this.. thks a lot:-)
Also do you want credit card to cash chennai at low interest.

11:32 PM, March 06, 2016  
Blogger Florian WATTIER said...

Listeners's leak on $ events and HammerJS events since chrome 49 update

2:32 AM, March 07, 2016  
Blogger Michael Parker said...

User today got a message from someone he knew in his Skype contact list to click on a link. He asked why and his friend said "trust me it's really cool".
He clicked on the link and his Windows Desktop was taken over using Google's screen share. He powered his machine off and booted up his laptop, his laptop was taken over the minute he launched Google Chrome because he was signed in on both machines to his google account.

He contacted his friend by phone who had no idea his machine had been compromised. He was able to clean his computer from Safe mode but this could get really bad if it is not patched.

2:19 PM, March 07, 2016  
Blogger Jameel said...

This comment has been removed by the author.

6:09 AM, March 08, 2016  
Blogger Syaiful wisata said...

very amazing post, I like It, Thank you for presenting a wide variety of information that is very interesting to see in this artikle, good job adnd succes For you


Ingin Liburan Ke karimun jawa dengan aman dan nyaman di karimunjawa ? Ingin Paket Wisata Karimunjawa dan gak murahan? Hubungi Kami "Raja Karimunjawa" biro lokal asli Karimunjawa . Untuk Book Paket Karimunjawa dan Tour Karimunjawa , silahkan hubungi kami karena kami biro karimunjawa dan trevel karimunjawa terpercaya. Paket wisata karimunjawa Murah tapi mewah, murah tapi gak murahan. Kepuasan Wisata Karimunjawa anda di pulau Karimunjawa adalah kebahagia'an dan tujuan kami. Terimakasih telah mempercayakan paket karimunjawa bersama kami Agen Wisata Karimunjawa.

6:12 AM, March 08, 2016  
Blogger Jameel said...

This update breaks our OWA 2013 with a 404 error...
The address bar shows (changed the domain name with abc.xyz.com)... "https://abc.xyz.com/owa/auth/errorfe.aspx?owaError=ClientError;exMsg%3dSys.InvalidOperationException:%20You%20are%20trying%20to%20get%20an%20instance%20of%20the%20UserConfiguration%20object%20before%20it%20is%20loaded%20from%20the%20server!%20%20%20%20at%20Function.Error.create%20(https://abc.xyz.com/owa/prem/15.0.913.22/scripts/preboot.js:35:41538)%20%20%20%20at%20Function.Error.invalidOperation%20(https://abc.xyz.com/owa/prem/15.0.913.22/scripts/preboot.js:35:43345)%20%20%20%20at%20.$hF%20"

along with the following line repeated 35 times in the same address
bar...

"(https://abc.xyz.com/owa/prem/15.0.913.22/scripts/boot.1.mouse.js:2:164092)%20%20%20%20at%20_js.$cC.$8s%20"

Can anyone please help?

6:14 AM, March 08, 2016  
Blogger James said...

Please please let me use the old device mode theme. I do not like the design of the new one, it is a huge step back.

8:24 AM, March 08, 2016  
Blogger unknownman72 said...

I don´t know, what you all have against the smooth scrolling. I don´t have any problems with it, it works awesome on my two computers.

3:35 AM, March 09, 2016  
Blogger Laura Baxter said...

Several MacBook users at my organization suddenly have Google Viewer broken and only way to continue is to use PDF View extension. But even with that, the print preview in Google is still broken. This happened March 8.

9:58 AM, March 09, 2016  
Blogger JerryZ said...

@unknownman72

Bully for you.

I have nothing against the concept of smooth scrolling. My Logitech wireless Performance Mouse MX & SetPoint software handle smooth scrolling. Chrome smooth scrolling was causing noticeable problems with scrolling. In addition to the smooth scrolling, Chrome 49 rolled out some Google Doc extensions. In addition to the scrolling problems, I was getting Chrome hangs which were hanging my whole system. Once I killed Chrome smooth scrolling (via Flags), and removed the Google Doc extensions, Chrome and my system are behaving well.

10:21 AM, March 09, 2016  
Blogger IanMcGarvey said...

I am INCREDIBLY disappointed by the new device mode. In addition to being harder to use, it actually renders the page incorrectly when entering custom widths and heights in the "Responsive" mode. I am tempted to log this as a bug, but really? I am a web developer that uses Chrome dev tools on a daily basis, and I am seriously tempted to DOWNGRADE my version of Chrome. Is there at least a command line argument to use the old device mode?

10:55 AM, March 09, 2016  
Blogger Seo serghey said...

Nice article, thanks from:
Website development company in New York

5:41 AM, March 11, 2016  
Blogger ABHISHEK said...

This is bad... My scroll no longer works..
Not only me anyone using the latest version of chrome, the scroll happens very slowly.
Need chrome to revert this , would be a problem otherwise.

4:35 AM, March 16, 2016  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home