From the debian security mailing list:
Several vulnerabilities have been discovered in the chromium web browser.
CVE-2016-1622
It was discovered that a maliciously crafted extension could bypass
the Same Origin Policy.
CVE-2016-1623
Mariusz Mlynski discovered a way to bypass the Same Origin Policy.
CVE-2016-1624
lukezli discovered a buffer overflow issue in the Brotli library.
CVE-2016-1625
Jann Horn discovered a way to cause the Chrome Instant feature to
navigate to unintended destinations.
CVE-2016-1626
An out-of-bounds read issue was discovered in the openjpeg library.
CVE-2016-1627
It was discovered that the Developer Tools did not validate URLs.
CVE-2016-1628
An out-of-bounds read issue was discovered in the pdfium library.
CVE-2016-1629
A way to bypass the Same Origin Policy was discovered in Blink/WebKit,
along with a way to escape the chromium sandbox.
New features
------------
* Processes under PRoot now appear with their real names, that is,
they are not renamed ld-linux.so or prooted-... anymore.
* Own ELF loader.
Fixes
-----
* Most bugs related to shebang support -- ie. #! at the beginning of
a program -- were fixed.
* It is now possible to use GDB against multi-threaded programs under
PRoot x86_64 and x86.
* It is possible to execute x86_64 programs from x86 programs again.
* It is possible to use x86 ptrace-based programs (strace, gdb, ...)
under PRoot x86_64 again.
* The loader is now built with the build-id linker option explicitly
disabled. This special section might interfere with loaded
programs.
* The loader can now load relocatable objects that have a predefined
base address.
Bugfix release; released on February 22 2016:
- Fix argument checks for interpreter invoke with `-m` and `-c`
on Windows.
- Fixed a bug that cased locale detection to error out on Python 3.
Re-builds many Python packages, but no new failures on x86-64.