Security update for chromium (important)

2019-11-0600:00:00

lists.opensuse.org

117

0.974 High

EPSS

Percentile

99.9%

JSON

An update that fixes 86 vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

Chromium was updated to 78.0.3904.87:
(boo#1155643,boo#1154806,boo#1153660,
boo#1151229,boo#1149143,boo#1145242,boo#1143492)

Security issues fixed with this version update:

 * CVE-2019-13721: Use-after-free in PDFium
 * CVE-2019-13720: Use-after-free in audio
 * CVE-2019-13699: Use-after-free in media
 * CVE-2019-13700: Buffer overrun in Blink
 * CVE-2019-13701: URL spoof in navigation
 * CVE-2019-13702: Privilege elevation in Installer
 * CVE-2019-13703: URL bar spoofing
 * CVE-2019-13704: CSP bypass
 * CVE-2019-13705: Extension permission bypass
 * CVE-2019-13706: Out-of-bounds read in PDFium
 * CVE-2019-13707: File storage disclosure
 * CVE-2019-13708: HTTP authentication spoof
 * CVE-2019-13709: File download protection bypass
 * CVE-2019-13710: File download protection bypass
 * CVE-2019-13711: Cross-context information leak
 * CVE-2019-15903: Buffer overflow in expat
 * CVE-2019-13713: Cross-origin data leak
 * CVE-2019-13714: CSS injection
 * CVE-2019-13715: Address bar spoofing
 * CVE-2019-13716: Service worker state error
 * CVE-2019-13717: Notification obscured
 * CVE-2019-13718: IDN spoof
 * CVE-2019-13719: Notification obscured
 * CVE-2019-13693: Use-after-free in IndexedDB
 * CVE-2019-13694: Use-after-free in WebRTC
 * CVE-2019-13695: Use-after-free in audio
 * CVE-2019-13696: Use-after-free in V8
 * CVE-2019-13697: Cross-origin size leak.
 * CVE-2019-13685: Use-after-free in UI
 * CVE-2019-13688: Use-after-free in media
 * CVE-2019-13687: Use-after-free in media
 * CVE-2019-13686: Use-after-free in offline pages
 * CVE-2019-5870: Use-after-free in media
 * CVE-2019-5871: Heap overflow in Skia
 * CVE-2019-5872: Use-after-free in Mojo
 * CVE-2019-5874: External URIs may trigger other browsers
 * CVE-2019-5875: URL bar spoof via download redirect
 * CVE-2019-5876: Use-after-free in media
 * CVE-2019-5877: Out-of-bounds access in V8
 * CVE-2019-5878: Use-after-free in V8
 * CVE-2019-5879: Extension can bypass same origin policy
 * CVE-2019-5880: SameSite cookie bypass
 * CVE-2019-5881: Arbitrary read in SwiftShader
 * CVE-2019-13659: URL spoof
 * CVE-2019-13660: Full screen notification overlap
 * CVE-2019-13661: Full screen notification spoof
 * CVE-2019-13662: CSP bypass
 * CVE-2019-13663: IDN spoof
 * CVE-2019-13664: CSRF bypass
 * CVE-2019-13665: Multiple file download protection bypass
 * CVE-2019-13666: Side channel using storage size estimate
 * CVE-2019-13667: URI bar spoof when using external app URIs
 * CVE-2019-13668: Global window leak via console
 * CVE-2019-13669: HTTP authentication spoof
 * CVE-2019-13670: V8 memory corruption in regex
 * CVE-2019-13671: Dialog box fails to show origin
 * CVE-2019-13673: Cross-origin information leak using devtools
 * CVE-2019-13674: IDN spoofing
 * CVE-2019-13675: Extensions can be disabled by trailing slash
 * CVE-2019-13676: Google URI shown for certificate warning
 * CVE-2019-13677: Chrome web store origin needs to be isolated
 * CVE-2019-13678: Download dialog spoofing
 * CVE-2019-13679: User gesture needed for printing
 * CVE-2019-13680: IP address spoofing to servers
 * CVE-2019-13681: Bypass on download restrictions
 * CVE-2019-13682: Site isolation bypass
 * CVE-2019-13683: Exceptions leaked by devtools
 * CVE-2019-5869: Use-after-free in Blink
 * CVE-2019-5868: Use-after-free in PDFium ExecuteFieldAction
 * CVE-2019-5867: Out-of-bounds read in V8
 * CVE-2019-5850: Use-after-free in offline page fetcher
 * CVE-2019-5860: Use-after-free in PDFium
 * CVE-2019-5853: Memory corruption in regexp length check
 * CVE-2019-5851: Use-after-poison in offline audio context
 * CVE-2019-5859: res: URIs can load alternative browsers
 * CVE-2019-5856: Insufficient checks on filesystem: URI permissions
 * CVE-2019-5855: Integer overflow in PDFium
 * CVE-2019-5865: Site isolation bypass from compromised renderer
 * CVE-2019-5858: Insufficient filtering of Open URL service parameters
 * CVE-2019-5864: Insufficient port filtering in CORS for extensions
 * CVE-2019-5862: AppCache not robust to compromised renderers
 * CVE-2019-5861: Click location incorrectly checked
 * CVE-2019-5857: Comparison of -0 and null yields crash
 * CVE-2019-5854: Integer overflow in PDFium text rendering
 * CVE-2019-5852: Object leak of utility functions

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

SUSE Package Hub for SUSE Linux Enterprise 12:

zypper in -t patch openSUSE-2019-2447=1

OSVersionArchitecturePackageVersionFilename
SUSE Package Hub for SUSE Linux Enterprise12aarch64< - SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 x86_64):- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 x86_64):.aarch64.rpm
SUSE Package Hub for SUSE Linux Enterprise12x86_64< - SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 x86_64):- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 x86_64):.x86_64.rpm

OS	Version	Architecture	Package	Version	Filename
SUSE Package Hub for SUSE Linux Enterprise	12	aarch64		< - SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 x86_64):	- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 x86_64):.aarch64.rpm
SUSE Package Hub for SUSE Linux Enterprise	12	x86_64		< - SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 x86_64):	- SUSE Package Hub for SUSE Linux Enterprise 12 (aarch64 x86_64):.x86_64.rpm