openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2018:1042-1
Rating:             important
References:         #1086199 #1090000 
Cross-References:   CVE-2018-6085 CVE-2018-6086 CVE-2018-6087
                    CVE-2018-6088 CVE-2018-6089 CVE-2018-6090
                    CVE-2018-6091 CVE-2018-6092 CVE-2018-6093
                    CVE-2018-6094 CVE-2018-6095 CVE-2018-6096
                    CVE-2018-6097 CVE-2018-6098 CVE-2018-6099
                    CVE-2018-6100 CVE-2018-6101 CVE-2018-6102
                    CVE-2018-6103 CVE-2018-6104 CVE-2018-6105
                    CVE-2018-6106 CVE-2018-6107 CVE-2018-6108
                    CVE-2018-6109 CVE-2018-6110 CVE-2018-6111
                    CVE-2018-6112 CVE-2018-6113 CVE-2018-6114
                    CVE-2018-6115 CVE-2018-6116 CVE-2018-6117
                   
Affected Products:
                    openSUSE Leap 42.3
______________________________________________________________________________

   An update that fixes 33 vulnerabilities is now available.

Description:

   This update for Chromium to version 66.0.3359.117 fixes the following
   issues:

   Security issues fixed (boo#1090000):

   - CVE-2018-6085: Use after free in Disk Cache
   - CVE-2018-6086: Use after free in Disk Cache
   - CVE-2018-6087: Use after free in WebAssembly
   - CVE-2018-6088: Use after free in PDFium
   - CVE-2018-6089: Same origin policy bypass in Service Worker
   - CVE-2018-6090: Heap buffer overflow in Skia
   - CVE-2018-6091: Incorrect handling of plug-ins by Service Worker
   - CVE-2018-6092: Integer overflow in WebAssembly
   - CVE-2018-6093: Same origin bypass in Service Worker
   - CVE-2018-6094: Exploit hardening regression in Oilpan
   - CVE-2018-6095: Lack of meaningful user interaction requirement before
     file upload
   - CVE-2018-6096: Fullscreen UI spoof
   - CVE-2018-6097: Fullscreen UI spoof
   - CVE-2018-6098: URL spoof in Omnibox
   - CVE-2018-6099: CORS bypass in ServiceWorker
   - CVE-2018-6100: URL spoof in Omnibox
   - CVE-2018-6101: Insufficient protection of remote debugging prototol in
     DevTools
   - CVE-2018-6102: URL spoof in Omnibox
   - CVE-2018-6103: UI spoof in Permissions
   - CVE-2018-6104: URL spoof in Omnibox
   - CVE-2018-6105: URL spoof in Omnibox
   - CVE-2018-6106: Incorrect handling of promises in V8
   - CVE-2018-6107: URL spoof in Omnibox
   - CVE-2018-6108: URL spoof in Omnibox
   - CVE-2018-6109: Incorrect handling of files by FileAPI
   - CVE-2018-6110: Incorrect handling of plaintext files via file://
   - CVE-2018-6111: Heap-use-after-free in DevTools
   - CVE-2018-6112: Incorrect URL handling in DevTools
   - CVE-2018-6113: URL spoof in Navigation
   - CVE-2018-6114: CSP bypass
   - CVE-2018-6115: SmartScreen bypass in downloads
   - CVE-2018-6116: Incorrect low memory handling in WebAssembly
   - CVE-2018-6117: Confusing autofill settings
   - Various fixes from internal audits, fuzzing and other initiatives

   This update also supports mitigation against the Spectre vulnerabilities:
   "Strict site isolation" is disabled for most users and can be turned on
   via: chrome://flags/#enable-site-per-process This feature is undergoing a
   small percentage trial. Out out of the trial is possible via:
   chrome://flags/#site-isolation-trial-opt-out

   The following other changes are included:

   - distrust certificates issued by Symantec before 2016-06-01
   - add option to export saved passwords
   - Reduce videos that auto-play with sound
   - boo#1086199: Fix UI freezing when loading/scaling down large images

   This update also contains a number of upstream bug fixes and improvements.


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 42.3:

      zypper in -t patch openSUSE-2018-381=1



Package List:

   - openSUSE Leap 42.3 (x86_64):

      chromedriver-66.0.3359.117-152.1
      chromedriver-debuginfo-66.0.3359.117-152.1
      chromium-66.0.3359.117-152.1
      chromium-debuginfo-66.0.3359.117-152.1
      chromium-debugsource-66.0.3359.117-152.1


References:

   https://www.suse.com/security/cve/CVE-2018-6085.html
   https://www.suse.com/security/cve/CVE-2018-6086.html
   https://www.suse.com/security/cve/CVE-2018-6087.html
   https://www.suse.com/security/cve/CVE-2018-6088.html
   https://www.suse.com/security/cve/CVE-2018-6089.html
   https://www.suse.com/security/cve/CVE-2018-6090.html
   https://www.suse.com/security/cve/CVE-2018-6091.html
   https://www.suse.com/security/cve/CVE-2018-6092.html
   https://www.suse.com/security/cve/CVE-2018-6093.html
   https://www.suse.com/security/cve/CVE-2018-6094.html
   https://www.suse.com/security/cve/CVE-2018-6095.html
   https://www.suse.com/security/cve/CVE-2018-6096.html
   https://www.suse.com/security/cve/CVE-2018-6097.html
   https://www.suse.com/security/cve/CVE-2018-6098.html
   https://www.suse.com/security/cve/CVE-2018-6099.html
   https://www.suse.com/security/cve/CVE-2018-6100.html
   https://www.suse.com/security/cve/CVE-2018-6101.html
   https://www.suse.com/security/cve/CVE-2018-6102.html
   https://www.suse.com/security/cve/CVE-2018-6103.html
   https://www.suse.com/security/cve/CVE-2018-6104.html
   https://www.suse.com/security/cve/CVE-2018-6105.html
   https://www.suse.com/security/cve/CVE-2018-6106.html
   https://www.suse.com/security/cve/CVE-2018-6107.html
   https://www.suse.com/security/cve/CVE-2018-6108.html
   https://www.suse.com/security/cve/CVE-2018-6109.html
   https://www.suse.com/security/cve/CVE-2018-6110.html
   https://www.suse.com/security/cve/CVE-2018-6111.html
   https://www.suse.com/security/cve/CVE-2018-6112.html
   https://www.suse.com/security/cve/CVE-2018-6113.html
   https://www.suse.com/security/cve/CVE-2018-6114.html
   https://www.suse.com/security/cve/CVE-2018-6115.html
   https://www.suse.com/security/cve/CVE-2018-6116.html
   https://www.suse.com/security/cve/CVE-2018-6117.html
   https://bugzilla.suse.com/1086199
   https://bugzilla.suse.com/1090000

--

openSUSE: 2018:1042-1: important: chromium

April 21, 2018
An update that fixes 33 vulnerabilities is now available.

Description

This update for Chromium to version 66.0.3359.117 fixes the following issues: Security issues fixed (boo#1090000): - CVE-2018-6085: Use after free in Disk Cache - CVE-2018-6086: Use after free in Disk Cache - CVE-2018-6087: Use after free in WebAssembly - CVE-2018-6088: Use after free in PDFium - CVE-2018-6089: Same origin policy bypass in Service Worker - CVE-2018-6090: Heap buffer overflow in Skia - CVE-2018-6091: Incorrect handling of plug-ins by Service Worker - CVE-2018-6092: Integer overflow in WebAssembly - CVE-2018-6093: Same origin bypass in Service Worker - CVE-2018-6094: Exploit hardening regression in Oilpan - CVE-2018-6095: Lack of meaningful user interaction requirement before file upload - CVE-2018-6096: Fullscreen UI spoof - CVE-2018-6097: Fullscreen UI spoof - CVE-2018-6098: URL spoof in Omnibox - CVE-2018-6099: CORS bypass in ServiceWorker - CVE-2018-6100: URL spoof in Omnibox - CVE-2018-6101: Insufficient protection of remote debugging prototol in DevTools - CVE-2018-6102: URL spoof in Omnibox - CVE-2018-6103: UI spoof in Permissions - CVE-2018-6104: URL spoof in Omnibox - CVE-2018-6105: URL spoof in Omnibox - CVE-2018-6106: Incorrect handling of promises in V8 - CVE-2018-6107: URL spoof in Omnibox - CVE-2018-6108: URL spoof in Omnibox - CVE-2018-6109: Incorrect handling of files by FileAPI - CVE-2018-6110: Incorrect handling of plaintext files via file:// - CVE-2018-6111: Heap-use-after-free in DevTools - CVE-2018-6112: Incorrect URL handling in DevTools - CVE-2018-6113: URL spoof in Navigation - CVE-2018-6114: CSP bypass - CVE-2018-6115: SmartScreen bypass in downloads - CVE-2018-6116: Incorrect low memory handling in WebAssembly - CVE-2018-6117: Confusing autofill settings - Various fixes from internal audits, fuzzing and other initiatives This update also supports mitigation against the Spectre vulnerabilities: "Strict site isolation" is disabled for most users and can be turned on via: chrome://flags/#enable-site-per-process This feature is undergoing a small percentage trial. Out out of the trial is possible via: chrome://flags/#site-isolation-trial-opt-out The following other changes are included: - distrust certificates issued by Symantec before 2016-06-01 - add option to export saved passwords - Reduce videos that auto-play with sound - boo#1086199: Fix UI freezing when loading/scaling down large images This update also contains a number of upstream bug fixes and improvements.

 

Patch

Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 42.3: zypper in -t patch openSUSE-2018-381=1


Package List

- openSUSE Leap 42.3 (x86_64): chromedriver-66.0.3359.117-152.1 chromedriver-debuginfo-66.0.3359.117-152.1 chromium-66.0.3359.117-152.1 chromium-debuginfo-66.0.3359.117-152.1 chromium-debugsource-66.0.3359.117-152.1


References

https://www.suse.com/security/cve/CVE-2018-6085.html https://www.suse.com/security/cve/CVE-2018-6086.html https://www.suse.com/security/cve/CVE-2018-6087.html https://www.suse.com/security/cve/CVE-2018-6088.html https://www.suse.com/security/cve/CVE-2018-6089.html https://www.suse.com/security/cve/CVE-2018-6090.html https://www.suse.com/security/cve/CVE-2018-6091.html https://www.suse.com/security/cve/CVE-2018-6092.html https://www.suse.com/security/cve/CVE-2018-6093.html https://www.suse.com/security/cve/CVE-2018-6094.html https://www.suse.com/security/cve/CVE-2018-6095.html https://www.suse.com/security/cve/CVE-2018-6096.html https://www.suse.com/security/cve/CVE-2018-6097.html https://www.suse.com/security/cve/CVE-2018-6098.html https://www.suse.com/security/cve/CVE-2018-6099.html https://www.suse.com/security/cve/CVE-2018-6100.html https://www.suse.com/security/cve/CVE-2018-6101.html https://www.suse.com/security/cve/CVE-2018-6102.html https://www.suse.com/security/cve/CVE-2018-6103.html https://www.suse.com/security/cve/CVE-2018-6104.html https://www.suse.com/security/cve/CVE-2018-6105.html https://www.suse.com/security/cve/CVE-2018-6106.html https://www.suse.com/security/cve/CVE-2018-6107.html https://www.suse.com/security/cve/CVE-2018-6108.html https://www.suse.com/security/cve/CVE-2018-6109.html https://www.suse.com/security/cve/CVE-2018-6110.html https://www.suse.com/security/cve/CVE-2018-6111.html https://www.suse.com/security/cve/CVE-2018-6112.html https://www.suse.com/security/cve/CVE-2018-6113.html https://www.suse.com/security/cve/CVE-2018-6114.html https://www.suse.com/security/cve/CVE-2018-6115.html https://www.suse.com/security/cve/CVE-2018-6116.html https://www.suse.com/security/cve/CVE-2018-6117.html https://bugzilla.suse.com/1086199 https://bugzilla.suse.com/1090000--


Severity
Announcement ID: openSUSE-SU-2018:1042-1
Rating: important
Affected Products: openSUSE Leap 42.3

Related News

30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
8.Locks HexConnections CodeGlobe Esm H320
2 - 3 min read
Canonical has launched Ubuntu Pro for Devices , a comprehensive offering emphasizing security and compliance for IoT device deployments. This
2.Motherboard Esm H320
2 - 3 min read
The recently uncovered "Native Branch History Injection (BHI)" exploit against the Linux kernel marks a significant milestone in the ongoing battle

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved