An update that fixes 53 vulnerabilities is now available.
Description:
This update for chromium fixes the following issues:
Chromium was updated to 75.0.3770.90 (boo#1137332 boo#1138287):
- CVE-2019-5842: Use-after-free in Blink.
Also updated to 75.0.3770.80 boo#1137332:
- CVE-2019-5828: Use after free in ServiceWorker
- CVE-2019-5829: Use after free in Download Manager
- CVE-2019-5830: Incorrectly credentialed requests in CORS
- CVE-2019-5831: Incorrect map processing in V8
- CVE-2019-5832: Incorrect CORS handling in XHR
- CVE-2019-5833: Inconsistent security UI placemen
- CVE-2019-5835: Out of bounds read in Swiftshader
- CVE-2019-5836: Heap buffer overflow in Angle
- CVE-2019-5837: Cross-origin resources size disclosure in Appcache
- CVE-2019-5838: Overly permissive tab access in Extensions
- CVE-2019-5839: Incorrect handling of certain code points in Blink
- CVE-2019-5840: Popup blocker bypass
- Various fixes from internal audits, fuzzing and other initiatives
- CVE-2019-5834: URL spoof in Omnibox on iOS
Update to 74.0.3729.169:
- Feature fixes update only
Update to 74.0.3729.157:
- Various security fixes from internal audits, fuzzing and other
initiatives
Includes security fixes from 74.0.3729.131 (boo#1134218):
- CVE-2019-5827: Out-of-bounds access in SQLite
- CVE-2019-5824: Parameter passing error in media player
Update to 74.0.3729.108 boo#1133313:
- CVE-2019-5805: Use after free in PDFium
- CVE-2019-5806: Integer overflow in Angle
- CVE-2019-5807: Memory corruption in V8
- CVE-2019-5808: Use after free in Blink
- CVE-2019-5809: Use after free in Blink
- CVE-2019-5810: User information disclosure in Autofill
- CVE-2019-5811: CORS bypass in Blink
- CVE-2019-5813: Out of bounds read in V8
- CVE-2019-5814: CORS bypass in Blink
- CVE-2019-5815: Heap buffer overflow in Blink
- CVE-2019-5818: Uninitialized value in media reader
- CVE-2019-5819: Incorrect escaping in developer tools
- CVE-2019-5820: Integer overflow in PDFium
- CVE-2019-5821: Integer overflow in PDFium
- CVE-2019-5822: CORS bypass in download manager
- CVE-2019-5823: Forced navigation from service worker
- CVE-2019-5812: URL spoof in Omnibox on iOS
- CVE-2019-5816: Exploit persistence extension on Android
- CVE-2019-5817: Heap buffer overflow in Angle on Windows
Update to 73.0.3686.103:
Update to 73.0.3683.86:
- Just feature fixes around
- Update conditions to use system harfbuzz on TW+
- Require java during build
- Enable using pipewire when available
- Rebase chromium-vaapi.patch to match up the Fedora one
Update to 73.0.3683.75 boo#1129059:
- CVE-2019-5787: Use after free in Canvas.
- CVE-2019-5788: Use after free in FileAPI.
- CVE-2019-5789: Use after free in WebMIDI.
- CVE-2019-5790: Heap buffer overflow in V8.
- CVE-2019-5791: Type confusion in V8.
- CVE-2019-5792: Integer overflow in PDFium.
- CVE-2019-5793: Excessive permissions for private API in Extensions.
- CVE-2019-5794: Security UI spoofing.
- CVE-2019-5795: Integer overflow in PDFium.
- CVE-2019-5796: Race condition in Extensions.
- CVE-2019-5797: Race condition in DOMStorage.
- CVE-2019-5798: Out of bounds read in Skia.
- CVE-2019-5799: CSP bypass with blob URL.
- CVE-2019-5800: CSP bypass with blob URL.
- CVE-2019-5801: Incorrect Omnibox display on iOS.
- CVE-2019-5802: Security UI spoofing.
- CVE-2019-5803: CSP bypass with Javascript URLs’.
- CVE-2019-5804: Command line command injection on Windows.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.
Alternatively you can run the command listed for your product:
-
openSUSE Leap 42.3:
zypper in -t patch openSUSE-2019-1666=1
-
openSUSE Leap 15.1:
zypper in -t patch openSUSE-2019-1666=1
-
openSUSE Leap 15.0:
zypper in -t patch openSUSE-2019-1666=1
-
openSUSE Backports SLE-15:
zypper in -t patch openSUSE-2019-1666=1
-
SUSE Package Hub for SUSE Linux Enterprise 12:
zypper in -t patch openSUSE-2019-1666=1