openSUSE-SU-2020:0010

https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html

https://crbug.com/986063

The remote host is affected by the vulnerability described in GLSA-201911-06 (Chromium, Google Chrome: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Chromium and Google       Chrome. Please review the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

Several vulnerabilities have been discovered in the chromium web browser.

  - CVE-2019-5869     Zhe Jin discovered a use-after-free issue.

  - CVE-2019-5870     Guang Gong discovered a use-after-free issue.

  - CVE-2019-5871     A buffer overflow issue was discovered in the skia     library.

  - CVE-2019-5872     Zhe Jin discovered a use-after-free issue.

  - CVE-2019-5874     James Lee discovered an issue with external Uniform     Resource Identifiers.

  - CVE-2019-5875     Khalil Zhani discovered a URL spoofing issue.

  - CVE-2019-5876     Man Yue Mo discovered a use-after-free issue.

  - CVE-2019-5877     Guang Gong discovered an out-of-bounds read issue.

  - CVE-2019-5878     Guang Gong discovered an use-after-free issue in the v8     JavaScript library.

  - CVE-2019-5879     Jinseo Kim discover that extensions could read files on     the local system.

  - CVE-2019-5880     Jun Kokatsu discovered a way to bypass the SameSite     cookie feature.

  - CVE-2019-13659     Lnyas Zhang discovered a URL spoofing issue.

  - CVE-2019-13660     Wenxu Wu discovered a user interface error in full     screen mode.

  - CVE-2019-13661     Wenxu Wu discovered a user interface spoofing issue in     full screen mode.

  - CVE-2019-13662     David Erceg discovered a way to bypass the Content     Security Policy.

  - CVE-2019-13663     Lnyas Zhang discovered a way to spoof Internationalized     Domain Names.

  - CVE-2019-13664     Thomas Shadwell discovered a way to bypass the SameSite     cookie feature.

  - CVE-2019-13665     Jun Kokatsu discovered a way to bypass the multiple file     download protection feature.

  - CVE-2019-13666     Tom Van Goethem discovered an information leak.

  - CVE-2019-13667     Khalil Zhani discovered a URL spoofing issue.

  - CVE-2019-13668     David Erceg discovered an information leak.

  - CVE-2019-13669     Khalil Zhani discovered an authentication spoofing     issue.

  - CVE-2019-13670     Guang Gong discovered a memory corruption issue in the     v8 JavaScript library.

  - CVE-2019-13671     xisigr discovered a user interface error.

  - CVE-2019-13673     David Erceg discovered an information leak.

  - CVE-2019-13674     Khalil Zhani discovered a way to spoof Internationalized     Domain Names.

  - CVE-2019-13675     Jun Kokatsu discovered a way to disable extensions.

  - CVE-2019-13676     Wenxu Wu discovered an error in a certificate warning.

  - CVE-2019-13677     Jun Kokatsu discovered an error in the chrome web store.

  - CVE-2019-13678     Ronni Skansing discovered a spoofing issue in the     download dialog window.

  - CVE-2019-13679     Conrad Irwin discovered that user activation was not     required for printing.

  - CVE-2019-13680     Thijs Alkamade discovered an IP address spoofing issue.

  - CVE-2019-13681     David Erceg discovered a way to bypass download     restrictions.

  - CVE-2019-13682     Jun Kokatsu discovered a way to bypass the site     isolation feature.

  - CVE-2019-13683     David Erceg discovered an information leak.

  - CVE-2019-13685     Khalil Zhani discovered a use-after-free issue.

  - CVE-2019-13686     Brendon discovered a use-after-free issue.

  - CVE-2019-13687     Man Yue Mo discovered a use-after-free issue.

  - CVE-2019-13688     Man Yue Mo discovered a use-after-free issue.

  - CVE-2019-13691     David Erceg discovered a user interface spoofing issue.

  - CVE-2019-13692     Jun Kokatsu discovered a way to bypass the Same Origin     Policy.

  - CVE-2019-13693     Guang Gong discovered a use-after-free issue.

  - CVE-2019-13694     banananapenguin discovered a use-after-free issue.

  - CVE-2019-13695     Man Yue Mo discovered a use-after-free issue.

  - CVE-2019-13696     Guang Gong discovered a use-after-free issue in the v8     JavaScript library.

  - CVE-2019-13697     Luan Herrera discovered an information leak.

  - CVE-2019-13699     Man Yue Mo discovered a use-after-free issue.

  - CVE-2019-13700     Man Yue Mo discovered a buffer overflow issue.

  - CVE-2019-13701     David Erceg discovered a URL spoofing issue.

  - CVE-2019-13702     Phillip Langlois and Edward Torkington discovered a     privilege escalation issue in the installer.

  - CVE-2019-13703     Khalil Zhani discovered a URL spoofing issue.

  - CVE-2019-13704     Jun Kokatsu discovered a way to bypass the Content     Security Policy.

  - CVE-2019-13705     Luan Herrera discovered a way to bypass extension     permissions.

  - CVE-2019-13706     pdknsk discovered an out-of-bounds read issue in the     pdfium library.

  - CVE-2019-13707     Andrea Palazzo discovered an information leak.

  - CVE-2019-13708     Khalil Zhani discovered an authentication spoofing     issue.

  - CVE-2019-13709     Zhong Zhaochen discovered a way to bypass download     restrictions.

  - CVE-2019-13710     bernardo.mrod discovered a way to bypass download     restrictions.

  - CVE-2019-13711     David Erceg discovered an information leak.

  - CVE-2019-13713     David Erceg discovered an information leak.

  - CVE-2019-13714     Jun Kokatsu discovered an issue with Cascading Style     Sheets.

  - CVE-2019-13715     xisigr discovered a URL spoofing issue.

  - CVE-2019-13716     Barron Hagerman discovered an error in the service     worker implementation.

  - CVE-2019-13717     xisigr discovered a user interface spoofing issue.

  - CVE-2019-13718     Khalil Zhani discovered a way to spoof Internationalized     Domain Names.

  - CVE-2019-13719     Khalil Zhani discovered a user interface spoofing issue.

  - CVE-2019-13720     Anton Ivanov and Alexey Kulaev discovered a     use-after-free issue.

  - CVE-2019-13721     banananapenguin discovered a use-after-free issue in the     pdfium library.

An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Chromium is an open source web browser, powered by WebKit (Blink).

This update upgrades Chromium to version 78.0.3904.70.

Security Fix(es) :

* chromium-browser: Use-after-free in media (CVE-2019-13699)

* chromium-browser: Buffer overrun in Blink (CVE-2019-13700)

* chromium-browser: URL spoof in navigation (CVE-2019-13701)

* chromium-browser: Privilege elevation in Installer (CVE-2019-13702)

* chromium-browser: URL bar spoofing (CVE-2019-13703)

* chromium-browser: CSP bypass (CVE-2019-13704)

* chromium-browser: Extension permission bypass (CVE-2019-13705)

* chromium-browser: Out-of-bounds read in PDFium (CVE-2019-13706)

* chromium-browser: File storage disclosure (CVE-2019-13707)

* chromium-browser: HTTP authentication spoof (CVE-2019-13708)

* chromium-browser: File download protection bypass (CVE-2019-13709)

* chromium-browser: File download protection bypass (CVE-2019-13710)

* chromium-browser: Cross-context information leak (CVE-2019-13711)

* chromium-browser: Cross-origin data leak (CVE-2019-13713)

* chromium-browser: CSS injection (CVE-2019-13714)

* chromium-browser: Address bar spoofing (CVE-2019-13715)

* chromium-browser: Service worker state error (CVE-2019-13716)

* chromium-browser: Notification obscured (CVE-2019-13717)

* chromium-browser: IDN spoof (CVE-2019-13718)

* chromium-browser: Notification obscured (CVE-2019-13719)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This update for chromium, re2 fixes the following issues :

Chromium was updated to 78.0.3904.70 boo#1154806 :

  - CVE-2019-13699: Use-after-free in media

  - CVE-2019-13700: Buffer overrun in Blink

  - CVE-2019-13701: URL spoof in navigation

  - CVE-2019-13702: Privilege elevation in Installer

  - CVE-2019-13703: URL bar spoofing

  - CVE-2019-13704: CSP bypass

  - CVE-2019-13705: Extension permission bypass

  - CVE-2019-13706: Out-of-bounds read in PDFium

  - CVE-2019-13707: File storage disclosure

  - CVE-2019-13708: HTTP authentication spoof

  - CVE-2019-13709: File download protection bypass

  - CVE-2019-13710: File download protection bypass

  - CVE-2019-13711: Cross-context information leak

  - CVE-2019-15903: Buffer overflow in expat

  - CVE-2019-13713: Cross-origin data leak

  - CVE-2019-13714: CSS injection

  - CVE-2019-13715: Address bar spoofing

  - CVE-2019-13716: Service worker state error

  - CVE-2019-13717: Notification obscured

  - CVE-2019-13718: IDN spoof

  - CVE-2019-13719: Notification obscured

  - Various fixes from internal audits, fuzzing and other     initiatives

  - Use internal resources for icon and appdata

The version of Google Chrome installed on the remote Windows host is prior to 78.0.3904.70. It is, therefore, affected by multiple vulnerabilities as referenced in the 2019_10_stable-channel-update-for-desktop_22 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Google Chrome installed on the remote macOS host is prior to 78.0.3904.70. It is, therefore, affected by multiple vulnerabilities as referenced in the 2019_10_stable-channel-update-for-desktop_22 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
131266	GLSA-201911-06 : Chromium, Google Chrome: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
130774	Debian DSA-4562-1 : chromium - security update	Nessus	Debian Local Security Checks	medium
130745	RHEL 6 : chromium-browser (RHSA-2019:3759)	Nessus	Red Hat Local Security Checks	medium
130500	openSUSE Security Update : chromium / re2 (openSUSE-2019-2420)	Nessus	SuSE Local Security Checks	medium
130275	Google Chrome < 78.0.3904.70 Multiple Vulnerabilities	Nessus	Windows	medium
130274	Google Chrome < 78.0.3904.70 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	medium

CVE-2019-13711

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins