https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html

https://crbug.com/1139411

Multiple security issues were discovered in the Chromium web browser, which could result in the execution of arbitrary code, denial of service or information disclosure.

The remote host is affected by the vulnerability described in GLSA-202012-05 (Chromium, Google Chrome: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Chromium and Google       Chrome. Please review the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

This update for chromium fixes the following issues :

  - Update to 87.0.4280.66 (boo#1178923)

  - Wayland support by default

  - CVE-2020-16018: Use after free in payments. 

  - CVE-2020-16019: Inappropriate implementation in     filesystem. 

  - CVE-2020-16020: Inappropriate implementation in     cryptohome. 

  - CVE-2020-16021: Race in ImageBurner. 

  - CVE-2020-16022: Insufficient policy enforcement in     networking. 

  - CVE-2020-16015: Insufficient data validation in WASM. R

  - CVE-2020-16014: Use after free in PPAPI. 

  - CVE-2020-16023: Use after free in WebCodecs. 

  - CVE-2020-16024: Heap buffer overflow in UI.

  - CVE-2020-16025: Heap buffer overflow in clipboard. 

  - CVE-2020-16026: Use after free in WebRTC. 

  - CVE-2020-16027: Insufficient policy enforcement in     developer tools. R

  - CVE-2020-16028: Heap buffer overflow in WebRTC. 

  - CVE-2020-16029: Inappropriate implementation in PDFium. 

  - CVE-2020-16030: Insufficient data validation in Blink. 

  - CVE-2019-8075: Insufficient data validation in Flash. 

  - CVE-2020-16031: Incorrect security UI in tab preview. 

  - CVE-2020-16032: Incorrect security UI in sharing.

  - CVE-2020-16033: Incorrect security UI in WebUSB. 

  - CVE-2020-16034: Inappropriate implementation in WebRTC. 

  - CVE-2020-16035: Insufficient data validation in     cros-disks.

  - CVE-2020-16012: Side-channel information leakage in     graphics. 

  - CVE-2020-16036: Inappropriate implementation in cookies.

Update to 87.0.4280.66. Fixes bugs and security holes. Yay!

CVE-2020-16012 CVE-2020-16018 CVE-2020-16019 CVE-2020-16020 CVE-2020-16021 CVE-2020-16022 CVE-2020-16015 CVE-2020-16014 CVE-2020-16023 CVE-2020-16024 CVE-2020-16025 CVE-2020-16026 CVE-2020-16027 CVE-2020-16028 CVE-2020-16029 CVE-2020-16030 CVE-2020-16031 CVE-2020-16032 CVE-2020-16033 CVE-2020-16034 CVE-2020-16035 CVE-2020-16036

----

Update to 86.0.4240.198. Fixes the following security issues :

CVE-2020-16013 CVE-2020-16016 CVE-2020-16017

----

Update to 86.0.4240.183.

Fixes the following security issues: CVE-2020-16004 CVE-2020-16005 CVE-2020-16006 CVE-2020-16008 CVE-2020-16009

Also disables the very verbose output going to stdout.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Update to 87.0.4280.66. Fixes bugs and security holes. Yay!

CVE-2020-16012 CVE-2020-16018 CVE-2020-16019 CVE-2020-16020 CVE-2020-16021 CVE-2020-16022 CVE-2020-16015 CVE-2020-16014 CVE-2020-16023 CVE-2020-16024 CVE-2020-16025 CVE-2020-16026 CVE-2020-16027 CVE-2020-16028 CVE-2020-16029 CVE-2020-16030 CVE-2020-16031 CVE-2020-16032 CVE-2020-16033 CVE-2020-16034 CVE-2020-16035 CVE-2020-16036

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Google Chrome installed on the remote Windows host is prior to 87.0.4280.66. It is, therefore, affected by multiple vulnerabilities as referenced in the 2020_11_stable-channel-update-for-desktop_17 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Google Chrome installed on the remote macOS host is prior to 87.0.4280.66. It is, therefore, affected by multiple vulnerabilities as referenced in the 2020_11_stable-channel-update-for-desktop_17 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
144672	Debian DSA-4824-1 : chromium - security update	Nessus	Debian Local Security Checks	high
143495	GLSA-202012-05 : Chromium, Google Chrome: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
143333	openSUSE Security Update : chromium (openSUSE-2020-2021)	Nessus	SuSE Local Security Checks	high
143303	openSUSE Security Update : chromium (openSUSE-2020-2032)	Nessus	SuSE Local Security Checks	high
143227	Fedora 32 : chromium (2020-3e005ce2e0)	Nessus	Fedora Local Security Checks	high
143176	Fedora 33 : chromium (2020-10ec8aca61)	Nessus	Fedora Local Security Checks	high
142971	Google Chrome < 87.0.4280.66 Multiple Vulnerabilities	Nessus	Windows	high
142970	Google Chrome < 87.0.4280.66 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high

CVE-2020-16020

HIGH

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

high

high

high

high

high

high