openSUSE Security Update : Chromium (openSUSE-2016-1453)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update to Chromium 55.0.2883.75 fixes the following
vulnerabilities :

- CVE-2016-9651: Private property access in V8

- CVE-2016-5208: Universal XSS in Blink

- CVE-2016-5207: Universal XSS in Blink

- CVE-2016-5206: Same-origin bypass in PDFium

- CVE-2016-5205: Universal XSS in Blink

- CVE-2016-5204: Universal XSS in Blink

- CVE-2016-5209: Out of bounds write in Blink

- CVE-2016-5203: Use after free in PDFium

- CVE-2016-5210: Out of bounds write in PDFium

- CVE-2016-5212: Local file disclosure in DevTools

- CVE-2016-5211: Use after free in PDFium

- CVE-2016-5213: Use after free in V8

- CVE-2016-5214: File download protection bypass

- CVE-2016-5216: Use after free in PDFium

- CVE-2016-5215: Use after free in Webaudio

- CVE-2016-5217: Use of unvalidated data in PDFium

- CVE-2016-5218: Address spoofing in Omnibox

- CVE-2016-5219: Use after free in V8

- CVE-2016-5221: Integer overflow in ANGLE

- CVE-2016-5220: Local file access in PDFium

- CVE-2016-5222: Address spoofing in Omnibox

- CVE-2016-9650: CSP Referrer disclosure

- CVE-2016-5223: Integer overflow in PDFium

- CVE-2016-5226: Limited XSS in Blink

- CVE-2016-5225: CSP bypass in Blink

- CVE-2016-5224: Same-origin bypass in SVG

- CVE-2016-9652: Various fixes from internal audits,
fuzzing and other initiatives

The default bookmarks override was removed.

The following packaging changes are included :

- Switch to system libraries: harfbuzz, zlib, ffmpeg,
where available.

- Chromium now requires harfbuzz >= 1.3.0

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=1013236

Solution :

Update the affected Chromium packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)