openSUSE Security Update: Security update for chromium, re2 ______________________________________________________________________________ Announcement ID: openSUSE-SU-2019:2424-1 Rating: important References: #1154806 Cross-References: CVE-2019-13699 CVE-2019-13700 CVE-2019-13701 CVE-2019-13702 CVE-2019-13703 CVE-2019-13704 CVE-2019-13705 CVE-2019-13706 CVE-2019-13707 CVE-2019-13708 CVE-2019-13709 CVE-2019-13710 CVE-2019-13711 CVE-2019-13713 CVE-2019-13714 CVE-2019-13715 CVE-2019-13716 CVE-2019-13717 CVE-2019-13718 CVE-2019-13719 CVE-2019-15903 Affected Products: openSUSE Backports SLE-15 ______________________________________________________________________________ An update that fixes 21 vulnerabilities is now available. Description: This update for chromium, re2 fixes the following issues: Chromium was updated to 78.0.3904.70 boo#1154806: * CVE-2019-13699: Use-after-free in media * CVE-2019-13700: Buffer overrun in Blink * CVE-2019-13701: URL spoof in navigation * CVE-2019-13702: Privilege elevation in Installer * CVE-2019-13703: URL bar spoofing * CVE-2019-13704: CSP bypass * CVE-2019-13705: Extension permission bypass * CVE-2019-13706: Out-of-bounds read in PDFium * CVE-2019-13707: File storage disclosure * CVE-2019-13708: HTTP authentication spoof * CVE-2019-13709: File download protection bypass * CVE-2019-13710: File download protection bypass * CVE-2019-13711: Cross-context information leak * CVE-2019-15903: Buffer overflow in expat * CVE-2019-13713: Cross-origin data leak * CVE-2019-13714: CSS injection * CVE-2019-13715: Address bar spoofing * CVE-2019-13716: Service worker state error * CVE-2019-13717: Notification obscured * CVE-2019-13718: IDN spoof * CVE-2019-13719: Notification obscured * Various fixes from internal audits, fuzzing and other initiatives - Use internal resources for icon and appdata This update was imported from the openSUSE:Leap:15.0:Update update project. Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15: zypper in -t patch openSUSE-2019-2424=1 Package List: - openSUSE Backports SLE-15 (aarch64 ppc64le s390x x86_64): libre2-0-20190901-bp150.25.1 libre2-0-debuginfo-20190901-bp150.25.1 re2-debugsource-20190901-bp150.25.1 re2-devel-20190901-bp150.25.1 - openSUSE Backports SLE-15 (aarch64 x86_64): chromedriver-78.0.3904.70-bp150.240.1 chromium-78.0.3904.70-bp150.240.1 - openSUSE Backports SLE-15 (aarch64_ilp32): libre2-0-64bit-20190901-bp150.25.1 libre2-0-64bit-debuginfo-20190901-bp150.25.1 References: https://www.suse.com/security/cve/CVE-2019-13699.html https://www.suse.com/security/cve/CVE-2019-13700.html https://www.suse.com/security/cve/CVE-2019-13701.html https://www.suse.com/security/cve/CVE-2019-13702.html https://www.suse.com/security/cve/CVE-2019-13703.html https://www.suse.com/security/cve/CVE-2019-13704.html https://www.suse.com/security/cve/CVE-2019-13705.html https://www.suse.com/security/cve/CVE-2019-13706.html https://www.suse.com/security/cve/CVE-2019-13707.html https://www.suse.com/security/cve/CVE-2019-13708.html https://www.suse.com/security/cve/CVE-2019-13709.html https://www.suse.com/security/cve/CVE-2019-13710.html https://www.suse.com/security/cve/CVE-2019-13711.html https://www.suse.com/security/cve/CVE-2019-13713.html https://www.suse.com/security/cve/CVE-2019-13714.html https://www.suse.com/security/cve/CVE-2019-13715.html https://www.suse.com/security/cve/CVE-2019-13716.html https://www.suse.com/security/cve/CVE-2019-13717.html https://www.suse.com/security/cve/CVE-2019-13718.html https://www.suse.com/security/cve/CVE-2019-13719.html https://www.suse.com/security/cve/CVE-2019-15903.html https://bugzilla.suse.com/1154806 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org