openSUSE Security Update: Security update for chromium ______________________________________________________________________________ Announcement ID: openSUSE-SU-2023:0193-1 Rating: important References: #1213462 Cross-References: CVE-2023-3727 CVE-2023-3728 CVE-2023-3730 CVE-2023-3732 CVE-2023-3733 CVE-2023-3734 CVE-2023-3735 CVE-2023-3736 CVE-2023-3737 CVE-2023-3738 CVE-2023-3740 Affected Products: openSUSE Backports SLE-15-SP4 openSUSE Backports SLE-15-SP5 ______________________________________________________________________________ An update that fixes 11 vulnerabilities is now available. Description: This update for chromium fixes the following issues: Chromium 115.0.5790.102: * stability fix Chromium 115.0.5790.98: * Security: The Storage, Service Worker, and Communication APIs are now partitioned in third-party contexts to prevent certain types of side-channel cross-site tracking * HTTPS: Automatically and optimistically upgrade all main-frame navigations to HTTPS, with fast fallback to HTTP. * CSS: accept multiple values of the display property * CSS: support boolean context style container queries * CSS: support scroll-driven animations * Increase the maximum size of a WebAssembly.Module() on the main thread to 8 MB * FedCM: Support credential management mediation requirements for auto re-authentication * Deprecate the document.domain setter * Deprecate mutation events * Security fixes (boo#1213462): - CVE-2023-3727: Use after free in WebRTC - CVE-2023-3728: Use after free in WebRTC - CVE-2023-3730: Use after free in Tab Groups - CVE-2023-3732: Out of bounds memory access in Mojo - CVE-2023-3733: Inappropriate implementation in WebApp Installs - CVE-2023-3734: Inappropriate implementation in Picture In Picture - CVE-2023-3735: Inappropriate implementation in Web API Permission Prompts - CVE-2023-3736: Inappropriate implementation in Custom Tabs - CVE-2023-3737: Inappropriate implementation in Notifications - CVE-2023-3738: Inappropriate implementation in Autofill - CVE-2023-3740: Insufficient validation of untrusted input in Themes - Various fixes from internal audits, fuzzing and other initiatives Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP5: zypper in -t patch openSUSE-2023-193=1 - openSUSE Backports SLE-15-SP4: zypper in -t patch openSUSE-2023-193=1 Package List: - openSUSE Backports SLE-15-SP5 (aarch64 x86_64): chromedriver-115.0.5790.102-bp155.2.13.1 chromedriver-debuginfo-115.0.5790.102-bp155.2.13.1 chromium-115.0.5790.102-bp155.2.13.1 chromium-debuginfo-115.0.5790.102-bp155.2.13.1 - openSUSE Backports SLE-15-SP4 (aarch64 x86_64): chromedriver-115.0.5790.102-bp154.2.99.1 chromium-115.0.5790.102-bp154.2.99.1 References: https://www.suse.com/security/cve/CVE-2023-3727.html https://www.suse.com/security/cve/CVE-2023-3728.html https://www.suse.com/security/cve/CVE-2023-3730.html https://www.suse.com/security/cve/CVE-2023-3732.html https://www.suse.com/security/cve/CVE-2023-3733.html https://www.suse.com/security/cve/CVE-2023-3734.html https://www.suse.com/security/cve/CVE-2023-3735.html https://www.suse.com/security/cve/CVE-2023-3736.html https://www.suse.com/security/cve/CVE-2023-3737.html https://www.suse.com/security/cve/CVE-2023-3738.html https://www.suse.com/security/cve/CVE-2023-3740.html https://bugzilla.suse.com/1213462