openSUSE-SU-2014:1378-1: moderate: update for chromium
openSUSE Security Update: update for chromium
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1378-1
Rating:             moderate
References:         #896106
Cross-References:   CVE-2014-3178 CVE-2014-3188 CVE-2014-3189 CVE-2014-3190
                    CVE-2014-3191 CVE-2014-3192 CVE-2014-3193 CVE-2014-3194
                    CVE-2014-3195 CVE-2014-3196 CVE-2014-3197 CVE-2014-3198
                    CVE-2014-3199 CVE-2014-3200
Affected Products:
                    openSUSE 13.1
______________________________________________________________________________

An update that fixes 14 vulnerabilities is now available.

Description:

- Update to Chromium 38.0.2125.101
  This update includes 159 security fixes, including 113 relatively minor
  fixes. Highlighted security fixes are:
    CVE-2014-3188: A combination of V8 and IPC bugs that can lead to remote
                   code execution outside of the sandbox
    CVE-2014-3189: Out-of-bounds read in PDFium
    CVE-2014-3190: Use-after-free in Events
    CVE-2014-3191: Use-after-free in Rendering
    CVE-2014-3192: Use-after-free in DOM
    CVE-2014-3193: Type confusion in Session Management
    CVE-2014-3194: Use-after-free in Web Workers
    CVE-2014-3195: Information Leak in V8
    CVE-2014-3196: Permissions bypass in Windows Sandbox
    CVE-2014-3197: Information Leak in XSS Auditor
    CVE-2014-3198: Out-of-bounds read in PDFium
    CVE-2014-3199: Release Assert in V8 bindings
    CVE-2014-3200: Various fixes from internal audits, fuzzing and other
                   initiatives
- Drop the build of the Native Client. This is not actually a build, since
  prebuilt binaries are being shipped. Also, Google no longer provides
  prebuilt binaries of the Native Client for 32-bit. Chromium as a web
  browser is not affected by this, and it brings Chromium in line with the
  regulations that prebuilt binaries should not be shipped.
  * toolchaing_linux tarball dropped
  * Spec-file cleaned for NaCl stuff
- Added patch no-clang-on-packman.diff to prevent the usage of clang on
  packman, which is not supported there

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

  zypper in -t patch openSUSE-2014-634

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.1 (i586 x86_64):

  chromedriver-38.0.2125.104-54.4
  chromedriver-debuginfo-38.0.2125.104-54.4
  chromium-38.0.2125.104-54.4
  chromium-debuginfo-38.0.2125.104-54.4
  chromium-debugsource-38.0.2125.104-54.4
  chromium-desktop-gnome-38.0.2125.104-54.4
  chromium-desktop-kde-38.0.2125.104-54.4
  chromium-ffmpegsumo-38.0.2125.104-54.4
  chromium-ffmpegsumo-debuginfo-38.0.2125.104-54.4

References:

  http://support.novell.com/security/cve/CVE-2014-3178.html
  http://support.novell.com/security/cve/CVE-2014-3188.html
  http://support.novell.com/security/cve/CVE-2014-3189.html
  http://support.novell.com/security/cve/CVE-2014-3190.html
  http://support.novell.com/security/cve/CVE-2014-3191.html
  http://support.novell.com/security/cve/CVE-2014-3192.html
  http://support.novell.com/security/cve/CVE-2014-3193.html
  http://support.novell.com/security/cve/CVE-2014-3194.html
  http://support.novell.com/security/cve/CVE-2014-3195.html
  http://support.novell.com/security/cve/CVE-2014-3196.html
  http://support.novell.com/security/cve/CVE-2014-3197.html
  http://support.novell.com/security/cve/CVE-2014-3198.html
  http://support.novell.com/security/cve/CVE-2014-3199.html
  http://support.novell.com/security/cve/CVE-2014-3200.html
  https://bugzilla.suse.com/show_bug.cgi?id=896106
participants (1)
-
opensuse-security@opensuse.org
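
After running the patch command from the advisory, a host's package inventory can be checked against the fixed version in the package list. The script below is an added example, not part of the announcement or of openSUSE tooling; the function names and the sample inventory are constructed, and it assumes GNU sort -V ordering as a stand-in for rpm's own version comparison.

```shell
#!/bin/sh
# Fixed version-release taken from the advisory's package list.
FIXED="38.0.2125.104-54.4"
# Runtime package names from the advisory (debuginfo/debugsource omitted).
ADVISORY_PKGS="chromedriver chromium chromium-desktop-gnome chromium-desktop-kde chromium-ffmpegsumo"

# ver_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU sort -V approximates rpm version ordering; it agrees for
# plain dotted-numeric version-release strings like those in this advisory.
ver_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# find_unpatched: reads "name version-release" lines on stdin and prints
# every advisory package that is still below FIXED.
find_unpatched() {
    while read -r name evr; do
        for p in $ADVISORY_PKGS; do
            if [ "$name" = "$p" ] && ver_lt "$evr" "$FIXED"; then
                printf '%s %s\n' "$name" "$evr"
            fi
        done
    done
}

# Constructed sample inventory (not real host data): one package already at
# the fixed version, two older ones, and one unrelated package.
sample_inventory() {
    cat <<'EOF'
chromium 37.0.2062.94-50.1
chromedriver 38.0.2125.104-54.4
chromium-ffmpegsumo 38.0.2125.101-54.1
firefox 33.0-46.2
EOF
}

# On a real host, feed the rpm database instead of the sample:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | find_unpatched
sample_inventory | find_unpatched
```

Empty output means every installed package named in the advisory is at or above the fixed version.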