SUSE 5181 Published by

The following two security updates are available for SUSE Linux Enterprise 15:

openSUSE-SU-2024:0021-1: moderate: Security update for perl-Spreadsheet-ParseXLSX
openSUSE-SU-2024:0020-1: important: Security update for chromium




openSUSE-SU-2024:0021-1: moderate: Security update for perl-Spreadsheet-ParseXLSX


openSUSE Security Update: Security update for perl-Spreadsheet-ParseXLSX
_______________________________

Announcement ID: openSUSE-SU-2024:0021-1
Rating: moderate
References: #1218651
Cross-References: CVE-2024-22368
Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes one vulnerability is now available.

Description:

This update for perl-Spreadsheet-ParseXLSX fixes the following issues:

Updated to 0.29:

see /usr/share/doc/packages/perl-Spreadsheet-ParseXLSX/Changes

0.29:

- Fix for 'Argument "" isn't numeric in addition (+) at /usr/local/sharâ¦
- Incorrect cell values due to phonetic data doy#72
- Fix die message in parse()
- Cannot open password protected SHA1 encrypted files. doy#68
- use date format detection based on Spreadsheet::XLSX
- Add rudimentary support for hyperlinks in cells

0.28:

- CVE-2024-22368: out-of-memory condition during parsing of a crafted XLSX
document (boo#1218651)

- Fix possible memory bomb as reported in
https://github.com/haile01/perl_spreadsheet_excel_rce_poc/blob/main/parse_x
lsx_bomb.md
- Updated Dist::Zilla configuration fixing deprecation warnings

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-21=1

Package List:

- openSUSE Backports SLE-15-SP5 (noarch):

perl-Spreadsheet-ParseXLSX-0.290.0-bp155.2.3.1

References:

https://www.suse.com/security/cve/CVE-2024-22368.html
https://bugzilla.suse.com/1218651



openSUSE-SU-2024:0020-1: important: Security update for chromium


openSUSE Security Update: Security update for chromium
_______________________________

Announcement ID: openSUSE-SU-2024:0020-1
Rating: important
References: #1217839 #1218048 #1218302 #1218303 #1218533
#1218719
Cross-References: CVE-2023-6508 CVE-2023-6509 CVE-2023-6510
CVE-2023-6511 CVE-2023-6512 CVE-2023-6702
CVE-2023-6703 CVE-2023-6704 CVE-2023-6705
CVE-2023-6706 CVE-2023-6707 CVE-2023-7024
CVE-2024-0222 CVE-2024-0223 CVE-2024-0224
CVE-2024-0225 CVE-2024-0333
CVSS scores:
CVE-2023-6508 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-6509 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-6510 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-6511 (NVD) : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
CVE-2023-6512 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVE-2023-6702 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-6703 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-6704 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-6704 (SUSE): 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-6705 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-6706 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-6707 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-7024 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-0222 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-0223 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-0224 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2024-0225 (NVD) : 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products:
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes 17 vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

- Chromium 120.0.6099.216 (boo#1217839, boo#1218048, boo#1218302,
boo#1218533, boo#1218719)

* CVE-2024-0333: Insufficient data validation in Extensions
* CVE-2024-0222: Use after free in ANGLE
* CVE-2024-0223: Heap buffer overflow in ANGLE
* CVE-2024-0224: Use after free in WebAudio
* CVE-2024-0225: Use after free in WebGPU
* CVE-2023-7024: Heap buffer overflow in WebRTC
* CVE-2023-6702: Type Confusion in V8
* CVE-2023-6703: Use after free in Blink
* CVE-2023-6704: Use after free in libavif (boo#1218303)
* CVE-2023-6705: Use after free in WebRTC
* CVE-2023-6706: Use after free in FedCM
* CVE-2023-6707: Use after free in CSS
* CVE-2023-6508: Use after free in Media Stream
* CVE-2023-6509: Use after free in Side Panel Search
* CVE-2023-6510: Use after free in Media Capture
* CVE-2023-6511: Inappropriate implementation in Autofill
* CVE-2023-6512: Inappropriate implementation in Web Browser UI

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2024-20=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 x86_64):

chromedriver-120.0.6099.216-bp155.2.64.1
chromium-120.0.6099.216-bp155.2.64.1

References:

https://www.suse.com/security/cve/CVE-2023-6508.html
https://www.suse.com/security/cve/CVE-2023-6509.html
https://www.suse.com/security/cve/CVE-2023-6510.html
https://www.suse.com/security/cve/CVE-2023-6511.html
https://www.suse.com/security/cve/CVE-2023-6512.html
https://www.suse.com/security/cve/CVE-2023-6702.html
https://www.suse.com/security/cve/CVE-2023-6703.html
https://www.suse.com/security/cve/CVE-2023-6704.html
https://www.suse.com/security/cve/CVE-2023-6705.html
https://www.suse.com/security/cve/CVE-2023-6706.html
https://www.suse.com/security/cve/CVE-2023-6707.html
https://www.suse.com/security/cve/CVE-2023-7024.html
https://www.suse.com/security/cve/CVE-2024-0222.html
https://www.suse.com/security/cve/CVE-2024-0223.html
https://www.suse.com/security/cve/CVE-2024-0224.html
https://www.suse.com/security/cve/CVE-2024-0225.html
https://www.suse.com/security/cve/CVE-2024-0333.html
https://bugzilla.suse.com/1217839
https://bugzilla.suse.com/1218048
https://bugzilla.suse.com/1218302
https://bugzilla.suse.com/1218303
https://bugzilla.suse.com/1218533
https://bugzilla.suse.com/1218719