A chromium security update has been released for SUSE Linux Enterprise 15 SP4/SP5.



openSUSE-SU-2023:0234-1: important: Security update for chromium


openSUSE Security Update: Security update for chromium
_______________________________

Announcement ID: openSUSE-SU-2023:0234-1
Rating: important
References: #1214003 #1214301
Cross-References: CVE-2023-2312 CVE-2023-4349 CVE-2023-4350
CVE-2023-4351 CVE-2023-4352 CVE-2023-4353
CVE-2023-4354 CVE-2023-4355 CVE-2023-4356
CVE-2023-4357 CVE-2023-4358 CVE-2023-4359
CVE-2023-4360 CVE-2023-4361 CVE-2023-4362
CVE-2023-4363 CVE-2023-4364 CVE-2023-4365
CVE-2023-4366 CVE-2023-4367 CVE-2023-4368

Affected Products:
openSUSE Backports SLE-15-SP4
openSUSE Backports SLE-15-SP5
_______________________________

An update that fixes 21 vulnerabilities is now available.

Description:

This update for chromium fixes the following issues:

Chromium 116.0.5845.96

* New CSS features: Motion Path, and "display" and "content-visibility"
animations
* Web APIs: AbortSignal.any(), BYOB support for Fetch, Back/forward cache
NotRestoredReason API, Document Picture-in-Picture, Expanded Wildcards
in Permissions Policy Origins, FedCM bundle: Login Hint API, User Info
API, and RP Context API, Non-composed Mouse and Pointer enter/leave
events, Remove document.open sandbox inheritance, Report Critical-CH
caused restart in NavigationTiming

This update fixes a number of security issues (boo#1214301):

* CVE-2023-2312: Use after free in Offline
* CVE-2023-4349: Use after free in Device Trust Connectors
* CVE-2023-4350: Inappropriate implementation in Fullscreen
* CVE-2023-4351: Use after free in Network
* CVE-2023-4352: Type Confusion in V8
* CVE-2023-4353: Heap buffer overflow in ANGLE
* CVE-2023-4354: Heap buffer overflow in Skia
* CVE-2023-4355: Out of bounds memory access in V8
* CVE-2023-4356: Use after free in Audio
* CVE-2023-4357: Insufficient validation of untrusted input in XML
* CVE-2023-4358: Use after free in DNS
* CVE-2023-4359: Inappropriate implementation in App Launcher
* CVE-2023-4360: Inappropriate implementation in Color
* CVE-2023-4361: Inappropriate implementation in Autofill
* CVE-2023-4362: Heap buffer overflow in Mojom IDL
* CVE-2023-4363: Inappropriate implementation in WebShare
* CVE-2023-4364: Inappropriate implementation in Permission Prompts
* CVE-2023-4365: Inappropriate implementation in Fullscreen
* CVE-2023-4366: Use after free in Extensions
* CVE-2023-4367: Insufficient policy enforcement in Extensions API
* CVE-2023-4368: Insufficient policy enforcement in Extensions API

- Fix crash with extensions (boo#1214003)

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP5:

zypper in -t patch openSUSE-2023-234=1

- openSUSE Backports SLE-15-SP4:

zypper in -t patch openSUSE-2023-234=1

Package List:

- openSUSE Backports SLE-15-SP5 (aarch64 x86_64):

chromedriver-116.0.5845.96-bp155.2.19.1
chromedriver-debuginfo-116.0.5845.96-bp155.2.19.1
chromium-116.0.5845.96-bp155.2.19.1
chromium-debuginfo-116.0.5845.96-bp155.2.19.1

- openSUSE Backports SLE-15-SP4 (aarch64 x86_64):

chromedriver-116.0.5845.96-bp154.2.105.1
chromium-116.0.5845.96-bp154.2.105.1

References:

https://www.suse.com/security/cve/CVE-2023-2312.html
https://www.suse.com/security/cve/CVE-2023-4349.html
https://www.suse.com/security/cve/CVE-2023-4350.html
https://www.suse.com/security/cve/CVE-2023-4351.html
https://www.suse.com/security/cve/CVE-2023-4352.html
https://www.suse.com/security/cve/CVE-2023-4353.html
https://www.suse.com/security/cve/CVE-2023-4354.html
https://www.suse.com/security/cve/CVE-2023-4355.html
https://www.suse.com/security/cve/CVE-2023-4356.html
https://www.suse.com/security/cve/CVE-2023-4357.html
https://www.suse.com/security/cve/CVE-2023-4358.html
https://www.suse.com/security/cve/CVE-2023-4359.html
https://www.suse.com/security/cve/CVE-2023-4360.html
https://www.suse.com/security/cve/CVE-2023-4361.html
https://www.suse.com/security/cve/CVE-2023-4362.html
https://www.suse.com/security/cve/CVE-2023-4363.html
https://www.suse.com/security/cve/CVE-2023-4364.html
https://www.suse.com/security/cve/CVE-2023-4365.html
https://www.suse.com/security/cve/CVE-2023-4366.html
https://www.suse.com/security/cve/CVE-2023-4367.html
https://www.suse.com/security/cve/CVE-2023-4368.html
https://bugzilla.suse.com/1214003
https://bugzilla.suse.com/1214301