Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1462-1 Final 1 1 2021-11-08T14:24:30Z current 2021-11-08T14:24:30Z 2021-11-08T14:24:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium This update for chromium fixes the following issues: Chromium 95.0.4638.69 (boo#1192184): * CVE-2021-37997: Use after free in Sign-In * CVE-2021-37998: Use after free in Garbage Collection * CVE-2021-37999: Insufficient data validation in New Tab Page * CVE-2021-38000: Insufficient validation of untrusted input in Intents * CVE-2021-38001: Type Confusion in V8 * CVE-2021-38002: Use after free in Web Transport * CVE-2021-38003: Inappropriate implementation in V8 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1462 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LILU2Q77SAPFWPTS2P4ZOLY6WZ3NJCJN/ E-Mail link for openSUSE-SU-2021:1462-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1192184 SUSE Bug 1192184 https://www.suse.com/security/cve/CVE-2021-37997/ SUSE CVE CVE-2021-37997 page https://www.suse.com/security/cve/CVE-2021-37998/ SUSE CVE CVE-2021-37998 page https://www.suse.com/security/cve/CVE-2021-37999/ SUSE CVE CVE-2021-37999 page https://www.suse.com/security/cve/CVE-2021-38000/ SUSE CVE CVE-2021-38000 page https://www.suse.com/security/cve/CVE-2021-38001/ SUSE CVE CVE-2021-38001 page https://www.suse.com/security/cve/CVE-2021-38002/ SUSE CVE CVE-2021-38002 page https://www.suse.com/security/cve/CVE-2021-38003/ SUSE CVE CVE-2021-38003 page SUSE Package Hub 15 SP3 openSUSE Leap 15.2 openSUSE Leap 15.3 chromedriver-95.0.4638.69-bp153.2.40.3 chromium-95.0.4638.69-bp153.2.40.3 chromedriver-95.0.4638.69-bp153.2.40.3 as a component of SUSE Package Hub 15 SP3 chromium-95.0.4638.69-bp153.2.40.3 as a component of SUSE Package Hub 15 SP3 chromedriver-95.0.4638.69-bp153.2.40.3 as a component of openSUSE Leap 15.2 chromium-95.0.4638.69-bp153.2.40.3 as a component of openSUSE Leap 15.2 chromedriver-95.0.4638.69-bp153.2.40.3 as a component of openSUSE Leap 15.3 chromium-95.0.4638.69-bp153.2.40.3 as a component of openSUSE Leap 15.3 Use after free in Sign-In in Google Chrome prior to 95.0.4638.69 allowed a remote attacker who convinced a user to sign into Chrome to potentially exploit heap corruption via a crafted HTML page. CVE-2021-37997 SUSE Package Hub 15 SP3:chromedriver-95.0.4638.69-bp153.2.40.3 SUSE Package Hub 15 SP3:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromium-95.0.4638.69-bp153.2.40.3 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LILU2Q77SAPFWPTS2P4ZOLY6WZ3NJCJN/ https://www.suse.com/security/cve/CVE-2021-37997.html CVE-2021-37997 https://bugzilla.suse.com/1192184 SUSE Bug 1192184 Use after free in Garbage Collection in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-37998 SUSE Package Hub 15 SP3:chromedriver-95.0.4638.69-bp153.2.40.3 SUSE Package Hub 15 SP3:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromium-95.0.4638.69-bp153.2.40.3 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LILU2Q77SAPFWPTS2P4ZOLY6WZ3NJCJN/ https://www.suse.com/security/cve/CVE-2021-37998.html CVE-2021-37998 https://bugzilla.suse.com/1192184 SUSE Bug 1192184 Insufficient data validation in New Tab Page in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to inject arbitrary scripts or HTML in a new browser tab via a crafted HTML page. CVE-2021-37999 SUSE Package Hub 15 SP3:chromedriver-95.0.4638.69-bp153.2.40.3 SUSE Package Hub 15 SP3:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromium-95.0.4638.69-bp153.2.40.3 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LILU2Q77SAPFWPTS2P4ZOLY6WZ3NJCJN/ https://www.suse.com/security/cve/CVE-2021-37999.html CVE-2021-37999 https://bugzilla.suse.com/1192184 SUSE Bug 1192184 Insufficient validation of untrusted input in Intents in Google Chrome on Android prior to 95.0.4638.69 allowed a remote attacker to arbitrarily browser to a malicious URL via a crafted HTML page. CVE-2021-38000 SUSE Package Hub 15 SP3:chromedriver-95.0.4638.69-bp153.2.40.3 SUSE Package Hub 15 SP3:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromium-95.0.4638.69-bp153.2.40.3 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LILU2Q77SAPFWPTS2P4ZOLY6WZ3NJCJN/ https://www.suse.com/security/cve/CVE-2021-38000.html CVE-2021-38000 https://bugzilla.suse.com/1192184 SUSE Bug 1192184 Type confusion in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-38001 SUSE Package Hub 15 SP3:chromedriver-95.0.4638.69-bp153.2.40.3 SUSE Package Hub 15 SP3:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromium-95.0.4638.69-bp153.2.40.3 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LILU2Q77SAPFWPTS2P4ZOLY6WZ3NJCJN/ https://www.suse.com/security/cve/CVE-2021-38001.html CVE-2021-38001 https://bugzilla.suse.com/1192184 SUSE Bug 1192184 Use after free in Web Transport in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. CVE-2021-38002 SUSE Package Hub 15 SP3:chromedriver-95.0.4638.69-bp153.2.40.3 SUSE Package Hub 15 SP3:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromium-95.0.4638.69-bp153.2.40.3 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LILU2Q77SAPFWPTS2P4ZOLY6WZ3NJCJN/ https://www.suse.com/security/cve/CVE-2021-38002.html CVE-2021-38002 https://bugzilla.suse.com/1192184 SUSE Bug 1192184 Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2021-38003 SUSE Package Hub 15 SP3:chromedriver-95.0.4638.69-bp153.2.40.3 SUSE Package Hub 15 SP3:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.2:chromium-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromedriver-95.0.4638.69-bp153.2.40.3 openSUSE Leap 15.3:chromium-95.0.4638.69-bp153.2.40.3 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LILU2Q77SAPFWPTS2P4ZOLY6WZ3NJCJN/ https://www.suse.com/security/cve/CVE-2021-38003.html CVE-2021-38003 https://bugzilla.suse.com/1192184 SUSE Bug 1192184