openSUSE Security Update: Security update for chromium

Announcement ID:    openSUSE-SU-2021:0840-1
Rating:             important
References:         #1186458 
Cross-References:   CVE-2021-21212 CVE-2021-30521 CVE-2021-30522
                    CVE-2021-30523 CVE-2021-30524 CVE-2021-30525
                    CVE-2021-30526 CVE-2021-30527 CVE-2021-30528
                    CVE-2021-30529 CVE-2021-30530 CVE-2021-30531
                    CVE-2021-30532 CVE-2021-30533 CVE-2021-30534
                    CVE-2021-30535 CVE-2021-30536 CVE-2021-30537
                    CVE-2021-30538 CVE-2021-30539 CVE-2021-30540
CVSS scores:
                    CVE-2021-21212 (NVD) : 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Affected Products:
                    openSUSE Backports SLE-15-SP3

   An update that fixes 21 vulnerabilities is now available.


   This update for chromium fixes the following issues:

   Chromium 91.0.4472.77 (boo#1186458):

   * Support Managed configuration API for Web Applications
   * WebOTP API: cross-origin iframe support
   * CSS custom counter styles
   * Support JSON Modules
   * Clipboard: read-only files support
   * Remove webkitBeforeTextInserted & webkitEditableCOntentChanged JS events
   * Honor media HTML attribute for link icon
   * Import Assertions
   * Class static initializer blocks
   * Ergonomic brand checks for private fields
   * Expose WebAssembly SIMD
   * New Feature: WebTransport
   * ES Modules for service workers ('module' type option)
   * Suggested file name and location for the File System Access API
   * adaptivePTime property for RTCRtpEncodingParameters
   * Block HTTP port 10080 - mitigation for NAT Slipstream 2.0 attack
   * Support WebSockets over HTTP/2
   * Support 103 Early Hints for Navigation
   * CVE-2021-30521: Heap buffer overflow in Autofill
   * CVE-2021-30522: Use after free in WebAudio
   * CVE-2021-30523: Use after free in WebRTC
   * CVE-2021-30524: Use after free in TabStrip
   * CVE-2021-30525: Use after free in TabGroups
   * CVE-2021-30526: Out of bounds write in TabStrip
   * CVE-2021-30527: Use after free in WebUI
   * CVE-2021-30528: Use after free in WebAuthentication
   * CVE-2021-30529: Use after free in Bookmarks
   * CVE-2021-30530: Out of bounds memory access in WebAudio
   * CVE-2021-30531: Insufficient policy enforcement in Content Security
   * CVE-2021-30532: Insufficient policy enforcement in Content Security
   * CVE-2021-30533: Insufficient policy enforcement in PopupBlocker
   * CVE-2021-30534: Insufficient policy enforcement in iFrameSandbox
   * CVE-2021-30535: Double free in ICU
   * CVE-2021-21212: Insufficient data validation in networking
   * CVE-2021-30536: Out of bounds read in V8
   * CVE-2021-30537: Insufficient policy enforcement in cookies
   * CVE-2021-30538: Insufficient policy enforcement in content security
   * CVE-2021-30539: Insufficient policy enforcement in content security
   * CVE-2021-30540: Incorrect security UI in payments
   * Various fixes from internal audits, fuzzing and other initiatives

Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2021-840=1

Package List:

   - openSUSE Backports SLE-15-SP3 (x86_64):