RedHat: RHSA-2019-3211:01 Critical: chromium-browser security update

    Date 29 Oct 2019
    Posted By LinuxSecurity Advisories
    =====================================================================
                       Red Hat Security Advisory
    
    Synopsis:          Critical: chromium-browser security update
    Advisory ID:       RHSA-2019:3211-01
    Product:           Red Hat Enterprise Linux Supplementary
    Advisory URL:      https://access.redhat.com/errata/RHSA-2019:3211
    Issue date:        2019-10-29
    CVE Names:         CVE-2019-5870 CVE-2019-5871 CVE-2019-5872 
                       CVE-2019-5874 CVE-2019-5875 CVE-2019-5876 
                       CVE-2019-5877 CVE-2019-5878 CVE-2019-5879 
                       CVE-2019-5880 CVE-2019-5881 CVE-2019-13659 
                       CVE-2019-13660 CVE-2019-13661 CVE-2019-13662 
                       CVE-2019-13663 CVE-2019-13664 CVE-2019-13665 
                       CVE-2019-13666 CVE-2019-13667 CVE-2019-13668 
                       CVE-2019-13669 CVE-2019-13670 CVE-2019-13671 
                       CVE-2019-13673 CVE-2019-13674 CVE-2019-13675 
                       CVE-2019-13676 CVE-2019-13677 CVE-2019-13678 
                       CVE-2019-13679 CVE-2019-13680 CVE-2019-13681 
                       CVE-2019-13682 CVE-2019-13686 CVE-2019-13688 
                       CVE-2019-13691 CVE-2019-13692 CVE-2019-13693 
                       CVE-2019-13694 CVE-2019-13695 CVE-2019-13696 
                       CVE-2019-13697 
    =====================================================================
    
    1. Summary:
    
    An update for chromium-browser is now available for Red Hat Enterprise
    Linux 6 Supplementary.
    
    Red Hat Product Security has rated this update as having a security impact
    of Critical. A Common Vulnerability Scoring System (CVSS) base score, which
    gives a detailed severity rating, is available for each vulnerability from
    the CVE link(s) in the References section.
    
    2. Relevant releases/architectures:
    
    Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, i686, x86_64
    Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - i686, x86_64
    Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, i686, x86_64
    Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, i686, x86_64
    
    3. Description:
    
    Chromium is an open-source web browser, powered by WebKit (Blink).
    
    This update upgrades Chromium to version 77.0.3865.120.
    
    Security Fix(es):
    
    * chromium-browser: Use-after-free in media (CVE-2019-5870)
    
    * chromium-browser: Heap overflow in Skia (CVE-2019-5871)
    
    * chromium-browser: Use-after-free in Mojo (CVE-2019-5872)
    
    * chromium-browser: External URIs may trigger other browsers
    (CVE-2019-5874)
    
    * chromium-browser: URL bar spoof via download redirect (CVE-2019-5875)
    
    * chromium-browser: Use-after-free in media (CVE-2019-5876)
    
    * chromium-browser: Out-of-bounds access in V8 (CVE-2019-5877)
    
    * chromium-browser: Use-after-free in V8 (CVE-2019-5878)
    
    * chromium-browser: Use-after-free in offline pages (CVE-2019-13686)
    
    * chromium-browser: Use-after-free in media (CVE-2019-13688)
    
    * chromium-browser: Omnibox spoof (CVE-2019-13691)
    
    * chromium-browser: SOP bypass (CVE-2019-13692)
    
    * chromium-browser: Use-after-free in IndexedDB (CVE-2019-13693)
    
    * chromium-browser: Use-after-free in WebRTC (CVE-2019-13694)
    
    * chromium-browser: Use-after-free in audio (CVE-2019-13695)
    
    * chromium-browser: Use-after-free in V8 (CVE-2019-13696)
    
    * chromium-browser: Cross-origin size leak (CVE-2019-13697)
    
    * chromium-browser: Extensions can read some local files (CVE-2019-5879)
    
    * chromium-browser: SameSite cookie bypass (CVE-2019-5880)
    
    * chromium-browser: Arbitrary read in SwiftShader (CVE-2019-5881)
    
    * chromium-browser: URL spoof (CVE-2019-13659)
    
    * chromium-browser: Full screen notification overlap (CVE-2019-13660)
    
    * chromium-browser: Full screen notification spoof (CVE-2019-13661)
    
    * chromium-browser: CSP bypass (CVE-2019-13662)
    
    * chromium-browser: IDN spoof (CVE-2019-13663)
    
    * chromium-browser: CSRF bypass (CVE-2019-13664)
    
    * chromium-browser: Multiple file download protection bypass
    (CVE-2019-13665)
    
    * chromium-browser: Side channel using storage size estimate
    (CVE-2019-13666)
    
    * chromium-browser: URI bar spoof when using external app URIs
    (CVE-2019-13667)
    
    * chromium-browser: Global window leak via console (CVE-2019-13668)
    
    * chromium-browser: HTTP authentication spoof (CVE-2019-13669)
    
    * chromium-browser: V8 memory corruption in regex (CVE-2019-13670)
    
    * chromium-browser: Dialog box fails to show origin (CVE-2019-13671)
    
    * chromium-browser: Cross-origin information leak using devtools
    (CVE-2019-13673)
    
    * chromium-browser: IDN spoofing (CVE-2019-13674)
    
    * chromium-browser: Extensions can be disabled by trailing slash
    (CVE-2019-13675)
    
    * chromium-browser: Google URI shown for certificate warning
    (CVE-2019-13676)
    
    * chromium-browser: Chrome web store origin needs to be isolated
    (CVE-2019-13677)
    
    * chromium-browser: Download dialog spoofing (CVE-2019-13678)
    
    * chromium-browser: User gesture needed for printing (CVE-2019-13679)
    
    * chromium-browser: IP address spoofing to servers (CVE-2019-13680)
    
    * chromium-browser: Bypass on download restrictions (CVE-2019-13681)
    
    * chromium-browser: Site isolation bypass (CVE-2019-13682)
    
    For more details about the security issue(s), including the impact, a CVSS
    score, acknowledgments, and other related information, refer to the CVE
    page(s) listed in the References section.
    
    4. Solution:
    
    For details on how to apply this update, which includes the changes
    described in this advisory, refer to:
    
    https://access.redhat.com/articles/11258
    
    After installing the update, Chromium must be restarted for the changes to
    take effect.
    
    5. Bugs fixed (https://bugzilla.redhat.com/):
    
    1762366 - CVE-2019-5870 chromium-browser: Use-after-free in media
    1762367 - CVE-2019-5871 chromium-browser: Heap overflow in Skia
    1762368 - CVE-2019-5872 chromium-browser: Use-after-free in Mojo
    1762370 - CVE-2019-5874 chromium-browser: External URIs may trigger other browsers
    1762371 - CVE-2019-5875 chromium-browser: URL bar spoof via download redirect
    1762372 - CVE-2019-13691 chromium-browser: Omnibox spoof
    1762373 - CVE-2019-13692 chromium-browser: SOP bypass
    1762374 - CVE-2019-5876 chromium-browser: Use-after-free in media
    1762375 - CVE-2019-5877 chromium-browser: Out-of-bounds access in V8
    1762376 - CVE-2019-5878 chromium-browser: Use-after-free in V8
    1762377 - CVE-2019-5879 chromium-browser: Extensions can read some local files
    1762378 - CVE-2019-5880 chromium-browser: SameSite cookie bypass
    1762379 - CVE-2019-5881 chromium-browser: Arbitrary read in SwiftShader
    1762380 - CVE-2019-13659 chromium-browser: URL spoof
    1762381 - CVE-2019-13660 chromium-browser: Full screen notification overlap
    1762382 - CVE-2019-13661 chromium-browser: Full screen notification spoof
    1762383 - CVE-2019-13662 chromium-browser: CSP bypass
    1762384 - CVE-2019-13663 chromium-browser: IDN spoof
    1762385 - CVE-2019-13664 chromium-browser: CSRF bypass
    1762386 - CVE-2019-13665 chromium-browser: Multiple file download protection bypass
    1762387 - CVE-2019-13666 chromium-browser: Side channel using storage size estimate
    1762388 - CVE-2019-13667 chromium-browser: URI bar spoof when using external app URIs
    1762389 - CVE-2019-13668 chromium-browser: Global window leak via console
    1762390 - CVE-2019-13669 chromium-browser: HTTP authentication spoof
    1762391 - CVE-2019-13670 chromium-browser: V8 memory corruption in regex
    1762392 - CVE-2019-13671 chromium-browser: Dialog box fails to show origin
    1762393 - CVE-2019-13673 chromium-browser: Cross-origin information leak using devtools
    1762394 - CVE-2019-13674 chromium-browser: IDN spoofing
    1762395 - CVE-2019-13675 chromium-browser: Extensions can be disabled by trailing slash
    1762396 - CVE-2019-13676 chromium-browser: Google URI shown for certificate warning
    1762397 - CVE-2019-13677 chromium-browser: Chrome web store origin needs to be isolated
    1762398 - CVE-2019-13678 chromium-browser: Download dialog spoofing
    1762399 - CVE-2019-13679 chromium-browser: User gesture needed for printing
    1762400 - CVE-2019-13680 chromium-browser: IP address spoofing to servers
    1762401 - CVE-2019-13681 chromium-browser: Bypass on download restrictions
    1762402 - CVE-2019-13682 chromium-browser: Site isolation bypass
    1762474 - CVE-2019-13688 chromium-browser: Use-after-free in media
    1762476 - CVE-2019-13686 chromium-browser: Use-after-free in offline pages
    1762518 - CVE-2019-13693 chromium-browser: Use-after-free in IndexedDB
    1762519 - CVE-2019-13694 chromium-browser: Use-after-free in WebRTC
    1762520 - CVE-2019-13695 chromium-browser: Use-after-free in audio
    1762521 - CVE-2019-13696 chromium-browser: Use-after-free in V8
    1762522 - CVE-2019-13697 chromium-browser: Cross-origin size leak
    
    6. Package List:
    
    Red Hat Enterprise Linux Desktop Supplementary (v. 6):
    
    i386:
    chromium-browser-77.0.3865.120-2.el6_10.i686.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.i686.rpm
    
    i686:
    chromium-browser-77.0.3865.120-2.el6_10.i686.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.i686.rpm
    
    x86_64:
    chromium-browser-77.0.3865.120-2.el6_10.x86_64.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.x86_64.rpm
    
    Red Hat Enterprise Linux HPC Node Supplementary (v. 6):
    
    i686:
    chromium-browser-77.0.3865.120-2.el6_10.i686.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.i686.rpm
    
    x86_64:
    chromium-browser-77.0.3865.120-2.el6_10.x86_64.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.x86_64.rpm
    
    Red Hat Enterprise Linux Server Supplementary (v. 6):
    
    i386:
    chromium-browser-77.0.3865.120-2.el6_10.i686.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.i686.rpm
    
    i686:
    chromium-browser-77.0.3865.120-2.el6_10.i686.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.i686.rpm
    
    x86_64:
    chromium-browser-77.0.3865.120-2.el6_10.x86_64.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.x86_64.rpm
    
    Red Hat Enterprise Linux Workstation Supplementary (v. 6):
    
    i386:
    chromium-browser-77.0.3865.120-2.el6_10.i686.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.i686.rpm
    
    i686:
    chromium-browser-77.0.3865.120-2.el6_10.i686.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.i686.rpm
    
    x86_64:
    chromium-browser-77.0.3865.120-2.el6_10.x86_64.rpm
    chromium-browser-debuginfo-77.0.3865.120-2.el6_10.x86_64.rpm
    
    These packages are GPG signed by Red Hat for security.  Our key and
    details on how to verify the signature are available from
    https://access.redhat.com/security/team/key/
    
    7. References:
    
    https://access.redhat.com/security/cve/CVE-2019-5870
    https://access.redhat.com/security/cve/CVE-2019-5871
    https://access.redhat.com/security/cve/CVE-2019-5872
    https://access.redhat.com/security/cve/CVE-2019-5874
    https://access.redhat.com/security/cve/CVE-2019-5875
    https://access.redhat.com/security/cve/CVE-2019-5876
    https://access.redhat.com/security/cve/CVE-2019-5877
    https://access.redhat.com/security/cve/CVE-2019-5878
    https://access.redhat.com/security/cve/CVE-2019-5879
    https://access.redhat.com/security/cve/CVE-2019-5880
    https://access.redhat.com/security/cve/CVE-2019-5881
    https://access.redhat.com/security/cve/CVE-2019-13659
    https://access.redhat.com/security/cve/CVE-2019-13660
    https://access.redhat.com/security/cve/CVE-2019-13661
    https://access.redhat.com/security/cve/CVE-2019-13662
    https://access.redhat.com/security/cve/CVE-2019-13663
    https://access.redhat.com/security/cve/CVE-2019-13664
    https://access.redhat.com/security/cve/CVE-2019-13665
    https://access.redhat.com/security/cve/CVE-2019-13666
    https://access.redhat.com/security/cve/CVE-2019-13667
    https://access.redhat.com/security/cve/CVE-2019-13668
    https://access.redhat.com/security/cve/CVE-2019-13669
    https://access.redhat.com/security/cve/CVE-2019-13670
    https://access.redhat.com/security/cve/CVE-2019-13671
    https://access.redhat.com/security/cve/CVE-2019-13673
    https://access.redhat.com/security/cve/CVE-2019-13674
    https://access.redhat.com/security/cve/CVE-2019-13675
    https://access.redhat.com/security/cve/CVE-2019-13676
    https://access.redhat.com/security/cve/CVE-2019-13677
    https://access.redhat.com/security/cve/CVE-2019-13678
    https://access.redhat.com/security/cve/CVE-2019-13679
    https://access.redhat.com/security/cve/CVE-2019-13680
    https://access.redhat.com/security/cve/CVE-2019-13681
    https://access.redhat.com/security/cve/CVE-2019-13682
    https://access.redhat.com/security/cve/CVE-2019-13686
    https://access.redhat.com/security/cve/CVE-2019-13688
    https://access.redhat.com/security/cve/CVE-2019-13691
    https://access.redhat.com/security/cve/CVE-2019-13692
    https://access.redhat.com/security/cve/CVE-2019-13693
    https://access.redhat.com/security/cve/CVE-2019-13694
    https://access.redhat.com/security/cve/CVE-2019-13695
    https://access.redhat.com/security/cve/CVE-2019-13696
    https://access.redhat.com/security/cve/CVE-2019-13697
    https://access.redhat.com/security/updates/classification/#critical
    
    8. Contact:
    
    The Red Hat security contact is . More contact
    details at https://access.redhat.com/security/team/contact/
    
    Copyright 2019 Red Hat, Inc.
    
    --
    RHSA-announce mailing list
    https://www.redhat.com/mailman/listinfo/rhsa-announce
    
    
