Security update for Chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2018:1175-1 Final 1 1 2018-05-27T11:26:33Z current 2018-05-27T11:26:33Z 2018-05-27T11:26:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for Chromium This update for Chromium to version 66.0.3359.181 fixes the following issues: - CVE-2018-6118: Use after free in Media Cache (bsc#1091288) - CVE-2018-6085: Use after free in Disk Cache - CVE-2018-6086: Use after free in Disk Cache - CVE-2018-6087: Use after free in WebAssembly - CVE-2018-6088: Use after free in PDFium - CVE-2018-6089: Same origin policy bypass in Service Worker - CVE-2018-6090: Heap buffer overflow in Skia - CVE-2018-6091: Incorrect handling of plug-ins by Service Worker - CVE-2018-6092: Integer overflow in WebAssembly - CVE-2018-6093: Same origin bypass in Service Worker - CVE-2018-6094: Exploit hardening regression in Oilpan - CVE-2018-6095: Lack of meaningful user interaction requirement before file upload - CVE-2018-6096: Fullscreen UI spoof - CVE-2018-6097: Fullscreen UI spoof - CVE-2018-6098: URL spoof in Omnibox - CVE-2018-6099: CORS bypass in ServiceWorker - CVE-2018-6100: URL spoof in Omnibox - CVE-2018-6101: Insufficient protection of remote debugging prototol in DevTools - CVE-2018-6102: URL spoof in Omnibox - CVE-2018-6103: UI spoof in Permissions - CVE-2018-6104: URL spoof in Omnibox - CVE-2018-6105: URL spoof in Omnibox - CVE-2018-6106: Incorrect handling of promises in V8 - CVE-2018-6107: URL spoof in Omnibox - CVE-2018-6108: URL spoof in Omnibox - CVE-2018-6109: Incorrect handling of files by FileAPI - CVE-2018-6110: Incorrect handling of plaintext files via file:// - CVE-2018-6111: Heap-use-after-free in DevTools - CVE-2018-6112: Incorrect URL handling in DevTools - CVE-2018-6113: URL spoof in Navigation - CVE-2018-6114: CSP bypass - CVE-2018-6115: SmartScreen bypass in downloads - CVE-2018-6116: Incorrect low memory handling in WebAssembly - CVE-2018-6117: Confusing autofill settings - CVE-2017-11215: Use after free in Flash - CVE-2017-11225: Use after free in Flash - CVE-2018-6060: Use after free in Blink - CVE-2018-6061: Race condition in V8 - CVE-2018-6062: Heap buffer overflow in Skia - CVE-2018-6057: Incorrect permissions on shared memory - CVE-2018-6063: Incorrect permissions on shared memory - CVE-2018-6064: Type confusion in V8 - CVE-2018-6065: Integer overflow in V8 - CVE-2018-6066: Same Origin Bypass via canvas - CVE-2018-6067: Buffer overflow in Skia - CVE-2018-6068: Object lifecycle issues in Chrome Custom Tab - CVE-2018-6069: Stack buffer overflow in Skia - CVE-2018-6070: CSP bypass through extensions - CVE-2018-6071: Heap bufffer overflow in Skia - CVE-2018-6072: Integer overflow in PDFium - CVE-2018-6073: Heap bufffer overflow in WebGL - CVE-2018-6074: Mark-of-the-Web bypass - CVE-2018-6075: Overly permissive cross origin downloads - CVE-2018-6076: Incorrect handling of URL fragment identifiers in Blink - CVE-2018-6077: Timing attack using SVG filters - CVE-2018-6078: URL Spoof in OmniBox - CVE-2018-6079: Information disclosure via texture data in WebGL - CVE-2018-6080: Information disclosure in IPC call - CVE-2018-6081: XSS in interstitials - CVE-2018-6082: Circumvention of port blocking - CVE-2018-6083: Incorrect processing of AppManifests - CVE-2018-6121: Privilege Escalation in extensions - CVE-2018-6122: Type confusion in V8 - CVE-2018-6120: Heap buffer overflow in PDFium - bsc#1086124: Various fixes from internal audits, fuzzing and other initiatives This update also supports mitigation against the Spectre vulnerabilities: 'Strict site isolation' is disabled for most users and can be turned on via: chrome://flags/#enable-site-per-process This feature is undergoing a small percentage trial. Out out of the trial is possible via: chrome://flags/#site-isolation-trial-opt-out The following tracked packaging bug were fixed: - Chromium could not be installed from SUSE PackageHub 12 without having the SDK enabled (bsc#1070421) - Chromium could not be installed when libminizip1 was not available (bsc#1093031) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2018-436 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ E-Mail link for openSUSE-SU-2018:1175-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1084296 SUSE Bug 1084296 https://bugzilla.suse.com/1086124 SUSE Bug 1086124 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 https://bugzilla.suse.com/1091288 SUSE Bug 1091288 https://bugzilla.suse.com/1092272 SUSE Bug 1092272 https://bugzilla.suse.com/1092923 SUSE Bug 1092923 https://bugzilla.suse.com/1093031 SUSE Bug 1093031 https://www.suse.com/security/cve/CVE-2017-11215/ SUSE CVE CVE-2017-11215 page https://www.suse.com/security/cve/CVE-2017-11225/ SUSE CVE CVE-2017-11225 page https://www.suse.com/security/cve/CVE-2018-6057/ SUSE CVE CVE-2018-6057 page https://www.suse.com/security/cve/CVE-2018-6060/ SUSE CVE CVE-2018-6060 page https://www.suse.com/security/cve/CVE-2018-6061/ SUSE CVE CVE-2018-6061 page https://www.suse.com/security/cve/CVE-2018-6062/ SUSE CVE CVE-2018-6062 page https://www.suse.com/security/cve/CVE-2018-6063/ SUSE CVE CVE-2018-6063 page https://www.suse.com/security/cve/CVE-2018-6064/ SUSE CVE CVE-2018-6064 page https://www.suse.com/security/cve/CVE-2018-6065/ SUSE CVE CVE-2018-6065 page https://www.suse.com/security/cve/CVE-2018-6066/ SUSE CVE CVE-2018-6066 page https://www.suse.com/security/cve/CVE-2018-6067/ SUSE CVE CVE-2018-6067 page https://www.suse.com/security/cve/CVE-2018-6068/ SUSE CVE CVE-2018-6068 page https://www.suse.com/security/cve/CVE-2018-6069/ SUSE CVE CVE-2018-6069 page https://www.suse.com/security/cve/CVE-2018-6070/ SUSE CVE CVE-2018-6070 page https://www.suse.com/security/cve/CVE-2018-6071/ SUSE CVE CVE-2018-6071 page https://www.suse.com/security/cve/CVE-2018-6072/ SUSE CVE CVE-2018-6072 page https://www.suse.com/security/cve/CVE-2018-6073/ SUSE CVE CVE-2018-6073 page https://www.suse.com/security/cve/CVE-2018-6074/ SUSE CVE CVE-2018-6074 page https://www.suse.com/security/cve/CVE-2018-6075/ SUSE CVE CVE-2018-6075 page https://www.suse.com/security/cve/CVE-2018-6076/ SUSE CVE CVE-2018-6076 page https://www.suse.com/security/cve/CVE-2018-6077/ SUSE CVE CVE-2018-6077 page https://www.suse.com/security/cve/CVE-2018-6078/ SUSE CVE CVE-2018-6078 page https://www.suse.com/security/cve/CVE-2018-6079/ SUSE CVE CVE-2018-6079 page https://www.suse.com/security/cve/CVE-2018-6080/ SUSE CVE CVE-2018-6080 page https://www.suse.com/security/cve/CVE-2018-6081/ SUSE CVE CVE-2018-6081 page https://www.suse.com/security/cve/CVE-2018-6082/ SUSE CVE CVE-2018-6082 page https://www.suse.com/security/cve/CVE-2018-6083/ SUSE CVE CVE-2018-6083 page https://www.suse.com/security/cve/CVE-2018-6085/ SUSE CVE CVE-2018-6085 page https://www.suse.com/security/cve/CVE-2018-6086/ SUSE CVE CVE-2018-6086 page https://www.suse.com/security/cve/CVE-2018-6087/ SUSE CVE CVE-2018-6087 page https://www.suse.com/security/cve/CVE-2018-6088/ SUSE CVE CVE-2018-6088 page https://www.suse.com/security/cve/CVE-2018-6089/ SUSE CVE CVE-2018-6089 page https://www.suse.com/security/cve/CVE-2018-6090/ SUSE CVE CVE-2018-6090 page https://www.suse.com/security/cve/CVE-2018-6091/ SUSE CVE CVE-2018-6091 page https://www.suse.com/security/cve/CVE-2018-6092/ SUSE CVE CVE-2018-6092 page https://www.suse.com/security/cve/CVE-2018-6093/ SUSE CVE CVE-2018-6093 page https://www.suse.com/security/cve/CVE-2018-6094/ SUSE CVE CVE-2018-6094 page https://www.suse.com/security/cve/CVE-2018-6095/ SUSE CVE CVE-2018-6095 page https://www.suse.com/security/cve/CVE-2018-6096/ SUSE CVE CVE-2018-6096 page https://www.suse.com/security/cve/CVE-2018-6097/ SUSE CVE CVE-2018-6097 page https://www.suse.com/security/cve/CVE-2018-6098/ SUSE CVE CVE-2018-6098 page https://www.suse.com/security/cve/CVE-2018-6099/ SUSE CVE CVE-2018-6099 page https://www.suse.com/security/cve/CVE-2018-6100/ SUSE CVE CVE-2018-6100 page https://www.suse.com/security/cve/CVE-2018-6101/ SUSE CVE CVE-2018-6101 page https://www.suse.com/security/cve/CVE-2018-6102/ SUSE CVE CVE-2018-6102 page https://www.suse.com/security/cve/CVE-2018-6103/ SUSE CVE CVE-2018-6103 page https://www.suse.com/security/cve/CVE-2018-6104/ SUSE CVE CVE-2018-6104 page https://www.suse.com/security/cve/CVE-2018-6105/ SUSE CVE CVE-2018-6105 page https://www.suse.com/security/cve/CVE-2018-6106/ SUSE CVE CVE-2018-6106 page https://www.suse.com/security/cve/CVE-2018-6107/ SUSE CVE CVE-2018-6107 page https://www.suse.com/security/cve/CVE-2018-6108/ SUSE CVE CVE-2018-6108 page https://www.suse.com/security/cve/CVE-2018-6109/ SUSE CVE CVE-2018-6109 page https://www.suse.com/security/cve/CVE-2018-6110/ SUSE CVE CVE-2018-6110 page https://www.suse.com/security/cve/CVE-2018-6111/ SUSE CVE CVE-2018-6111 page https://www.suse.com/security/cve/CVE-2018-6112/ SUSE CVE CVE-2018-6112 page https://www.suse.com/security/cve/CVE-2018-6113/ SUSE CVE CVE-2018-6113 page https://www.suse.com/security/cve/CVE-2018-6114/ SUSE CVE CVE-2018-6114 page https://www.suse.com/security/cve/CVE-2018-6115/ SUSE CVE CVE-2018-6115 page https://www.suse.com/security/cve/CVE-2018-6116/ SUSE CVE CVE-2018-6116 page https://www.suse.com/security/cve/CVE-2018-6117/ SUSE CVE CVE-2018-6117 page https://www.suse.com/security/cve/CVE-2018-6118/ SUSE CVE CVE-2018-6118 page https://www.suse.com/security/cve/CVE-2018-6120/ SUSE CVE CVE-2018-6120 page https://www.suse.com/security/cve/CVE-2018-6121/ SUSE CVE CVE-2018-6121 page https://www.suse.com/security/cve/CVE-2018-6122/ SUSE CVE CVE-2018-6122 page SUSE Package Hub 12 SP2 chromedriver-66.0.3359.181-55.1 chromium-66.0.3359.181-55.1 chromedriver-66.0.3359.181-55.1 as a component of SUSE Package Hub 12 SP2 chromium-66.0.3359.181-55.1 as a component of SUSE Package Hub 12 SP2 An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the Primetime SDK. The mismatch between an old and a new object can provide an attacker with unintended memory access -- potentially leading to code corruption, control-flow hijack, or an information leak attack. Successful exploitation could lead to arbitrary code execution. CVE-2017-11215 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2017-11215.html CVE-2017-11215 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 An issue was discovered in Adobe Flash Player 27.0.0.183 and earlier versions. This vulnerability is an instance of a use after free vulnerability in the Primetime SDK metadata functionality. The mismatch between an old and a new object can provide an attacker with unintended memory access -- potentially leading to code corruption, control-flow hijack, or an information leak attack. Successful exploitation could lead to arbitrary code execution. CVE-2017-11225 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 10 AV:N/AC:L/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2017-11225.html CVE-2017-11225 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Lack of special casing of Android ashmem in Google Chrome prior to 65.0.3325.146 allowed a remote attacker who had compromised the renderer process to bypass inter-process read only guarantees via a crafted HTML page. CVE-2018-6057 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6057.html CVE-2018-6057 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Use after free in WebAudio in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-6060 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6060.html CVE-2018-6060 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 A race in the handling of SharedArrayBuffers in WebAssembly in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-6061 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6061.html CVE-2018-6061 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Heap overflow write in Skia in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. CVE-2018-6062 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6062.html CVE-2018-6062 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Incorrect use of mojo::WrapSharedMemoryHandle in Mojo in Google Chrome prior to 65.0.3325.146 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory write via a crafted HTML page. CVE-2018-6063 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6063.html CVE-2018-6063 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Type Confusion in the implementation of __defineGetter__ in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-6064 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6064.html CVE-2018-6064 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Integer overflow in computing the required allocation size when instantiating a new javascript object in V8 in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-6065 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6065.html CVE-2018-6065 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Lack of CORS checking by ResourceFetcher/ResourceLoader in Blink in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2018-6066 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6066.html CVE-2018-6066 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Incorrect IPC serialization in Skia in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-6067 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6067.html CVE-2018-6067 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Object lifecycle issue in Chrome Custom Tab in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. CVE-2018-6068 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6068.html CVE-2018-6068 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Stack buffer overflow in Skia in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2018-6069 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6069.html CVE-2018-6069 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Lack of CSP enforcement on WebUI pages in Bink in Google Chrome prior to 65.0.3325.146 allowed an attacker who convinced a user to install a malicious extension to bypass content security policy via a crafted Chrome Extension. CVE-2018-6070 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6070.html CVE-2018-6070 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 An integer overflow in Skia in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. CVE-2018-6071 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6071.html CVE-2018-6071 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 An integer overflow leading to use after free in PDFium in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file. CVE-2018-6072 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6072.html CVE-2018-6072 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 A heap buffer overflow in WebGL in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. CVE-2018-6073 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6073.html CVE-2018-6073 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Failure to apply Mark-of-the-Web in Downloads in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to bypass OS level controls via a crafted HTML page. CVE-2018-6074 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6074.html CVE-2018-6074 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Incorrect handling of specified filenames in file downloads in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to leak cross-origin data via a crafted HTML page and user interaction. CVE-2018-6075 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6075.html CVE-2018-6075 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Insufficient encoding of URL fragment identifiers in Blink in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to perform a DOM based XSS attack via a crafted HTML page. CVE-2018-6076 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6076.html CVE-2018-6076 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Displacement map filters being applied to cross-origin images in Blink SVG rendering in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2018-6077 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6077.html CVE-2018-6077 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Incorrect handling of confusable characters in Omnibox in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. CVE-2018-6078 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6078.html CVE-2018-6078 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Inappropriate sharing of TEXTURE_2D_ARRAY/TEXTURE_3D data between tabs in WebGL in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2018-6079 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6079.html CVE-2018-6079 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Lack of access control checks in Instrumentation in Google Chrome prior to 65.0.3325.146 allowed a remote attacker who had compromised the renderer process to obtain memory metadata from privileged processes . CVE-2018-6080 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6080.html CVE-2018-6080 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 XSS vulnerabilities in Interstitials in Google Chrome prior to 65.0.3325.146 allowed an attacker who convinced a user to install a malicious extension or open Developer Console to inject arbitrary scripts or HTML via a crafted HTML page. CVE-2018-6081 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6081.html CVE-2018-6081 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Including port 22 in the list of allowed FTP ports in Networking in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to potentially enumerate internal host services via a crafted HTML page. CVE-2018-6082 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6082.html CVE-2018-6082 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Failure to disallow PWA installation from CSP sandboxed pages in AppManifest in Google Chrome prior to 65.0.3325.146 allowed a remote attacker to access privileged APIs via a crafted HTML page. CVE-2018-6083 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6083.html CVE-2018-6083 https://bugzilla.suse.com/1084296 SUSE Bug 1084296 Re-entry of a destructor in Networking Disk Cache in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page. CVE-2018-6085 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6085.html CVE-2018-6085 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 A double-eviction in the Incognito mode cache that lead to a user-after-free in Networking Disk Cache in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page. CVE-2018-6086 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6086.html CVE-2018-6086 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 A use-after-free in WebAssembly in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. CVE-2018-6087 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6087.html CVE-2018-6087 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 An iterator-invalidation bug in PDFium in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. CVE-2018-6088 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6088.html CVE-2018-6088 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 A lack of CORS checks, after a Service Worker redirected to a cross-origin PDF, in Service Worker in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak limited cross-origin data via a crafted HTML page. CVE-2018-6089 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6089.html CVE-2018-6089 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 An integer overflow that lead to a heap buffer-overflow in Skia in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. CVE-2018-6090 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6090.html CVE-2018-6090 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Service Workers can intercept any request made by an <embed> or <object> tag in Fetch API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2018-6091 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6091.html CVE-2018-6091 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 An integer overflow on 32-bit systems in WebAssembly in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. CVE-2018-6092 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6092.html CVE-2018-6092 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Insufficient origin checks in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2018-6093 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6093.html CVE-2018-6093 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Inline metadata in GarbageCollection in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-6094 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6094.html CVE-2018-6094 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Inappropriate dismissal of file picker on keyboard events in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to read local files via a crafted HTML page. CVE-2018-6095 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6095.html CVE-2018-6095 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 A JavaScript focused window could overlap the fullscreen notification in Fullscreen in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obscure the full screen warning via a crafted HTML page. CVE-2018-6096 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6096.html CVE-2018-6096 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Incorrect handling of asynchronous methods in Fullscreen in Google Chrome on macOS prior to 66.0.3359.117 allowed a remote attacker to enter full screen without showing a warning via a crafted HTML page. CVE-2018-6097 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6097.html CVE-2018-6097 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. CVE-2018-6098 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6098.html CVE-2018-6098 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 A lack of CORS checks in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to leak limited cross-origin data via a crafted HTML page. CVE-2018-6099 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6099.html CVE-2018-6099 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Incorrect handling of confusable characters in URL Formatter in Google Chrome on macOS prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. CVE-2018-6100 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6100.html CVE-2018-6100 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 A lack of host validation in DevTools in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to execute arbitrary code via a crafted HTML page, if the user is running a remote DevTools debugging server. CVE-2018-6101 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6101.html CVE-2018-6101 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Missing confusable characters in Internationalization in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted domain name. CVE-2018-6102 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6102.html CVE-2018-6102 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 A stagnant permission prompt in Prompts in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass permission policy via a crafted HTML page. CVE-2018-6103 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6103.html CVE-2018-6103 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. CVE-2018-6104 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6104.html CVE-2018-6104 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Incorrect handling of confusable characters in Omnibox in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. CVE-2018-6105 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6105.html CVE-2018-6105 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 An asynchronous generator may return an incorrect state in V8 in Google Chrome prior to 66.0.3359.117 allowing a remote attacker to potentially exploit object corruption via a crafted HTML page. CVE-2018-6106 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6106.html CVE-2018-6106 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. CVE-2018-6107 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6107.html CVE-2018-6107 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Incorrect handling of confusable characters in URL Formatter in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted HTML page. CVE-2018-6108 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6108.html CVE-2018-6108 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 readAsText() can indefinitely read the file picked by the user, rather than only once at the time the file is picked in File API in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to access data on the user file system without explicit consent via a crafted HTML page. CVE-2018-6109 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6109.html CVE-2018-6109 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Parsing documents as HTML in Downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to cause Chrome to execute scripts via a local non-HTML page. CVE-2018-6110 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6110.html CVE-2018-6110 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 An object lifetime issue in the developer tools network handler in Google Chrome prior to 66.0.3359.117 allowed a local attacker to execute arbitrary code via a crafted HTML page. CVE-2018-6111 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6111.html CVE-2018-6111 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Making URLs clickable and allowing them to be styled in DevTools in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. CVE-2018-6112 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6112.html CVE-2018-6112 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Improper handling of pending navigation entries in Navigation in Google Chrome on iOS prior to 66.0.3359.117 allowed a remote attacker to perform domain spoofing via a crafted HTML page. CVE-2018-6113 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6113.html CVE-2018-6113 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Incorrect enforcement of CSP for <object> tags in Blink in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to bypass content security policy via a crafted HTML page. CVE-2018-6114 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6114.html CVE-2018-6114 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Inappropriate setting of the SEE_MASK_FLAG_NO_UI flag in file downloads in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to potentially bypass OS malware checks via a crafted HTML page. CVE-2018-6115 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6115.html CVE-2018-6115 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 A nullptr dereference in WebAssembly in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. CVE-2018-6116 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6116.html CVE-2018-6116 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 Confusing settings in Autofill in Google Chrome prior to 66.0.3359.117 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. CVE-2018-6117 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6117.html CVE-2018-6117 https://bugzilla.suse.com/1090000 SUSE Bug 1090000 A double-eviction in the Incognito mode cache that lead to a user-after-free in cache in Google Chrome prior to 66.0.3359.139 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. CVE-2018-6118 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6118.html CVE-2018-6118 https://bugzilla.suse.com/1091288 SUSE Bug 1091288 An integer overflow that could lead to an attacker-controlled heap out-of-bounds write in PDFium in Google Chrome prior to 66.0.3359.170 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. CVE-2018-6120 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6120.html CVE-2018-6120 https://bugzilla.suse.com/1092923 SUSE Bug 1092923 Insufficient validation of input in Blink in Google Chrome prior to 66.0.3359.170 allowed a remote attacker to perform privilege escalation via a crafted HTML page. CVE-2018-6121 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6121.html CVE-2018-6121 https://bugzilla.suse.com/1092923 SUSE Bug 1092923 Type confusion in WebAssembly in Google Chrome prior to 66.0.3359.139 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2018-6122 SUSE Package Hub 12 SP2:chromedriver-66.0.3359.181-55.1 SUSE Package Hub 12 SP2:chromium-66.0.3359.181-55.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ/#IDH7ZAFKSWX2J7H7ULZFAVM7KUQXQHZZ https://www.suse.com/security/cve/CVE-2018-6122.html CVE-2018-6122 https://bugzilla.suse.com/1092923 SUSE Bug 1092923