Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1306-1 Final 1 1 2020-08-31T16:23:00Z current 2020-08-31T16:23:00Z 2020-08-31T16:23:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium This update for chromium fixes the following issues: Chromium was updated to version 85.0.4183.83 (boo#1175757) fixing: - CVE-2020-6558: Insufficient policy enforcement in iOS - CVE-2020-6559: Use after free in presentation API - CVE-2020-6560: Insufficient policy enforcement in autofill - CVE-2020-6561: Inappropriate implementation in Content Security Policy - CVE-2020-6562: Insufficient policy enforcement in Blink - CVE-2020-6563: Insufficient policy enforcement in intent handling. - CVE-2020-6564: Incorrect security UI in permissions - CVE-2020-6565: Incorrect security UI in Omnibox. - CVE-2020-6566: Insufficient policy enforcement in media. - CVE-2020-6567: Insufficient validation of untrusted input in command line handling. - CVE-2020-6568: Insufficient policy enforcement in intent handling. - CVE-2020-6569: Integer overflow in WebUSB. - CVE-2020-6570: Side-channel information leakage in WebRTC. - CVE-2020-6571: Incorrect security UI in Omnibox. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1306 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ E-Mail link for openSUSE-SU-2020:1306-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1175757 SUSE Bug 1175757 https://www.suse.com/security/cve/CVE-2020-6558/ SUSE CVE CVE-2020-6558 page https://www.suse.com/security/cve/CVE-2020-6559/ SUSE CVE CVE-2020-6559 page https://www.suse.com/security/cve/CVE-2020-6560/ SUSE CVE CVE-2020-6560 page https://www.suse.com/security/cve/CVE-2020-6561/ SUSE CVE CVE-2020-6561 page https://www.suse.com/security/cve/CVE-2020-6562/ SUSE CVE CVE-2020-6562 page https://www.suse.com/security/cve/CVE-2020-6563/ SUSE CVE CVE-2020-6563 page https://www.suse.com/security/cve/CVE-2020-6564/ SUSE CVE CVE-2020-6564 page https://www.suse.com/security/cve/CVE-2020-6565/ SUSE CVE CVE-2020-6565 page https://www.suse.com/security/cve/CVE-2020-6566/ SUSE CVE CVE-2020-6566 page https://www.suse.com/security/cve/CVE-2020-6567/ SUSE CVE CVE-2020-6567 page https://www.suse.com/security/cve/CVE-2020-6568/ SUSE CVE CVE-2020-6568 page https://www.suse.com/security/cve/CVE-2020-6569/ SUSE CVE CVE-2020-6569 page https://www.suse.com/security/cve/CVE-2020-6570/ SUSE CVE CVE-2020-6570 page https://www.suse.com/security/cve/CVE-2020-6571/ SUSE CVE CVE-2020-6571 page openSUSE Leap 15.2 chromedriver-85.0.4183.69-lp152.2.20.1 chromium-85.0.4183.69-lp152.2.20.1 chromedriver-85.0.4183.69-lp152.2.20.1 as a component of openSUSE Leap 15.2 chromium-85.0.4183.69-lp152.2.20.1 as a component of openSUSE Leap 15.2 Insufficient policy enforcement in iOSWeb in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. CVE-2020-6558 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6558.html CVE-2020-6558 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Use after free in presentation API in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6559 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6559.html CVE-2020-6559 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Insufficient policy enforcement in autofill in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2020-6560 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6560.html CVE-2020-6560 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Inappropriate implementation in Content Security Policy in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2020-6561 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6561.html CVE-2020-6561 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Insufficient policy enforcement in Blink in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2020-6562 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6562.html CVE-2020-6562 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Insufficient policy enforcement in intent handling in Google Chrome on Android prior to 85.0.4183.83 allowed a remote attacker to obtain potentially sensitive information from disk via a crafted HTML page. CVE-2020-6563 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6563.html CVE-2020-6563 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Inappropriate implementation in permissions in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of a permission dialog via a crafted HTML page. CVE-2020-6564 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6564.html CVE-2020-6564 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Inappropriate implementation in Omnibox in Google Chrome on iOS prior to 85.0.4183.83 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. CVE-2020-6565 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6565.html CVE-2020-6565 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Insufficient policy enforcement in media in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to leak cross-origin data via a crafted HTML page. CVE-2020-6566 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6566.html CVE-2020-6566 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Insufficient validation of untrusted input in command line handling in Google Chrome on Windows prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. CVE-2020-6567 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6567.html CVE-2020-6567 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Insufficient policy enforcement in intent handling in Google Chrome on Android prior to 85.0.4183.83 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. CVE-2020-6568 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6568.html CVE-2020-6568 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Integer overflow in WebUSB in Google Chrome prior to 85.0.4183.83 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. CVE-2020-6569 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6569.html CVE-2020-6569 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Information leakage in WebRTC in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to obtain potentially sensitive information via a crafted WebRTC interaction. CVE-2020-6570 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6570.html CVE-2020-6570 https://bugzilla.suse.com/1175757 SUSE Bug 1175757 Insufficient data validation in Omnibox in Google Chrome prior to 85.0.4183.83 allowed a remote attacker to perform domain spoofing via IDN homographs via a crafted domain name. CVE-2020-6571 openSUSE Leap 15.2:chromedriver-85.0.4183.69-lp152.2.20.1 openSUSE Leap 15.2:chromium-85.0.4183.69-lp152.2.20.1 important 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LDVAE6GH5TJIGHPDXCFR6RPTV4U73WSD/ https://www.suse.com/security/cve/CVE-2020-6571.html CVE-2020-6571 https://bugzilla.suse.com/1175757 SUSE Bug 1175757