SUSE 5008 Published by

The following updates has been released for openSUSE Leap 42.3:

openSUSE-SU-2018:1038-1: important: Security update for cfitsio
openSUSE-SU-2018:1042-1: important: Security update for chromium



openSUSE-SU-2018:1038-1: important: Security update for cfitsio

openSUSE Security Update: Security update for cfitsio
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1038-1
Rating: important
References: #1082318 #1088590
Cross-References: CVE-2018-1000166
Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that solves one vulnerability and has one errata
is now available.

Description:

This update for cfitsio fixes the following issues:

Security issues fixed:

- CVE-2018-1000166: Unsafe use of sprintf() can allow a remote
unauthenticated attacker to execute arbitrary code (boo#1088590)

This update to version 3.430 also contains a number of upstream bug fixes.

The following tracked packaging changes are included:

- boo#1082318: package licence text as license, not as documentation


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-383=1



Package List:

- openSUSE Leap 42.3 (i586 x86_64):

cfitsio-3.430-4.3.1
cfitsio-debuginfo-3.430-4.3.1
cfitsio-debugsource-3.430-4.3.1
cfitsio-devel-3.430-4.3.1
cfitsio-devel-doc-3.430-4.3.1
libcfitsio5-3.430-4.3.1
libcfitsio5-debuginfo-3.430-4.3.1


References:

https://www.suse.com/security/cve/CVE-2018-1000166.html
https://bugzilla.suse.com/1082318
https://bugzilla.suse.com/1088590

openSUSE-SU-2018:1042-1: important: Security update for chromium

openSUSE Security Update: Security update for chromium
______________________________________________________________________________

Announcement ID: openSUSE-SU-2018:1042-1
Rating: important
References: #1086199 #1090000
Cross-References: CVE-2018-6085 CVE-2018-6086 CVE-2018-6087
CVE-2018-6088 CVE-2018-6089 CVE-2018-6090
CVE-2018-6091 CVE-2018-6092 CVE-2018-6093
CVE-2018-6094 CVE-2018-6095 CVE-2018-6096
CVE-2018-6097 CVE-2018-6098 CVE-2018-6099
CVE-2018-6100 CVE-2018-6101 CVE-2018-6102
CVE-2018-6103 CVE-2018-6104 CVE-2018-6105
CVE-2018-6106 CVE-2018-6107 CVE-2018-6108
CVE-2018-6109 CVE-2018-6110 CVE-2018-6111
CVE-2018-6112 CVE-2018-6113 CVE-2018-6114
CVE-2018-6115 CVE-2018-6116 CVE-2018-6117

Affected Products:
openSUSE Leap 42.3
______________________________________________________________________________

An update that fixes 33 vulnerabilities is now available.

Description:

This update for Chromium to version 66.0.3359.117 fixes the following
issues:

Security issues fixed (boo#1090000):

- CVE-2018-6085: Use after free in Disk Cache
- CVE-2018-6086: Use after free in Disk Cache
- CVE-2018-6087: Use after free in WebAssembly
- CVE-2018-6088: Use after free in PDFium
- CVE-2018-6089: Same origin policy bypass in Service Worker
- CVE-2018-6090: Heap buffer overflow in Skia
- CVE-2018-6091: Incorrect handling of plug-ins by Service Worker
- CVE-2018-6092: Integer overflow in WebAssembly
- CVE-2018-6093: Same origin bypass in Service Worker
- CVE-2018-6094: Exploit hardening regression in Oilpan
- CVE-2018-6095: Lack of meaningful user interaction requirement before
file upload
- CVE-2018-6096: Fullscreen UI spoof
- CVE-2018-6097: Fullscreen UI spoof
- CVE-2018-6098: URL spoof in Omnibox
- CVE-2018-6099: CORS bypass in ServiceWorker
- CVE-2018-6100: URL spoof in Omnibox
- CVE-2018-6101: Insufficient protection of remote debugging prototol in
DevTools
- CVE-2018-6102: URL spoof in Omnibox
- CVE-2018-6103: UI spoof in Permissions
- CVE-2018-6104: URL spoof in Omnibox
- CVE-2018-6105: URL spoof in Omnibox
- CVE-2018-6106: Incorrect handling of promises in V8
- CVE-2018-6107: URL spoof in Omnibox
- CVE-2018-6108: URL spoof in Omnibox
- CVE-2018-6109: Incorrect handling of files by FileAPI
- CVE-2018-6110: Incorrect handling of plaintext files via file://
- CVE-2018-6111: Heap-use-after-free in DevTools
- CVE-2018-6112: Incorrect URL handling in DevTools
- CVE-2018-6113: URL spoof in Navigation
- CVE-2018-6114: CSP bypass
- CVE-2018-6115: SmartScreen bypass in downloads
- CVE-2018-6116: Incorrect low memory handling in WebAssembly
- CVE-2018-6117: Confusing autofill settings
- Various fixes from internal audits, fuzzing and other initiatives

This update also supports mitigation against the Spectre vulnerabilities:
"Strict site isolation" is disabled for most users and can be turned on
via: chrome://flags/#enable-site-per-process This feature is undergoing a
small percentage trial. Out out of the trial is possible via:
chrome://flags/#site-isolation-trial-opt-out

The following other changes are included:

- distrust certificates issued by Symantec before 2016-06-01
- add option to export saved passwords
- Reduce videos that auto-play with sound
- boo#1086199: Fix UI freezing when loading/scaling down large images

This update also contains a number of upstream bug fixes and improvements.


Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.3:

zypper in -t patch openSUSE-2018-381=1



Package List:

- openSUSE Leap 42.3 (x86_64):

chromedriver-66.0.3359.117-152.1
chromedriver-debuginfo-66.0.3359.117-152.1
chromium-66.0.3359.117-152.1
chromium-debuginfo-66.0.3359.117-152.1
chromium-debugsource-66.0.3359.117-152.1


References:

https://www.suse.com/security/cve/CVE-2018-6085.html
https://www.suse.com/security/cve/CVE-2018-6086.html
https://www.suse.com/security/cve/CVE-2018-6087.html
https://www.suse.com/security/cve/CVE-2018-6088.html
https://www.suse.com/security/cve/CVE-2018-6089.html
https://www.suse.com/security/cve/CVE-2018-6090.html
https://www.suse.com/security/cve/CVE-2018-6091.html
https://www.suse.com/security/cve/CVE-2018-6092.html
https://www.suse.com/security/cve/CVE-2018-6093.html
https://www.suse.com/security/cve/CVE-2018-6094.html
https://www.suse.com/security/cve/CVE-2018-6095.html
https://www.suse.com/security/cve/CVE-2018-6096.html
https://www.suse.com/security/cve/CVE-2018-6097.html
https://www.suse.com/security/cve/CVE-2018-6098.html
https://www.suse.com/security/cve/CVE-2018-6099.html
https://www.suse.com/security/cve/CVE-2018-6100.html
https://www.suse.com/security/cve/CVE-2018-6101.html
https://www.suse.com/security/cve/CVE-2018-6102.html
https://www.suse.com/security/cve/CVE-2018-6103.html
https://www.suse.com/security/cve/CVE-2018-6104.html
https://www.suse.com/security/cve/CVE-2018-6105.html
https://www.suse.com/security/cve/CVE-2018-6106.html
https://www.suse.com/security/cve/CVE-2018-6107.html
https://www.suse.com/security/cve/CVE-2018-6108.html
https://www.suse.com/security/cve/CVE-2018-6109.html
https://www.suse.com/security/cve/CVE-2018-6110.html
https://www.suse.com/security/cve/CVE-2018-6111.html
https://www.suse.com/security/cve/CVE-2018-6112.html
https://www.suse.com/security/cve/CVE-2018-6113.html
https://www.suse.com/security/cve/CVE-2018-6114.html
https://www.suse.com/security/cve/CVE-2018-6115.html
https://www.suse.com/security/cve/CVE-2018-6116.html
https://www.suse.com/security/cve/CVE-2018-6117.html
https://bugzilla.suse.com/1086199
https://bugzilla.suse.com/1090000