-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: chromium-browser security update Advisory ID: RHSA-2020:1270-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://access.redhat.com/errata/RHSA-2020:1270 Issue date: 2020-04-01 CVE Names: CVE-2019-20503 CVE-2020-6422 CVE-2020-6424 CVE-2020-6425 CVE-2020-6426 CVE-2020-6427 CVE-2020-6428 CVE-2020-6429 CVE-2020-6449 ==================================================================== 1. Summary: An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, i686, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - i686, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, i686, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, i686, x86_64 3. Description: Chromium is an open-source web browser, powered by WebKit (Blink). This update upgrades Chromium to version 80.0.3987.149. Security Fix(es): * chromium-browser: Use after free in WebGL (CVE-2020-6422) * chromium-browser: Use after free in media (CVE-2020-6424) * chromium-browser: Insufficient policy enforcement in extensions (CVE-2020-6425) * chromium-browser: Inappropriate implementation in V8 (CVE-2020-6426) * chromium-browser: Use after free in audio (CVE-2020-6427) * chromium-browser: Use after free in audio (CVE-2020-6428) * chromium-browser: Use after free in audio (CVE-2020-6429) * chromium-browser: Use after free in audio (CVE-2020-6449) * usrsctp: Out of bounds reads in sctp_load_addresses_from_init() (CVE-2019-20503) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Chromium must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1812203 - CVE-2019-20503 usrsctp: Out of bounds reads in sctp_load_addresses_from_init() 1815241 - CVE-2020-6424 chromium-browser: Use after free in media 1815242 - CVE-2020-6425 chromium-browser: Insufficient policy enforcement in extensions 1815243 - CVE-2020-6426 chromium-browser: Inappropriate implementation in V8 1815244 - CVE-2020-6427 chromium-browser: Use after free in audio 1815245 - CVE-2020-6428 chromium-browser: Use after free in audio 1815247 - CVE-2020-6429 chromium-browser: Use after free in audio 1815248 - CVE-2020-6449 chromium-browser: Use after free in audio 1815259 - CVE-2020-6422 chromium-browser: Use after free in WebGL 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: chromium-browser-80.0.3987.149-1.el6_10.i686.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.i686.rpm i686: chromium-browser-80.0.3987.149-1.el6_10.i686.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.i686.rpm x86_64: chromium-browser-80.0.3987.149-1.el6_10.x86_64.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): i686: chromium-browser-80.0.3987.149-1.el6_10.i686.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.i686.rpm x86_64: chromium-browser-80.0.3987.149-1.el6_10.x86_64.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: chromium-browser-80.0.3987.149-1.el6_10.i686.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.i686.rpm i686: chromium-browser-80.0.3987.149-1.el6_10.i686.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.i686.rpm x86_64: chromium-browser-80.0.3987.149-1.el6_10.x86_64.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: chromium-browser-80.0.3987.149-1.el6_10.i686.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.i686.rpm i686: chromium-browser-80.0.3987.149-1.el6_10.i686.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.i686.rpm x86_64: chromium-browser-80.0.3987.149-1.el6_10.x86_64.rpm chromium-browser-debuginfo-80.0.3987.149-1.el6_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-20503 https://access.redhat.com/security/cve/CVE-2020-6422 https://access.redhat.com/security/cve/CVE-2020-6424 https://access.redhat.com/security/cve/CVE-2020-6425 https://access.redhat.com/security/cve/CVE-2020-6426 https://access.redhat.com/security/cve/CVE-2020-6427 https://access.redhat.com/security/cve/CVE-2020-6428 https://access.redhat.com/security/cve/CVE-2020-6429 https://access.redhat.com/security/cve/CVE-2020-6449 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXoRlONzjgjWX9erEAQglHA/+MucJ5We/todVAR7WaCs0Q8tgBi+eYVb7 MQQZEbeg7S/4SdfzWzuF11JeeVppeBiO+bowWoAd1xdgsjX9qphUWICuJFb8aZiL L+nWGjw+dcaHfxY2P82GOp2oFlg5xwbeZwtCdbWmNBzdBFIc4rvKYfr4shKrG4rK 1b/TGpwCH4oYuD4SQeejU4lbATRZz5Csc79e26eAwpDqIx2mM/W+ytSuF8UezGPv Hak0HfUs3/LIStUnCaaDwsWic+XnmgBwxkgOAaFWXw2psqNuINl39ALUKXox/sqR +oBbeTiCpOIftrJcFcIb+eamT2Q56NJWhbKPfbFnIf8LaHVG0M3MTTU4M8ukZ7Xf 88PNalzDQwb4rBU8htJqslvOgJCsgTLw7zotSHy5JPl+eDY8d9d6vLmEsfTsFECH /nYFU2KdeO0zfsQeIJDlpfT1tRpX7Hzbcjeuqz9Vg4/Ysu1mRkJLU7ip2CCS6pR/ M34kyJKQeUyzP6+H1Z9BWAwH5WAmaK7vq3F1SNQmcPUQUGB/mE/9JO0hv4cw0K+v nSROUQBElG1z2y44no5mwcjV5WWQvnx1Lv6OWGa4qn5GVZPcv3v0Knsu8DkYLu9p nV4Jty1pvBlcXE99vDyXDqmzslD+0pdTYwLq9QdcpR+kLUMIjCJ8tVbguVAFyEwS cZHG9ojAB2o=ZuB2 -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce