-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Important: chromium-browser security update Advisory ID: RHSA-2019:1021-01 Product: Red Hat Enterprise Linux Supplementary Advisory URL: https://access.redhat.com/errata/RHSA-2019:1021 Issue date: 2019-05-07 CVE Names: CVE-2019-5805 CVE-2019-5806 CVE-2019-5807 CVE-2019-5808 CVE-2019-5809 CVE-2019-5810 CVE-2019-5811 CVE-2019-5813 CVE-2019-5814 CVE-2019-5815 CVE-2019-5818 CVE-2019-5819 CVE-2019-5820 CVE-2019-5821 CVE-2019-5822 CVE-2019-5823 ==================================================================== 1. Summary: An update for chromium-browser is now available for Red Hat Enterprise Linux 6 Supplementary. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, i686, x86_64 Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - i686, x86_64 Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, i686, x86_64 Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, i686, x86_64 3. Description: Chromium is an open-source web browser, powered by WebKit (Blink). This update upgrades Chromium to version 74.0.3729.108. Security Fix(es): * chromium-browser: Use after free in PDFium (CVE-2019-5805) * chromium-browser: Integer overflow in Angle (CVE-2019-5806) * chromium-browser: Memory corruption in V8 (CVE-2019-5807) * chromium-browser: Use after free in Blink (CVE-2019-5808) * chromium-browser: Use after free in Blink (CVE-2019-5809) * chromium-browser: User information disclosure in Autofill (CVE-2019-5810) * chromium-browser: CORS bypass in Blink (CVE-2019-5811) * chromium-browser: Out of bounds read in V8 (CVE-2019-5813) * chromium-browser: CORS bypass in Blink (CVE-2019-5814) * chromium-browser: Heap buffer overflow in Blink (CVE-2019-5815) * chromium-browser: Uninitialized value in media reader (CVE-2019-5818) * chromium-browser: Incorrect escaping in developer tools (CVE-2019-5819) * chromium-browser: Integer overflow in PDFium (CVE-2019-5820) * chromium-browser: Integer overflow in PDFium (CVE-2019-5821) * chromium-browser: CORS bypass in download manager (CVE-2019-5822) * chromium-browser: Forced navigation from service worker (CVE-2019-5823) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 After installing the update, Chromium must be restarted for the changes to take effect. 5. Bugs fixed (https://bugzilla.redhat.com/): 1702895 - CVE-2019-5805 chromium-browser: Use after free in PDFium 1702896 - CVE-2019-5806 chromium-browser: Integer overflow in Angle 1702897 - CVE-2019-5807 chromium-browser: Memory corruption in V8 1702898 - CVE-2019-5808 chromium-browser: Use after free in Blink 1702899 - CVE-2019-5809 chromium-browser: Use after free in Blink 1702900 - CVE-2019-5810 chromium-browser: User information disclosure in Autofill 1702901 - CVE-2019-5811 chromium-browser: CORS bypass in Blink 1702903 - CVE-2019-5813 chromium-browser: Out of bounds read in V8 1702904 - CVE-2019-5814 chromium-browser: CORS bypass in Blink 1702905 - CVE-2019-5815 chromium-browser: Heap buffer overflow in Blink 1702908 - CVE-2019-5818 chromium-browser: Uninitialized value in media reader 1702909 - CVE-2019-5819 chromium-browser: Incorrect escaping in developer tools 1702910 - CVE-2019-5820 chromium-browser: Integer overflow in PDFium 1702911 - CVE-2019-5821 chromium-browser: Integer overflow in PDFium 1702912 - CVE-2019-5822 chromium-browser: CORS bypass in download manager 1702913 - CVE-2019-5823 chromium-browser: Forced navigation from service worker 6. Package List: Red Hat Enterprise Linux Desktop Supplementary (v. 6): i386: chromium-browser-74.0.3729.108-1.el6_10.i686.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.i686.rpm i686: chromium-browser-74.0.3729.108-1.el6_10.i686.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.i686.rpm x86_64: chromium-browser-74.0.3729.108-1.el6_10.x86_64.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.x86_64.rpm Red Hat Enterprise Linux HPC Node Supplementary (v. 6): i686: chromium-browser-74.0.3729.108-1.el6_10.i686.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.i686.rpm x86_64: chromium-browser-74.0.3729.108-1.el6_10.x86_64.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Server Supplementary (v. 6): i386: chromium-browser-74.0.3729.108-1.el6_10.i686.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.i686.rpm i686: chromium-browser-74.0.3729.108-1.el6_10.i686.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.i686.rpm x86_64: chromium-browser-74.0.3729.108-1.el6_10.x86_64.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.x86_64.rpm Red Hat Enterprise Linux Workstation Supplementary (v. 6): i386: chromium-browser-74.0.3729.108-1.el6_10.i686.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.i686.rpm i686: chromium-browser-74.0.3729.108-1.el6_10.i686.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.i686.rpm x86_64: chromium-browser-74.0.3729.108-1.el6_10.x86_64.rpm chromium-browser-debuginfo-74.0.3729.108-1.el6_10.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2019-5805 https://access.redhat.com/security/cve/CVE-2019-5806 https://access.redhat.com/security/cve/CVE-2019-5807 https://access.redhat.com/security/cve/CVE-2019-5808 https://access.redhat.com/security/cve/CVE-2019-5809 https://access.redhat.com/security/cve/CVE-2019-5810 https://access.redhat.com/security/cve/CVE-2019-5811 https://access.redhat.com/security/cve/CVE-2019-5813 https://access.redhat.com/security/cve/CVE-2019-5814 https://access.redhat.com/security/cve/CVE-2019-5815 https://access.redhat.com/security/cve/CVE-2019-5818 https://access.redhat.com/security/cve/CVE-2019-5819 https://access.redhat.com/security/cve/CVE-2019-5820 https://access.redhat.com/security/cve/CVE-2019-5821 https://access.redhat.com/security/cve/CVE-2019-5822 https://access.redhat.com/security/cve/CVE-2019-5823 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://access.redhat.com/security/team/contact/ Copyright 2019 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBXNG8V9zjgjWX9erEAQhAVw//RPjSkutsoyCC9g52XBNFShE39vmiNqRP wCmFCnIpzu+Cho5lpv5l21HckCVkwWoVsrQkhVgcGfd/aNI29f+mywCbEWYnwg/R aawOwBW40hEgTO2l+uSTWpC76KJnph2+jWnswVuH2PdqtoKX6RMoa9XXIBCtLZsd peudt7ICLtiS2LWrkFe9imBdMokFFLYKF6zmZn8dPOUy/AAB+NA3XWI0u1QfqY9O dXscTFoUeiR65JjIU+oIOs3l0F8G/gBvUYMxEMq+4dP6VXj4c/Tp9OkLGjC/ZQ3m lJ83V9fD/q516qiX8+Ja4cw/qNpD+H7Y3J3AlgraZTyaeaO2P7IxGdi4fsLS8Zc7 nWC5X+ceFrZISIcN1WCzo1Vyks6YZqs/qYYdVlTPwpcbCTYQEtUKFC6b78BhDuga qPN9BQGwKDtxhprFxNUyNWsStff62qpdEyvW9l6du0kzAmYXhtCEFMsLG8DMMEqR uUPFwOTSER8fmk+QLcSrAeu+lHVdx2fkZCPSN9s8L9Ipl341QyxSg3flYCxISvLe uoGbtowpVchMOb4xbUHwkPHU2pLMXWT4zM2UuZR6OrDbfKpIgdiSiHIdep7ryCWR WZX7Ynzx2uKDgjpRxsCiTOCqqRGrjaoMCGYvF+jdKXaAJOG7ZBqKU1bejbzv1vk5 VpNBSOgtXqk=G+CI -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce