Security update for chromium SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:0337-1 Final 1 1 2024-10-18T13:29:47Z current 2024-10-18T13:29:47Z 2024-10-18T13:29:47Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for chromium This update for chromium fixes the following issues: Chromium 130.0.6723.58 (boo#1231694) * CVE-2024-9954: Use after free in AI * CVE-2024-9955: Use after free in Web Authentication * CVE-2024-9956: Inappropriate implementation in Web Authentication * CVE-2024-9957: Use after free in UI * CVE-2024-9958: Inappropriate implementation in PictureInPicture * CVE-2024-9959: Use after free in DevTools * CVE-2024-9960: Use after free in Dawn * CVE-2024-9961: Use after free in Parcel Tracking * CVE-2024-9962: Inappropriate implementation in Permissions * CVE-2024-9963: Insufficient data validation in Downloads * CVE-2024-9964: Inappropriate implementation in Payments * CVE-2024-9965: Insufficient data validation in DevTools * CVE-2024-9966: Inappropriate implementation in Navigations The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2024-337 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ E-Mail link for openSUSE-SU-2024:0337-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1231694 SUSE Bug 1231694 https://www.suse.com/security/cve/CVE-2024-9954/ SUSE CVE CVE-2024-9954 page https://www.suse.com/security/cve/CVE-2024-9955/ SUSE CVE CVE-2024-9955 page https://www.suse.com/security/cve/CVE-2024-9956/ SUSE CVE CVE-2024-9956 page https://www.suse.com/security/cve/CVE-2024-9957/ SUSE CVE CVE-2024-9957 page https://www.suse.com/security/cve/CVE-2024-9958/ SUSE CVE CVE-2024-9958 page https://www.suse.com/security/cve/CVE-2024-9959/ SUSE CVE CVE-2024-9959 page https://www.suse.com/security/cve/CVE-2024-9960/ SUSE CVE CVE-2024-9960 page https://www.suse.com/security/cve/CVE-2024-9961/ SUSE CVE CVE-2024-9961 page https://www.suse.com/security/cve/CVE-2024-9962/ SUSE CVE CVE-2024-9962 page https://www.suse.com/security/cve/CVE-2024-9963/ SUSE CVE CVE-2024-9963 page https://www.suse.com/security/cve/CVE-2024-9964/ SUSE CVE CVE-2024-9964 page https://www.suse.com/security/cve/CVE-2024-9965/ SUSE CVE CVE-2024-9965 page https://www.suse.com/security/cve/CVE-2024-9966/ SUSE CVE CVE-2024-9966 page SUSE Package Hub 15 SP5 SUSE Package Hub 15 SP6 openSUSE Leap 15.5 openSUSE Leap 15.6 chromedriver-130.0.6723.58-bp156.2.41.1 chromium-130.0.6723.58-bp156.2.41.1 chromedriver-130.0.6723.58-bp156.2.41.1 as a component of SUSE Package Hub 15 SP5 chromium-130.0.6723.58-bp156.2.41.1 as a component of SUSE Package Hub 15 SP5 chromedriver-130.0.6723.58-bp156.2.41.1 as a component of SUSE Package Hub 15 SP6 chromium-130.0.6723.58-bp156.2.41.1 as a component of SUSE Package Hub 15 SP6 chromedriver-130.0.6723.58-bp156.2.41.1 as a component of openSUSE Leap 15.5 chromium-130.0.6723.58-bp156.2.41.1 as a component of openSUSE Leap 15.5 chromedriver-130.0.6723.58-bp156.2.41.1 as a component of openSUSE Leap 15.6 chromium-130.0.6723.58-bp156.2.41.1 as a component of openSUSE Leap 15.6 Use after free in AI in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) CVE-2024-9954 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9954.html CVE-2024-9954 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Use after free in WebAuthentication in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2024-9955 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9955.html CVE-2024-9955 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) CVE-2024-9956 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9956.html CVE-2024-9956 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Use after free in UI in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2024-9957 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9957.html CVE-2024-9957 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Inappropriate implementation in PictureInPicture in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) CVE-2024-9958 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9958.html CVE-2024-9958 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Use after free in DevTools in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Medium) CVE-2024-9959 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9959.html CVE-2024-9959 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Use after free in Dawn in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2024-9960 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9960.html CVE-2024-9960 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Use after free in ParcelTracking in Google Chrome on iOS prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium) CVE-2024-9961 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9961.html CVE-2024-9961 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Inappropriate implementation in Permissions in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) CVE-2024-9962 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9962.html CVE-2024-9962 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Insufficient data validation in Downloads in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) CVE-2024-9963 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9963.html CVE-2024-9963 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Inappropriate implementation in Payments in Google Chrome prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted Chrome Extension. (Chromium security severity: Low) CVE-2024-9964 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9964.html CVE-2024-9964 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Insufficient data validation in DevTools in Google Chrome on Windows prior to 130.0.6723.58 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: Low) CVE-2024-9965 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9965.html CVE-2024-9965 https://bugzilla.suse.com/1231694 SUSE Bug 1231694 Inappropriate implementation in Navigations in Google Chrome prior to 130.0.6723.58 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) CVE-2024-9966 SUSE Package Hub 15 SP5:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP5:chromium-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromedriver-130.0.6723.58-bp156.2.41.1 SUSE Package Hub 15 SP6:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.5:chromium-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromedriver-130.0.6723.58-bp156.2.41.1 openSUSE Leap 15.6:chromium-130.0.6723.58-bp156.2.41.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/T2MFLX2ZRDN67URDWGTQ2CAJVYDFICNP/ https://www.suse.com/security/cve/CVE-2024-9966.html CVE-2024-9966 https://bugzilla.suse.com/1231694 SUSE Bug 1231694