-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.1246
                     chromium-browser security update
                               8 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           chromium-browser
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-6452 CVE-2020-6451 CVE-2020-6450

Reference:         ASB-2020.0068
                   ASB-2020.0067

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2020:1350

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: chromium-browser security update
Advisory ID:       RHSA-2020:1350-01
Product:           Red Hat Enterprise Linux Supplementary
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1350
Issue date:        2020-04-07
CVE Names:         CVE-2020-6450 CVE-2020-6451 CVE-2020-6452 
=====================================================================

1. Summary:

An update for chromium-browser is now available for Red Hat Enterprise
Linux 6 Supplementary.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Supplementary (v. 6) - i386, i686, x86_64
Red Hat Enterprise Linux HPC Node Supplementary (v. 6) - i686, x86_64
Red Hat Enterprise Linux Server Supplementary (v. 6) - i386, i686, x86_64
Red Hat Enterprise Linux Workstation Supplementary (v. 6) - i386, i686, x86_64

3. Description:

Chromium is an open-source web browser, powered by WebKit (Blink).

This update upgrades Chromium to version 80.0.3987.162.

Security Fix(es):

* chromium-browser: Use after free in WebAudio (CVE-2020-6450)

* chromium-browser: Use after free in WebAudio (CVE-2020-6451)

* chromium-browser: Heap buffer overflow in media (CVE-2020-6452)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the update, Chromium must be restarted for the changes to
take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1820155 - CVE-2020-6450 chromium-browser: Use after free in WebAudio
1820156 - CVE-2020-6451 chromium-browser: Use after free in WebAudio
1820157 - CVE-2020-6452 chromium-browser: Heap buffer overflow in media

6. Package List:

Red Hat Enterprise Linux Desktop Supplementary (v. 6):

i386:
chromium-browser-80.0.3987.162-1.el6_10.i686.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.i686.rpm

i686:
chromium-browser-80.0.3987.162-1.el6_10.i686.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.i686.rpm

x86_64:
chromium-browser-80.0.3987.162-1.el6_10.x86_64.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux HPC Node Supplementary (v. 6):

i686:
chromium-browser-80.0.3987.162-1.el6_10.i686.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.i686.rpm

x86_64:
chromium-browser-80.0.3987.162-1.el6_10.x86_64.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Server Supplementary (v. 6):

i386:
chromium-browser-80.0.3987.162-1.el6_10.i686.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.i686.rpm

i686:
chromium-browser-80.0.3987.162-1.el6_10.i686.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.i686.rpm

x86_64:
chromium-browser-80.0.3987.162-1.el6_10.x86_64.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.x86_64.rpm

Red Hat Enterprise Linux Workstation Supplementary (v. 6):

i386:
chromium-browser-80.0.3987.162-1.el6_10.i686.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.i686.rpm

i686:
chromium-browser-80.0.3987.162-1.el6_10.i686.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.i686.rpm

x86_64:
chromium-browser-80.0.3987.162-1.el6_10.x86_64.rpm
chromium-browser-debuginfo-80.0.3987.162-1.el6_10.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-6450
https://access.redhat.com/security/cve/CVE-2020-6451
https://access.redhat.com/security/cve/CVE-2020-6452
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXoxT1tzjgjWX9erEAQhr1A/8DGYJIkBPAy9jr3prZ/HPc83vKUoZ5vIz
kP6zzJAjT9BjK8xhZrGGl1OHuF3Hrqa3f2KLP4AhU350kD1w/+JrUxhOYMDK0hAj
WSkF6EolNRhb8IzbMgFoUwvAHqIFvwlKRc5mQvZ81ufIGSKg8yWfJqr4iODT/URO
15YsyHPE3yFrjxNp0iEr1qy4TMiQpq+H58l9bRfXtlb/PX3YsICcaLfN8hlSf55y
icIPSVnVH7jdTvgIa5GAN41qQS+5YLazh+2pJ32SuDi488vKFaAaH19kAjJ8YJOg
b0wbCEjO3j2PtkC4WUBvbb86jjzuyjFIvhSmgwzzB53lSd543hbWKO+EhuSUrXE1
SzU6N9M61kSrOCehLo0bPI+KXa/r3GgERUZk7lAUcj1M6o/bPeG0iiqMPX4K6Jc7
0fWmSEzBZBCTYNf+y06i0MmorxjSL5kkd71UtxYjYoKpv8u3d39yGSjySgNWNQrd
/3tCl0RNwDMugfj1gNZ+osihMmR+6lhyVBOl9McIewGBeq9c5fDC6pf4Bh6LgW3a
kWIony8m2hNm8EzeoFTUwJSK4lJ1E1/nbo1jku6RWzEmt//nH5tAuUApwOA+MfwJ
F98cT4Ekk02xrSa32mzg5A4bScM6S9l7o5QwdqWBmbacNH3tcKPopiseq7Xy+y54
SAePS8+IihI=
=HRE8
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXo1Zx2aOgq3Tt24GAQjGMg//ZDry0PESsYweMi+woGvCiOFHQeg2ws1P
+y5pKjNeXlMVlyhRMKN9SydjvAfFVErexPm5X1qCr9GM/XOLKqldVQcpLKMnOiu/
TulFdp61LHT30uBsZgX91zcHK0a2bBZABtOpxgpNlDI11iRTm9eGUTIpMyyngZm0
vtYgJ+cXRXI+1AJL+KEs/Hm7Apyw3NTUq0lSG/vU/yy6FQU9Xfc0bRBOktEhYNQ3
6a6qmaFClcIlrhrbWuay/lvp8pGgX7SP6joRmhMMiYGZqkx5k4oqJW162KxJp54L
J8+smVpkV2+popHe8+86N0hrC21jbuNt5baGaEWJId97aZM5jOLK+rWrhRBcvenQ
1IeDaXUFHGiUudzo3AYVZKxWEZYl+oK0BExlJ4hSUAn/Hxco/HDkCa6T/YGMsAxZ
T2F4t4+jImbDFkJ6oOvBWK/XNq4+h8QoX2VjK2reFBmFZa509uX3FTaImH/uVCSu
Z7kql3NMKNOKT3V7sF7WPm6UHHguxjN2NHQLWP8Ve4Ha79nRQwm2MnRFimNDMk1x
JaFtRVHOvLb8qTVTiXMROpoLsfRdSdjEBOxzbL50CK4vrAGv4l6r+f6ywvUIu3RU
jQB8L1SPnRRLHWY6COSvBXYa9UXsnnzuqDV4GTR9uk46ZQ+LDcie3LNVbRKVJRCj
/mGNsCO55UU=
=y/Zy
-----END PGP SIGNATURE-----