Synopsis
The remote openSUSE host is missing one or more security updates.
Description
The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2024:0254-2 advisory.
- Chromium 127.0.6533.119 (boo#1228941)
* CVE-2024-7532: Out of bounds memory access in ANGLE
* CVE-2024-7533: Use after free in Sharing
* CVE-2024-7550: Type Confusion in V8
* CVE-2024-7534: Heap buffer overflow in Layout
* CVE-2024-7535: Inappropriate implementation in V8
* CVE-2024-7536: Use after free in WebAudio
- Chromium 127.0.6533.88 (boo#1228628, boo#1228940, boo#1228942)
* CVE-2024-6988: Use after free in Downloads
* CVE-2024-6989: Use after free in Loader
* CVE-2024-6991: Use after free in Dawn
* CVE-2024-6992: Out of bounds memory access in ANGLE
* CVE-2024-6993: Inappropriate implementation in Canvas
* CVE-2024-6994: Heap buffer overflow in Layout
* CVE-2024-6995: Inappropriate implementation in Fullscreen
* CVE-2024-6996: Race in Frames
* CVE-2024-6997: Use after free in Tabs
* CVE-2024-6998: Use after free in User Education
* CVE-2024-6999: Inappropriate implementation in FedCM
* CVE-2024-7000: Use after free in CSS. Reported by Anonymous
* CVE-2024-7001: Inappropriate implementation in HTML
* CVE-2024-7003: Inappropriate implementation in FedCM
* CVE-2024-7004: Insufficient validation of untrusted input in Safe Browsing
* CVE-2024-7005: Insufficient validation of untrusted input in Safe Browsing
* CVE-2024-6990: Uninitialized Use in Dawn
* CVE-2024-7255: Out of bounds read in WebTransport
* CVE-2024-7256: Insufficient data validation in Dawn
gh:
- Update to version 0.20240730:
* Rust: link_output, depend_output and runtime_outputs for dylibs
* Add missing reference section to function_toolchain.cc
* Do not cleanup args.gn imports located in the output directory.
* Fix expectations in NinjaRustBinaryTargetWriterTest.SwiftModule
* Do not add native dependencies to the library search path
* Support linking frameworks and swiftmodules in Rust targets
* [desc] Silence print() statements when outputing json
* infra: Move CI/try builds to Ubuntu-22.04
* [MinGW] Fix mingw building issues
* [gn] Fix 'link' in the //examples/simple_build/build/toolchain/BUILD.gn
* [template] Fix 'rule alink_thin' in the //build/build_linux.ninja.template
* Allow multiple --ide switches
* [src] Add '#include <limits>' in the //src/base/files/file_enumerator_win.cc
* Get updates to infra/recipes.py from upstream
* Revert 'Teach gn to handle systems with > 64 processors'
* [apple] Rename the code-signing properties of create_bundle
* Fix a typo in 'gn help refs' output
* Revert '[bundle] Use 'phony' builtin tool for create_bundle targets'
* [bundle] Use 'phony' builtin tool for create_bundle targets
* [ios] Simplify handling of assets catalog
* [swift] List all outputs as deps of 'source_set' stamp file
* [swift] Update `gn check ...` to consider the generated header
* [swift] Set `restat = 1` to swift build rules
* Fix build with gcc12
* [label_matches] Add new functions label_matches(), filter_labels_include() and filter_labels_exclude()
* [swift] Remove problematic use of 'stamp' tool
* Implement new --ninja-outputs-file option.
* Add NinjaOutputsWriter class
* Move InvokePython() function to its own source file.
* zos: build with -DZOSLIB_OVERRIDE_CLIB to override creat
* Enable C++ runtime assertions in debug mode.
* Fix regression in MakeRelativePath()
* fix: Fix Windows MakeRelativePath.
* Add long path support for windows
* Ensure read_file() files are considered by 'gn analyze'
* apply 2to3 to for some Python scripts
* Add rustflags to desc and help output
* strings: support case insensitive check only in StartsWith/EndsWith
* add .git-blame-ignore-revs
* use std::{string,string_view}::{starts_with,ends_with}
* apply clang-format to all C++ sources
* add forward declaration in rust_values.h
* Add `root_patterns` list to build configuration.
* Use c++20 in GN build
* update windows sdk to 2024-01-11
* update windows sdk
* Add linux-riscv64.
* Update OWNERS list.
* remove unused function
* Ignore build warning -Werror=redundant-move
* Fix --as=buildfile `gn desc deps` output.
* Update recipe engine to 9dea1246.
* treewide: Fix spelling mistakes
Added rust-bindgen:
- Version 0.69.1
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected chromedriver, chromium, gn and / or rust-bindgen packages.
Plugin Details
File Name: openSUSE-2024-0254-2.nasl
Agent: unix
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Continuous Assessment, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:novell:opensuse:15.5, p-cpe:/a:novell:opensuse:chromium, p-cpe:/a:novell:opensuse:rust-bindgen, cpe:/o:novell:opensuse:15.6, p-cpe:/a:novell:opensuse:chromedriver, p-cpe:/a:novell:opensuse:gn
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 8/19/2024
Vulnerability Publication Date: 7/23/2024
Reference Information
CVE: CVE-2024-6988, CVE-2024-6989, CVE-2024-6990, CVE-2024-6991, CVE-2024-6992, CVE-2024-6993, CVE-2024-6994, CVE-2024-6995, CVE-2024-6996, CVE-2024-6997, CVE-2024-6998, CVE-2024-6999, CVE-2024-7000, CVE-2024-7001, CVE-2024-7003, CVE-2024-7004, CVE-2024-7005, CVE-2024-7255, CVE-2024-7256, CVE-2024-7532, CVE-2024-7533, CVE-2024-7534, CVE-2024-7535, CVE-2024-7536, CVE-2024-7550