V8 is the JavaScript engine developed for use in Google Chrome. Tons of projects have imported the V8 JS engine for one reason or another, without necessarily importing Chromium itself. So...... yeah, what you're seeing sounds about right. Even Java supports JavaScript nowadays.
-Adam
-----Original Message-----
From: Roundtable roundtable-bounces@muug.ca On Behalf Of Trevor Cordes
Sent: Thursday, March 7, 2024 6:40 PM
To: MUUG RndTbl roundtable@muug.ca
Subject: [RndTbl] Chrome blows up the net?
So I hit the computer for the first time today and there's not the usual 2-5 Fedora sec update notices, but 356. That's a first.
So Google Chrome has a really bad zero-day:
High CVE-2024-1938: Type Confusion in V8
High CVE-2024-1939: Type Confusion in V8
And these 356 are all this bug. This is very interesting because these just seem like random packages... how can they all have this bug? So it looks like the Chrome stuff got into JDK stuff, and the JDK stuff got into 300+ other things (uh, what?).
Strangely, I don't see notices for Chromium or webkit libraries... unless they are coming next.
Y'all started using firejail to wrap your Chrome/Chromium in after the Feb MUUG presentation, right?? Add some more height to the histogram I posted of Chrome CVEs... Google: leading the pack.
Luckily I mostly use Firefox!
The info on these CVEs is currently very limited. If someone has some juicier info on the hole, let us know.
CVE-2024-1938
Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2024-1939
Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
_______________________________________________
Roundtable mailing list
Roundtable@muug.ca
https://muug.ca/mailman/listinfo/roundtable