So I hit the computer for the first time today and there's not the usual 2-5 Fedora sec update notices, but 356. That's a first.
So Google Chrome has a really bad zero-day:
High CVE-2024-1938: Type Confusion in V8
High CVE-2024-1939: Type Confusion in V8
And these 356 are all this bug. This is very interesting because these just seem like random packages... how can they all have this bug? So it looks like the Chrome stuff got into JDK stuff, and the JDK stuff got into 300+ other things (uh, what?).
Strangely, I don't see notices for Chromium or webkit libraries... unless they are coming next.
Y'all started using firejail to wrap your Chrome/Chromium in after the Feb MUUG presentation, right?? Add some more height to the histogram I posted of Chrome CVEs... Google: leading the pack.
Luckily I mostly use Firefox!
The info on these CVEs is currently very limited. If someone has some juicier info on the hole, let us know.
CVE-2024-1938 Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2024-1939 Type Confusion in V8 in Google Chrome prior to 122.0.6261.94 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)