| Summary: | chromium-browser-stable new security issues fixed in 37.0.2062.120 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | anssi.hannula, olivier.delaune, ottoleipala1, pterjan, sysadmin-bugs, tarazed25, wrw105 |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/601056/ | | |
| Whiteboard: | MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok | | |
| Source RPM: | chromium-browser-stable-34.0.1847.137-1.mga4.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2014-05-22 18:09:43 CEST
This is Chromium 35, which as previously discussed, will require the Pepper Flash. It also needs to be built with Aura (-Duse_aura=1 gyp flag) as I noted in Bug 13412.

CC: (none) => anssi.hannula

Debian has issued an advisory for this on May 31: https://www.debian.org/security/2014/dsa-2939

URL: (none) => http://lwn.net/Vulnerabilities/601056/

Upstream has released version 35.0.1916.153 on June 10: http://googlechromereleases.blogspot.com/2014/06/stable-channel-update.html

This fixes more security issues.

Debian has issued an advisory for this on June 14: https://www.debian.org/security/2014/dsa-2959

LWN reference for 35.0.1916.153: http://lwn.net/Vulnerabilities/602455/

David Walser
2014-06-24 20:40:30 CEST
Summary: chromium-browser-stable new security issues fixed in 35.0.1916.114 => chromium-browser-stable new security issues fixed in 35.0.1916.153

Upstream has released version 36.0.1985.125 on July 16: http://googlechromereleases.blogspot.com/search/label/Stable%20updates

This fixes more security issues.

Summary: chromium-browser-stable new security issues fixed in 35.0.1916.153 => chromium-browser-stable new security issues fixed in 36.0.1985.125

Correct link for 36.0.1985.125: http://googlechromereleases.blogspot.com/2014/07/stable-channel-update.html

Upstream has released version 36.0.1985.143 on August 12: http://googlechromereleases.blogspot.com/2014/08/stable-channel-update.html

This fixes more security issues.

Summary: chromium-browser-stable new security issues fixed in 36.0.1985.125 => chromium-browser-stable new security issues fixed in 36.0.1985.143

Upstream has released version 37.0.2062.94 on August 26: http://googlechromereleases.blogspot.com/2014/08/stable-channel-update_26.html

This fixes more security issues.

Summary: chromium-browser-stable new security issues fixed in 36.0.1985.143 => chromium-browser-stable new security issues fixed in 37.0.2062.94

Gentoo has issued an advisory for this on August 30: http://www.gentoo.org/security/en/glsa/glsa-201408-16.xml

from http://lwn.net/Vulnerabilities/610416/

Upstream has released version 37.0.2062.120 today (September 9): http://googlechromereleases.blogspot.com/2014/09/stable-channel-update_9.html

This fixes more security issues.

Summary: chromium-browser-stable new security issues fixed in 37.0.2062.94 => chromium-browser-stable new security issues fixed in 37.0.2062.120

Gentoo has issued an advisory for this on September 19: http://www.gentoo.org/security/en/glsa/glsa-201409-06.xml

from http://lwn.net/Vulnerabilities/612811/

37.0.2062.120 is in 4/updates_testing

CC: (none) => pterjan

Just a note, it is more difficult for 3 as it seems to require a more recent harfbuzz. Looking more into it.

```
../../third_party/WebKit/Source/platform/fonts/harfbuzz/HarfBuzzShaper.cpp: In member function 'bool WebCore::HarfBuzzShaper::shapeHarfBuzzRuns()':
../../third_party/WebKit/Source/platform/fonts/harfbuzz/HarfBuzzShaper.cpp:830:62: error: 'hb_buffer_clear_contents' was not declared in this scope
```

OK. If there's a way to build with the bundled one, that would be fine. Note the change I checked into Mageia 4 SVN (mostly the one Anssi forgot to commit) from Cauldron after you pushed the current build.

A simple patch was enough, and I had missed the change, I'll submit again for 3 and 4.

4 is uploaded and 3 should finish soon, time to sleep.

Thanks Pascal! CC'ing the QA team just in case anyone wants to start playing with it. Note that plugins are not supported anymore, so things like Java and Flash won't work, although Flash should if you also have Chrome installed.

TODO: update or remove in Cauldron (planning to remove before mga5) and push tainted builds.

Since we missed so many updates, I don't know how many of the CVEs along the way affect the current version that we have, so it'll be a generic advisory when I get to it.

CC: (none) => qa-bugs

I tested chromium-browser-37.0.2062.120-1.mga4 on Mageia 4 64-bits. I do not remember precisely how it was before I installed this new version but for now, I am not able anymore to run Flash applications. `rpm -qa | grep flash` gives me

```
flash-player-plugin-kde-11.2.202.406-1.mga4.nonfree
flash-player-plugin-11.2.202.406-1.mga4.nonfree
```

Other things look to work fine.

CC: (none) => olivier.delaune

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron. Thanks again to Pascal for helping with this update.

Note to QA: there are both core and tainted builds for this package.

Advisory:
========================

Updated chromium-browser-stable packages fix security vulnerabilities:

Several security issues and other bugs have been fixed since our previous update. See the upstream release announcements for details.

Note that as of version 35, the Chromium browser no longer supports browser plugins, including Flash and Java. If Flash functionality is needed, it is recommended to either use Firefox, or to install the Chrome browser from Google's upstream repository. See the Mageia Forum topic on this for instructions on installing Chrome.

References:
- http://googlechromereleases.blogspot.com/2014/05/stable-channel-update_20.html
- http://googlechromereleases.blogspot.com/2014/06/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2014/07/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2014/08/stable-channel-update.html
- http://googlechromereleases.blogspot.com/2014/08/stable-channel-update_26.html
- http://googlechromereleases.blogspot.com/2014/09/stable-channel-update_9.html
- https://forums.mageia.org/en/viewtopic.php?t=2053

========================

Updated packages in core/updates_testing:
========================
- chromium-browser-stable-37.0.2062.120-1.mga3
- chromium-browser-37.0.2062.120-1.mga3
- chromium-browser-stable-37.0.2062.120-1.mga4
- chromium-browser-37.0.2062.120-1.mga4

Updated packages in tainted/updates_testing:
========================
- chromium-browser-stable-37.0.2062.120-1.mga3
- chromium-browser-37.0.2062.120-1.mga3
- chromium-browser-stable-37.0.2062.120-1.mga4
- chromium-browser-37.0.2062.120-1.mga4

from SRPMS:
- chromium-browser-stable-37.0.2062.120-1.mga3.src.rpm
- chromium-browser-stable-37.0.2062.120-1.mga4.src.rpm

CC: qa-bugs => (none)

Testing in mga4-32. It seemed to work fine although I only tried a couple of things. It succeeded in importing my Firefox bookmarks. All links worked. Apps -> YouTube came up OK. Did not login or play videos.

CC: (none) => tarazed25

Tested mga4-64 core and tainted builds

Tested general browsing, acid 3 test at acidtests.org, mp3 streaming through https://archive.org/details/Test_Audio_MP3_File on Tainted build.

Javatester does not work, as expected with the plugins being ended. Right clicking a youtube video shows it using the html5 player.

CC: (none) => wrw105

Yes java and adobe flash won't work because chrome from 35 version obsoleted npapi plugin support.

http://thenextweb.com/google/2014/05/27/google-removes-npapi-apps-extensions-chrome-web-store-homepage-search-results-category-pages/

CC: (none) => ozkyster

Here is more info about those npapi plugins.

http://www.webupd8.org/2014/05/google-chrome-stable-35-for-linux.html

Tested mga3-64, core and tainted as in comment 20 above. All OK.

Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga3-64-ok

Testing complete mga4 32, as comment 20

Needs testing mga3 32 to validate.

Whiteboard: MGA3TOO mga4-64-ok mga3-64-ok => MGA3TOO mga3-64-ok mga4-32-ok mga4-64-ok

claire robinson
2014-10-09 14:46:12 CEST
Whiteboard: MGA3TOO mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok

Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Validating. Advisory uploaded. Added the tainted srpms to the advisory.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update

An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0413.html

Status: NEW => RESOLVED