| Summary: | Chromium 118.0.5993.70 update fixes vulnerabilities and bugs | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | christian barranco <chb0> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | fri, guillaume.royer, marja11, sysadmin-bugs, tarazed25 |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA9-64-OK | | |
| Source RPM: | chromium-browser-stable-117.0.5938.132-1.mga9.tainted.src.rpm | CVE: | |
| Status comment: | | | |
Description
christian barranco
2023-10-12 23:01:00 CEST

Ready for QA!

ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 118.0.5993.70 fixes bugs and vulnerabilities

Description

The chromium-browser-stable package has been updated to the 118.0.5993.70 release, fixing bugs and 20 vulnerabilities.

Critical CVE-2023-5218: Use after free in Site Isolation. Reported by @18 on 2023-09-27
Medium CVE-2023-5487: Inappropriate implementation in Fullscreen. Reported by Anonymous on 2020-03-17
Medium CVE-2023-5484: Inappropriate implementation in Navigation. Reported by Thomas Orlita on 2023-02-11
Medium CVE-2023-5475: Inappropriate implementation in DevTools. Reported by Axel Chong on 2023-08-30
Medium CVE-2023-5483: Inappropriate implementation in Intents. Reported by Axel Chong on 2023-03-17
Medium CVE-2023-5481: Inappropriate implementation in Downloads. Reported by Om Apip on 2023-06-28
Medium CVE-2023-5476: Use after free in Blink History. Reported by Yunqin Sun on 2023-08-20
Medium CVE-2023-5474: Heap buffer overflow in PDF. Reported by [pwn2car] on 2023-09-15
Medium CVE-2023-5479: Inappropriate implementation in Extensions API. Reported by Axel Chong on 2023-08-09
Low CVE-2023-5485: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2022-12-02
Low CVE-2023-5478: Inappropriate implementation in Autofill. Reported by Ahmed ElMasry on 2023-08-12
Low CVE-2023-5477: Inappropriate implementation in Installer. Reported by Bahaa Naamneh of Crosspoint Labs on 2023-08-13
Low CVE-2023-5486: Inappropriate implementation in Input. Reported by Hafiizh on 2022-08-29
Low CVE-2023-5473: Use after free in Cast. Reported by DarkNavy on 2023-09-18

References

https://bugs.mageia.org/show_bug.cgi?id=32381
https://chromereleases.googleblog.com/2023/10/stable-channel-update-for-desktop_10.html

SRPMS

9/tainted
chromium-browser-stable-118.0.5993.70-1.mga9.tainted.src.rpm

PROVIDED PACKAGES
=================

x86_64
chromium-browser-118.0.5993.70-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-118.0.5993.70-1.mga9.tainted.x86_64.rpm

i586
chromium-browser-118.0.5993.70-1.mga9.tainted.i586.rpm
chromium-browser-stable-118.0.5993.70-1.mga9.tainted.i586.rpm

Assignee: chb0 => qa-bugs

Mageia9, x86_64. Working before update. Working afterwards.
Site search -> APOD, Dust videos. Video and audio work OK.
Used a local file path as a URL and viewed a PDF journal without any glitches. Selected and printed a single page.
Logged in to my bank and checked cash balances.
Logged in to my NAS drive on the LAN - Windows interface - browsed files.
Looks good here.

CC: (none) => tarazed25

OK here mga9-64, Plasma, Nvidia470 on GTX750, kernel 6.4.16-desktop-3.mga9 on i7-870.
Tabs from previous session preserved.
Swedish localisation.
Used three banking sites.
Used four video sites.
Printed to Boomaga.

Advisory from comment 1 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete".

I removed "20" from "fixing bugs and 20 vulnerabilities" in the description, because there were only 14 CVEs in comment 1.

Keywords: (none) => advisory

Why is the 22x22 icon a dark one instead of the traditional blue?

(In reply to Marja Van Waes from comment #4)
> Advisory from comment 1 added to SVN. Please remove the "advisory" keyword
> if it needs to be changed. It also helps when obsolete advisories are tagged
> as "obsolete".
>
> I removed "20" from "fixing bugs and 20 vulnerabilities" in the description,
> because there were only 14 CVEs in comment 1.

Hi. Thanks. It is usual. Not all CVEs are published. The number is then usually higher.
It looks, though, like I deleted the following sentence by mistake some time ago, before the list of CVEs: "Some of the security fixes are:"

(In reply to katnatek from comment #5)
> Why is the 22x22 icon a dark one instead of the traditional blue?

Because, for a reason I don't know, the Chromium package does not include a 22x22 colour icon. It does include a 22x22 monochrome one.
If I remember well, it is Wally who found this monochrome icon and I have kept it since then.

Arch does not ship any 22x22 icon. I just checked, and Fedora neither. openSUSE uses only their own svg icon.

I can remove it from the next update (in about 2 weeks, usually), if you find this confusing.

(In reply to christian barranco from comment #7)
> (In reply to katnatek from comment #5)
> > Why is the 22x22 icon a dark one instead of the traditional blue?
>
> Because, for a reason I don't know, the Chromium package does not include a 22x22
> colour icon. It does include a 22x22 monochrome one.
> If I remember well, it is Wally who found this monochrome icon and I
> have kept it since then.
>
> Arch does not ship any 22x22 icon. I just checked, and Fedora neither.
> openSUSE uses only their own svg icon.
>
> I can remove it from the next update (in about 2 weeks, usually), if you find
> this confusing.

Yes please, it's invisible on dark themes. I almost opened a bug report thinking that the icon was missing, until I searched the icon folders.

MGA 9 64 GNOME Core, i5, 16 GB RAM
Updated with QA Repo: no issue at installation:
chromium-browser 118.0.5993.> 1.mga9.taint> x86_64
chromium-browser-stable 118.0.5993.> 1.mga9.taint> x86_64
Bank site OK, FaceBook OK
Element Matrix web client OK
Netflix OK

CC: (none) => guillaume.royer
Guillaume Royer
2023-10-18 17:32:06 CEST

Whiteboard: (none) => MGA9-64-OK

(In reply to christian barranco from comment #6)
> (In reply to Marja Van Waes from comment #4)
> > Advisory from comment 1 added to SVN. Please remove the "advisory" keyword
> > if it needs to be changed. It also helps when obsolete advisories are tagged
> > as "obsolete".
> >
> > I removed "20" from "fixing bugs and 20 vulnerabilities" in the description,
> > because there were only 14 CVEs in comment 1.
>
> Hi. Thanks. It is usual. Not all CVEs are published. The number is then
> usually higher.
> It looks, though, like I deleted the following sentence by mistake some
> time ago, before the list of CVEs: "Some of the security fixes are:"

Complement from Chromium release notes:

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed.

Cauldron is finally up to date. You can validate this update.
Morgan Leijström
2023-10-18 22:11:26 CEST

Keywords: (none) => validated_update

(In reply to christian barranco from comment #6)
> (In reply to Marja Van Waes from comment #4)
> >
> > I removed "20" from "fixing bugs and 20 vulnerabilities" in the description,
> > because there were only 14 CVEs in comment 1.
>
> Hi. Thanks. It is usual. Not all CVEs are published. The number is then
> usually higher.
> It looks, though, like I deleted the following sentence by mistake some
> time ago, before the list of CVEs: "Some of the security fixes are:"

(In reply to Morgan Leijström from comment #11)
> @Marja see Comment 10 for advisory addition

Thanks Christian and Morgan. The advisory in SVN has been updated.

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0289.html

Resolution: (none) => FIXED