Upstream has released version 63.0.3239.84 on December 6: https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop.html This fixes several new security issues. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates
Whiteboard: (none) => MGA5TOO
Upstream has released version 63.0.3239.108 on December 14: https://chromereleases.googleblog.com/2017/12/stable-channel-update-for-desktop_14.html This fixes one new security issue. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates RedHat has issued an advisory for this today (December 18): https://access.redhat.com/errata/RHSA-2017:3479
Summary: chromium-browser-stable new security issues fixed in 63.0.3239.84 => chromium-browser-stable new security issues fixed in 63.0.3239.108
I would love to have one last update for this for Mageia 5 if possible, but it looks unlikely to happen. I guess I'll have to use Chrome.
Whiteboard: MGA5TOO => (none)
Working on cauldron now (still building), then mga6, and I was planning to take another look at mga5 by using some more bundled libs instead of trying to patch chromium to work with the old system library.
Status: NEW => ASSIGNEDCC: (none) => cjw
It appears both gcc and clang in mga5 are basically too old to build current chromium sources, which use C++14 and C++17 features. I started applying security patches on top of M60 but that is a lot of work: I was certainly not yet finished for M62 and now all fixes from M63 should be applied as well. Also, for some of the security issues I could not find a corresponding commit. But if someone is interested I can post what I have (and maybe even build it first).
You can commit it to SVN, so if someone wants to work on it and build it locally they can. We've frozen mga5 on the build system, so we can move onto 6 now. I see that one failed to build too.
The builds only fail because the build system kills the builds after 5 hours when they're almost finished.
Upstream has released version 64.0.3282.119 on January 24: https://chromereleases.googleblog.com/2018/01/stable-channel-update-for-desktop_24.html This fixes several new security issues. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates There was also a bugfix release on January 4 since the last security update: https://chromereleases.googleblog.com/2018/01/stable-channel-update-for-desktop.html openSUSE has issued an advisory for this today (January 28): https://lists.opensuse.org/opensuse-updates/2018-01/msg00107.html
Summary: chromium-browser-stable new security issues fixed in 63.0.3239.108 => chromium-browser-stable new security issues fixed in 64.0.3282.119
Upstream has released version 64.0.3282.140 on February 1: https://chromereleases.googleblog.com/2018/02/stable-channel-update-for-desktop.html This fixes one new security issue. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates openSUSE has issued an advisory for this on February 4: https://lists.opensuse.org/opensuse-updates/2018-02/msg00009.html
Summary: chromium-browser-stable new security issues fixed in 64.0.3282.119 => chromium-browser-stable new security issues fixed in 64.0.3282.140
64.0.3282.140 is in svn for cauldron and mga6
Upstream has released version 64.0.3282.167 on February 13: https://chromereleases.googleblog.com/2018/02/stable-channel-update-for-desktop_13.html This fixes one new security issue. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates openSUSE has issued an advisory for this on February 15: https://lists.opensuse.org/opensuse-updates/2018-02/msg00049.html
Summary: chromium-browser-stable new security issues fixed in 64.0.3282.140 => chromium-browser-stable new security issues fixed in 64.0.3282.167
Upstream has released version 65.0.3325.162 on March 13: https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop_13.html This is a bugfix update, but we've missed another security update. Upstream has released version 65.0.3325.146 on March 6: https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html This fixes several new security issues. There was also another bugfix update since the last update. Upstream has released version 64.0.3282.186 on February 22: https://chromereleases.googleblog.com/2018/02/stable-channel-update-for-desktop_22.html This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates openSUSE has issued an advisory for this today (March 16): https://lists.opensuse.org/opensuse-updates/2018-03/msg00051.html
Summary: chromium-browser-stable new security issues fixed in 64.0.3282.167 => chromium-browser-stable new security issues fixed in 65.0.3325.162
Upstream has released version 65.0.3325.181 on March 20: https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop_20.html This fixes one new security issue. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates openSUSE has issued an advisory for this on March 22: https://lists.opensuse.org/opensuse-updates/2018-03/msg00077.html
Summary: chromium-browser-stable new security issues fixed in 65.0.3325.162 => chromium-browser-stable new security issues fixed in 65.0.3325.181
Upstream has released version 66.0.3359.117 on April 17: https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html This fixes several new security issues. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates
Summary: chromium-browser-stable new security issues fixed in 65.0.3325.181 => chromium-browser-stable new security issues fixed in 66.0.3359.117
openSUSE has issued an advisory for this today (April 21): https://lists.opensuse.org/opensuse-updates/2018-04/msg00054.html
Upstream has released version 66.0.3359.139 on April 26: https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop_26.html This fixes one new security issue. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates openSUSE has issued an advisory for this on April 30: https://lists.opensuse.org/opensuse-updates/2018-04/msg00081.html
Summary: chromium-browser-stable new security issues fixed in 66.0.3359.117 => chromium-browser-stable new security issues fixed in 66.0.3359.139
CC: (none) => lists.jjorge
CC: (none) => guichard.adrien
I am trying to rebuild chromium-browser 66.0.3359.170, but I am facing few problems which force me to use third party version of ffmpeg, jsoncpp and libvpx. For libvpx, they do not use version 1.7.0, but branch master on git, which is not be compatible with version 1.7.0 (see vpx_encoder.h, https://github.com/webmproject/libvpx/blob/v1.7.0/vpx/vpx_encoder.h vs https://github.com/webmproject/libvpx/blob/master/vpx/vpx_encoder.h). For FFMPEG and jsoncpp, using Mageia native version should imply fixing patches only. I will give you an update as soon as it compiles cleanly. We have to use native FFMPEG at least.
Created attachment 10145 [details] chrome 66 spec file Work In Progress This is work in progress, here is what I have done so fare on mga7: -> usage of gtk3 instead of gtk2 -> removes conflicting patch -> add "-Wno-error -fpermissive" and other "-Wno-error=" compiler options (I know this is bad) -> fix gcc7 build (see chromium-66-gcc7.patch) -> add "v8_use_external_startup_data = false" gn config option (either if I do not => runtime problems) -> use third party ffmpeg/libvpx/jsoncpp What is needed to do from here: at least know exactly the impact of "v8_use_external_startup_data = false" and avoid using third party ffmpeg (to conform tainted packages presence user choice). When compiling, ensure you have 1GB of freemem per cpu core.. Either you will suffer
bundled ffmpeg -- I have not had problems lately, maybe because I'm working on M67 and now M68 libvpx -- must be updated in cauldron jsoncpp -- ?? v8_use_external_startup_data -- my M66 build had the renderer crashing immediately, maybe this is the same problem? I thought it was related to my gcc fixes. Anyway, M67 and current M68 work fine here, without this build flag. I'll attach a patch I found for ffmpeg/jsoncpp problems in M66.
Created attachment 10146 [details] M66 ffmpeg/jsoncpp related build script fixes
(In reply to Christiaan Welvaart from comment #19) > Created attachment 10146 [details] > M66 ffmpeg/jsoncpp related build script fixes Thanks! I could rebuild chromium with native ffmpeg. $ ldd /usr/lib64/chromium-browser/chrome | grep libav libavcodec.so.58 => /lib64/libavcodec.so.58 (0x00007f814a6bb000) libavformat.so.58 => /lib64/libavformat.so.58 (0x00007f814a278000) libavutil.so.56 => /lib64/libavutil.so.56 (0x00007f8149ffa000) libavahi-common.so.3 => /lib64/libavahi-common.so.3 (0x00007f8145388000) libavahi-client.so.3 => /lib64/libavahi-client.so.3 (0x00007f8145177000) Unfortunately, the patch could not apply for jsoncpp, because jsoncpp.gn is missing from build/linux/unbundle/, see: https://chromium.googlesource.com/chromium/src/+/66.0.3359.178/build/linux/unbundle/ I will clean up the spec file to minimise diffs and attach it here
Created attachment 10149 [details] add patch from Christiaan Welvaart this is 66 version, not crashing at startup, using gtk3
Attachment 10145 is obsolete: 0 => 1
(In reply to Christiaan Welvaart from comment #18) > bundled ffmpeg -- I have not had problems lately, maybe because I'm working > on M67 and now M68 > libvpx -- must be updated in cauldron > jsoncpp -- ?? > > v8_use_external_startup_data -- my M66 build had the renderer crashing > immediately, maybe this is the same problem? I thought it was related to my > gcc fixes. Anyway, M67 and current M68 work fine here, without this build > flag. I think so, using v8_use_external_startup_data = false solve the problem for me (and chromium seems to load faster) I just attached patch to apply to our chromium build, tell me if it is OK for you. I do not delete a line, just added comments.
Created attachment 10158 [details] Fix build for revision 1229801 This patch fix build of latest chromium-browser-stable svn spec file. It relies on libvpx commit e9fff8a9dbcd03fbf3e5b7caaa9dc2631a79882a. it uses gtk2 and system libvpx.
Attachment 10149 is obsolete: 0 => 1
Created attachment 10159 [details] Fix build and runtime for revision 1229801 use v8_use_external_startup_data = false to fix runtime
Attachment 10158 is obsolete: 0 => 1
Upstream has released version 66.0.3359.170 on May 10: https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html This fixes several new security issues. Upstream has released version 66.0.3359.181 on May 15: https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_15.html This is a bugfix release. Upstream has released version 67.0.3396.62 on May 29: https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html This fixes several new security issues. This is the current version in the stable channel: http://googlechromereleases.blogspot.com/search/label/Stable%20updates
Summary: chromium-browser-stable new security issues fixed in 66.0.3359.139 => chromium-browser-stable new security issues fixed in 67.0.3396.62
Updated packages are available for testing: MGA6 SRPM: chromium-browser-stable-67.0.3396.62-1.mga6.src.rpm RPMS: chromium-browser-stable-67.0.3396.62-1.mga6.i586.rpm chromium-browser-67.0.3396.62-1.mga6.i586.rpm chromium-browser-stable-67.0.3396.62-1.mga6.x86_64.rpm chromium-browser-67.0.3396.62-1.mga6.x86_64.rpm Proposed advisory: Chromium-browser 67.0.3396.62 fixes security issues: Multiple flaws were found in the way Chromium 64.0.3282.140 processes various types of web content, where loading a web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information. (CVE-2017-11215, CVE-2017-11225, CVE-2018-6056, CVE-2018-6057, CVE-2018-6060, CVE-2018-6061, CVE-2018-6062, CVE-2018-6063, CVE-2018-6064, CVE-2018-6065, CVE-2018-6066, CVE-2018-6067, CVE-2018-6068, CVE-2018-6069, CVE-2018-6070, CVE-2018-6071, CVE-2018-6072, CVE-2018-6073, CVE-2018-6074, CVE-2018-6075, CVE-2018-6076, CVE-2018-6077, CVE-2018-6078, CVE-2018-6079, CVE-2018-6080, CVE-2018-6081, CVE-2018-6082, CVE-2018-6083, CVE-2018-6084, CVE-2018-6085, CVE-2018-6086, CVE-2018-6087, CVE-2018-6088, CVE-2018-6089, CVE-2018-6090, CVE-2018-6091, CVE-2018-6092, CVE-2018-6093, CVE-2018-6094, CVE-2018-6095, CVE-2018-6096, CVE-2018-6097, CVE-2018-6098, CVE-2018-6099, CVE-2018-6100, CVE-2018-6101, CVE-2018-6102, CVE-2018-6103, CVE-2018-6104, CVE-2018-6105, CVE-2018-6106, CVE-2018-6107, CVE-2018-6108, CVE-2018-6109, CVE-2018-6110, CVE-2018-6111, CVE-2018-6112, CVE-2018-6113, CVE-2018-6114, CVE-2018-6115, CVE-2018-6116, CVE-2018-6117, CVE-2018-6118, CVE-2018-6120, CVE-2018-6121, CVE-2018-6122, CVE-2018-6123, CVE-2018-6124, CVE-2018-6126, CVE-2018-6127, CVE-2018-6128, CVE-2018-6129, CVE-2018-6130, CVE-2018-6131, CVE-2018-6132, CVE-2018-6133, CVE-2018-6134, CVE-2018-6135, CVE-2018-6136, CVE-2018-6137, CVE-2018-6138, CVE-2018-6139, CVE-2018-6140, CVE-2018-6141, CVE-2018-6142, CVE-2018-6143, CVE-2018-6144, CVE-2018-6145, CVE-2018-6147) References: https://chromereleases.googleblog.com/2018/02/stable-channel-update-for-desktop_13.html https://chromereleases.googleblog.com/2018/02/stable-channel-update-for-desktop_22.html https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop.html https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop_13.html https://chromereleases.googleblog.com/2018/03/stable-channel-update-for-desktop_20.html https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop.html https://chromereleases.googleblog.com/2018/04/stable-channel-update-for-desktop_26.html https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop.html https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_15.html https://chromereleases.googleblog.com/2018/05/stable-channel-update-for-desktop_58.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11215 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-11225 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6056 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6057 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6060 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6061 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6062 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6063 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6064 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6065 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6066 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6067 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6068 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6069 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6070 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6071 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6072 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6073 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6074 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6075 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6076 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6077 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6078 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6079 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6080 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6081 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6082 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6083 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6084 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6085 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6086 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6087 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6088 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6089 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6090 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6091 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6092 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6093 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6098 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6100 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6101 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6104 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6105 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6106 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6107 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6108 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6109 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6110 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6111 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6112 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6113 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6114 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6115 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6116 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6117 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6118 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6120 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6121 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6122 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6123 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6124 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6126 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6127 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6128 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6129 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6130 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6131 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6132 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6133 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6134 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6135 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6136 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6137 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6138 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6139 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6140 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6141 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6142 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6143 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6144 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6145 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6147
Assignee: cjw => qa-bugs
tested mga6-64. Jetstream OK for javascript, acid3 runs to 97%, orange and yellow boxes show as gray (I guess standards compliance has moved in a new direction?) General browsing and video playback OK.
Whiteboard: (none) => has_procedure mga6-64-okCC: (none) => wrw105
tested mga6-32 under virtualbox results as above, but video was a bit slow, probably due to running in VM. General browsing, jetstream OK, acid3 as above. validating. Ready for push when advisory uploaded to svn.
Keywords: (none) => validated_updateWhiteboard: has_procedure mga6-64-ok => has_procedure mga6-64-ok mga6-32-okCC: (none) => sysadmin-bugs
advisory uploaded
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0268.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED