Bug 26366 - chromium-browser-stable new security issues fixed in 80.0.3987.149
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-21 08:58 CET by Christiaan Welvaart
Modified: 2020-04-01 03:58 CEST

See Also:
Source RPM: chromium-browser-stable-80.0.3987.122-1.mga7.src.rpm
CVE:
Status comment:


Description Christiaan Welvaart 2020-03-21 08:58:51 CET
Upstream released versions 80.0.3987.132 and 80.0.3987.149 with security fixes:
https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html
Comment 1 Christiaan Welvaart 2020-03-21 09:03:01 CET
Updated packages are available for testing:

MGA7
SRPM:
chromium-browser-stable-80.0.3987.149-1.mga7.src.rpm
RPMS:
chromium-browser-80.0.3987.149-1.mga7.i586.rpm
chromium-browser-stable-80.0.3987.149-1.mga7.i586.rpm
chromium-browser-80.0.3987.149-1.mga7.x86_64.rpm
chromium-browser-stable-80.0.3987.149-1.mga7.x86_64.rpm



Advisory:

Chromium-browser 80.0.3987.149 fixes security issues:

Multiple flaws were found in the way Chromium 80.0.3987.122 processes various types of web content, where loading a web page containing malicious content could cause Chromium to crash, execute arbitrary code, or disclose sensitive information. (CVE-2020-6420, CVE-2020-6422, CVE-2020-6424, CVE-2020-6425, CVE-2020-6426, CVE-2020-6427, CVE-2020-6428, CVE-2020-6429, CVE-2020-6449, CVE-2019-20503)

References:
https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop.html
https://chromereleases.googleblog.com/2020/03/stable-channel-update-for-desktop_18.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6422
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6424
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6426
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6428
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6429
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20503

Assignee: cjw => qa-bugs
CC: (none) => cjw

Comment 2 Herman Viaene 2020-03-21 14:08:47 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
At CLI:
$ chromium-browser 
[17088:17088:0321/140225.338470:ERROR:sandbox_linux.cc(374)] InitializeSandbox() called with multiple threads in process gpu-process.
[17115:1:0321/140234.151551:ERROR:child_process_sandbox_support_impl_linux.cc(79)] FontService unique font name matching request did not receive a response.
This last message repeats a number of times, but this does not impair my usual newspaper site.
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2020-03-22 19:11:37 CET
No installation issues for me, either.

I tried the browser from the command line both before and after the update, and saw similar messages both times. However, I tried several of my favorite sites, and all worked as they should, so the comments don't look like an issue.

Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm

Thomas Andrews 2020-03-23 22:19:28 CET

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2020-03-31 23:35:20 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2020-04-01 03:58:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0149.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

