Upstream has released version 100.0.4896.88 on April 11th: https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html It includes 11 security fixes. The build has been successful locally, and I am going to submit it to our BS. An advisory proposal will follow once the build has passed. It will take between 1 day and 1 week, depending on whether I face a timeout issue with the rabbit server or whether I get a slot on the ecosse server instead.
CC: (none) => davidwhodgins
Blocks: (none) => 30259
Upstream has released version 100.0.4896.127 on April 14: https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html It includes 2 other security fixes. An exploit for CVE-2022-1364 exists in the wild.
CC: (none) => nicolas.salguero
Summary: chromium-browser-stable new security issues fixed in 100.0.4896.88 => chromium-browser-stable new security issues fixed in 100.0.4896.127
Hi. Ok, I take it. If there is an update every week, it is going to be hard to follow; especially as it takes up to a few days to complete the build.
There's usually like 2 a month, but yes it is hard to keep up with. You're doing the best we've ever done with that.
I've killed the 100.0.4896.88-1.mga8 build as you are already moving to the next one. Please update mga8 svn with the new 100.0.4896.127 build, but _DONT_ submit it... Instead let me know when it's there and I'll feed it to an off-site builder that is not integrated into mga buildsystem in order to ease the load on the on-site buildsystem.
(In reply to Thomas Backlund from comment #4)
> I've killed the 100.0.4896.88-1.mga8 build as you are already moving to the
> next one.
>
> Please update mga8 svn with the new 100.0.4896.127 build, but _DONT_ submit
> it...
>
> Instead let me know when it's there and I'll feed it to an off-site builder
> that is not integrated into mga buildsystem in order to ease the load on the
> on-site buildsystem

Hi. Too late. Actually, I noticed something has happened to .88. I asked neoclust what he thought about it; not able to explain, I submitted .127... However, it is still on "to do" status. Maybe you can still do something? Sorry for that...
*** Bug 30259 has been marked as a duplicate of this bug. ***
Thanks Thomas for your support to get it through. The package is now ready for QA.

ADVISORY NOTICE PROPOSAL
========================

Updated chromium-browser-stable packages fix many CVE and counter an exploit

Description
The chromium-browser-stable package has been updated to the 100.0.4896.127 version, fixing many CVE, along with 100.0.4896.75 and 100.0.4896.88

Google is aware that an exploit for CVE-2022-1364 exists in the wild.

[1315901] High CVE-2022-1364: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2022-04-13
[1311641] High CVE-2022-1232: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2022-03-30
[1285234] High CVE-2022-1305: Use after free in storage. Reported by Anonymous on 2022-01-07
[1299287] High CVE-2022-1306: Inappropriate implementation in compositing. Reported by Sven Dysthe on 2022-02-21
[1301873] High CVE-2022-1307: Inappropriate implementation in full screen. Reported by Irvan Kurniawan (sourc7) on 2022-03-01
[1283050] High CVE-2022-1308: Use after free in BFCache. Reported by Samet Bekmezci @sametbekmezci on 2021-12-28
[1106456] High CVE-2022-1309: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-07-17
[1307610] High CVE-2022-1310: Use after free in regular expressions. Reported by Brendon Tiszka on 2022-03-18
[1310717] High CVE-2022-1311: Use after free in Chrome OS shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-03-28
[1311701] High CVE-2022-1312: Use after free in storage. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2022-03-30
[1270539] Medium CVE-2022-1313: Use after free in tab groups. Reported by Thomas Orlita on 2021-11-16
[1304658] Medium CVE-2022-1314: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-03-09
[1315276] Various fixes from internal audits, fuzzing and other initiatives
[1316420] Various fixes from internal audits, fuzzing and other initiatives

References
https://bugs.mageia.org/show_bug.cgi?id=30276
https://bugs.mageia.org/show_bug.cgi?id=30259
https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_14.html
https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html
https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop.html

SRPMS
8/core
chromium-browser-stable-100.0.4896.127-1.mga8

PROVIDED PACKAGES
=================
x86_64
chromium-browser-100.0.4896.127-1.mga8.x86_64.rpm
chromium-browser-stable-100.0.4896.127-1.mga8.x86_64.rpm
i586
chromium-browser-100.0.4896.127-1.mga8.i586.rpm
chromium-browser-stable-100.0.4896.127-1.mga8.i586.rpm
Assignee: chb0 => qa-bugs
CC: (none) => sysadmin-bugs
Installation and tests (youtube, browsing...) on MGA8 x64 LXQt in a VM: no issue. I have also been using an ungoogled version (same spec base) for a few days on my desktop computer, MGA8 x64 Plasma: no issue (jitsi, streaming, bank, browsing...)
OK here in my normal tests; video sites, banking... mga8-64, old intel i7, plasma, nvidia-current, swedish
CC: (none) => fri
MGA8-64, Gnome, laptop

The following 2 packages are going to be installed:
- chromium-browser-100.0.4896.127-1.mga8.x86_64
- chromium-browser-stable-100.0.4896.127-1.mga8.x86_64

-- testing
Working as I expected.
CC: (none) => brtians1
There's a problem with the hdlist for the i586 repos. The update works if downloaded from a mirror, but urpmi will not find it. I'd like to ensure that's fixed before validating. I'd also like to see some testing by a native non-English speaker.
(In reply to Dave Hodgins from comment #11)
> I'd also like to see some testing by a native non-English speaker.

As you wish :)

MGA8-64, Plasma; Laptop, i7, Intel HD400
- chromium-browser-100.0.4896.127-1.mga8.x86_64
- chromium-browser-stable-100.0.4896.127-1.mga8.x86_64

Browser works as expected. No regression noticed. Video and sound work. Different logins work....

MGA8-64 Plasma OK
(In reply to Dave Hodgins from comment #11)
> There's a problem with the hdlist for the i586 repos. The update works if
> downloaded from a mirror, but urpmi will not find it. I'd like to ensure
> that's
> fixed before validating.

Are you sure you have an up-to-date mirror? I see it in both synthesis and hdlist on primary mirror...
I switched from kernel.org to princeton.edu, to check. The new build is there. Switched back to princeton, and it's there. I did run urpmi.update -a and check before switching, and it wasn't showing up. I have no explanation as to why it wasn't showing up. Removing the repos and re-adding them fixed the issue, whatever was causing it. I don't like problems where I don't understand what could have caused it. Tested ok on both i586 and x86_64. Validating the update.
Whiteboard: (none) => MGA8-64-OK MGA8-32-OK
Keywords: (none) => validated_update
MGA 64 XFCE French version: No issues after installation:
- Bank site ok
- NetFlix ok
- Spotify web app ok
Keywords: validated_update => (none)
Whiteboard: MGA8-64-OK MGA8-32-OK => (none)
CC: (none) => guillaume.royer
Validating again. Advisory committed to svn.
Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA8-64-OK MGA8-32-OK
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0146.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED