https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_21.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_15.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html
OK here mga9-64, Plasma, nvidia-current on GTC750, kernel 6.5.3-desktop-1.mga9 on i7-870 Updated to chromium-browser-stable-117.0.5938.92-1.mga9.tainted.x86_64 chromium-browser-1:117.0.5938.92-1.mga9.tainted.x86_64 Tabs from previous session preserved Swedish localisation Used three banking sites Used three video sites
CC: (none) => fri
Ready for QA! ADVISORY NOTICE PROPOSAL ======================== New chromium-browser-stable 117.0.5938.92 fixes bugs and vulnerabilities Description The chromium-browser-stable package has been updated to the 117.0.5938.92 release, fixing bugs and 21 vulnerabilities, together with 117.0.5938.88, 117.0.5938.62, 116.0.5845.187 and 116.0.5845.179. Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06 [$3000][1430867] Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06 Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang Ali on 2023-06-29 Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by Axel Chong on 2023-06-14 Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs. Reported by Ahmed ElMasry on 2023-05-18 Medium CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09 Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported by Hafiizh on 2023-04-29 Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2023-05-30 Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by Mohit Raj (shadow2639) on 2023-07-04 Low CVE-2023-4908: Inappropriate implementation in Picture in Picture. Reported by Axel Chong on 2023-06-06 Low CVE-2023-4909: Inappropriate implementation in Interstitials. Reported by Axel Chong on 2023-07-09 Critical CVE-2023-4863: Heap buffer overflow in WebP High CVE-2023-4761: Out of bounds memory access in FedCM. Reported by DarkNavy on 2023-08-28 High CVE-2023-4762: Type Confusion in V8. Reported by anonymous on 2023-08-16 High CVE-2023-4763: Use after free in Networks. Reported by anonymous on 2023-08-03 High CVE-2023-4764: Incorrect security UI in BFCache. Reported by Irvan Kurniawan (sourc7) on 2023-05-20 References https://bugs.mageia.org/show_bug.cgi?id=32317 https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_21.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_15.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html SRPMS 9/tainted chromium-browser-stable-117.0.5938.92-1.mga9.tainted.src.rpm PROVIDED PACKAGES ================= x86_64 chromium-browser-117.0.5938.92-1.mga9.tainted.x86_64.rpm chromium-browser-stable-117.0.5938.92-1.mga9.tainted.x86_64.rpm i586 chromium-browser-117.0.5938.92-1.mga9.tainted.i586.rpm chromium-browser-stable-117.0.5938.92-1.mga9.tainted.i586.rpm
Assignee: chb0 => qa-bugs
MGA9-64, Xfce, Intel celeron The following 3 packages are going to be installed: - chromium-browser-117.0.5938.92-1.mga9.tainted.x86_64 - chromium-browser-stable-117.0.5938.92-1.mga9.tainted.x86_64 - glibc-2.36-50.mga9.x86_64 840KB of additional disk space will be used. email video sites work
Whiteboard: (none) => MGA9-64-OKCC: (none) => brtians1
MGA9 64 GNOME Update chromium witn QA repo: chromium-browser-117.0.5938.92-1.mga9.tainted.x86_64 chromium-browser-stable-117.0.5938.92-1.mga9.tainted.x86_64 glibc-2.36-50.mga9.x86_64 No issues after installation. Bank site Ok Netflix Ok Facebook Ok Usual browsing Ok
CC: (none) => guillaume.royer
Google is aware that an exploit for CVE-2023-5217 exists in the wild. https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html Build is on-going. I do think the tests done remain valid. I recommend lighter tests for this one in order to push it quickly.
Assignee: qa-bugs => chb0Summary: Chromium-browser 117.0.5938.92 fixes bugs and vulnerabilities => Chromium-browser 117.0.5938.132 fixes bugs and vulnerabilities
Ready again for QA! I really encourage to limit the duration of the tests in order to push it as quick as possible. Updates within the same branch are usually rather stable. ADVISORY NOTICE PROPOSAL (update) ======================== New chromium-browser-stable 117.0.5938.132 fixes bugs and vulnerabilities Description The chromium-browser-stable package has been updated to the 117.0.5938.132 release, fixing bugs and 31 vulnerabilities, together with 117.0.5938.92, 117.0.5938.88, 117.0.5938.62, 116.0.5845.187 and 116.0.5845.179. Google is aware that an exploit for CVE-2023-5217 exists in the wild. High CVE-2023-5217: Heap buffer overflow in vp8 encoding in libvpx. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-09-25 High CVE-2023-5186: Use after free in Passwords. Reported by [pwn2car] on 2023-09-05 High CVE-2023-5187: Use after free in Extensions. Reported by Thomas Orlita on 2023-08-25 Critical CVE-2023-4863: Heap buffer overflow in WebP. Reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Torontoʼs Munk School on 2023-09-06 Medium CVE-2023-4900: Inappropriate implementation in Custom Tabs. Reported by Levit Nudi from Kenya on 2023-04-06 Medium CVE-2023-4901: Inappropriate implementation in Prompts. Reported by Kang Ali on 2023-06-29 Medium CVE-2023-4902: Inappropriate implementation in Input. Reported by Axel Chong on 2023-06-14 Medium CVE-2023-4903: Inappropriate implementation in Custom Mobile Tabs. Reported by Ahmed ElMasry on 2023-05-18 Medium CVE-2023-4904: Insufficient policy enforcement in Downloads. Reported by Tudor Enache @tudorhacks on 2023-06-09 Medium CVE-2023-4905: Inappropriate implementation in Prompts. Reported by Hafiizh on 2023-04-29 Low CVE-2023-4906: Insufficient policy enforcement in Autofill. Reported by Ahmed ElMasry on 2023-05-30 Low CVE-2023-4907: Inappropriate implementation in Intents. Reported by Mohit Raj (shadow2639) on 2023-07-04 Low CVE-2023-4908: Inappropriate implementation in Picture in Picture. Reported by Axel Chong on 2023-06-06 Low CVE-2023-4909: Inappropriate implementation in Interstitials. Reported by Axel Chong on 2023-07-09 Critical CVE-2023-4863: Heap buffer overflow in WebP High CVE-2023-4761: Out of bounds memory access in FedCM. Reported by DarkNavy on 2023-08-28 High CVE-2023-4762: Type Confusion in V8. Reported by anonymous on 2023-08-16 High CVE-2023-4763: Use after free in Networks. Reported by anonymous on 2023-08-03 High CVE-2023-4764: Incorrect security UI in BFCache. Reported by Irvan Kurniawan (sourc7) on 2023-05-20 References https://bugs.mageia.org/show_bug.cgi?id=32317 https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_21.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_15.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_12.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_11.html https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop.html SRPMS 9/tainted chromium-browser-stable-117.0.5938.132-1.mga9.tainted.src.rpm PROVIDED PACKAGES ================= x86_64 chromium-browser-117.0.5938.132-1.mga9.tainted.x86_64.rpm chromium-browser-stable-117.0.5938.132-1.mga9.tainted.x86_64.rpm i586 chromium-browser-117.0.5938.132-1.mga9.tainted.i586.rpm chromium-browser-stable-117.0.5938.132-1.mga9.tainted.i586.rpm
MGA9 64 GNOME Update chromium witn QA repo: chromium-browser-117.0.5938.92-1.mga9.tainted.x86_64 chromium-browser-stable-117.0.5938.92-1.mga9.tainted.x86_64 No issues after installation. Bank site Ok Netflix Ok Facebook Ok Element Matrix web client OK Usual browsing Ok
@Guillaume: there is a new version, comment 6 $ rpm -qa | grep chromium-b chromium-browser-stable-117.0.5938.132-1.mga9.tainted chromium-browser-117.0.5938.132-1.mga9.tainted OK here mga9-64, Plasma, Radeon RX6400, kernel 6.4.16-desktop-1.mga9 on i7-870 Updated to chromium-browser-stable-117.0.5938.92-1.mga9.tainted.x86_64 chromium-browser-1:117.0.5938.92-1.mga9.tainted.x86_64 Tabs from previous session preserved Swedish localisation Used two banking sites Used three video sites
Rising prio per comment 5
Priority: Normal => High
Increasing severity as well, as an exploit has been identified.
Severity: normal => critical
CC: (none) => marja11
(In reply to Morgan Leijström from comment #8) > @Guillaume: there is a new version, comment 6 > > $ rpm -qa | grep chromium-b > chromium-browser-stable-117.0.5938.132-1.mga9.tainted > chromium-browser-117.0.5938.132-1.mga9.tainted > > OK here > mga9-64, Plasma, Radeon RX6400, kernel 6.4.16-desktop-1.mga9 on i7-870 > > Updated to > chromium-browser-stable-117.0.5938.92-1.mga9.tainted.x86_64 > chromium-browser-1:117.0.5938.92-1.mga9.tainted.x86_64 > > Tabs from previous session preserved > Swedish localisation > Used two banking sites > Used three video sites Ok I make mistake and bad copied and pasted in my comment number 7. I've checked and installed version is chromium-browser-stable-117.0.5938.132 I apologies
OK I think it is enough tested then. We use not to require 32 bit test of this package. Marja, can you put the advisory in place, comment 6 ?
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
MGA9-64, Xfce, Celeron installed - No issues
(In reply to Morgan Leijström from comment #12) > OK I think it is enough tested then. > We use not to require 32 bit test of this package. > > Marja, can you put the advisory in place, comment 6 ? Yes, just uploaded
Keywords: (none) => advisory
Ouch, I accidentally pushed the old advisory, will try again and do better
Accidents happen, and this is one type that dont kill anyone We appreciate that you do all work you do with this :)
(In reply to Morgan Leijström from comment #16) > Accidents happen, and this is one type that dont kill anyone > > We appreciate that you do all work you do with this :) Thanks. Uploaded the corrected advisory, hope there isn't another mistake in it. You can help me by tagging advisories that are no longer valid, as "obsolete" I did that in this report, today, after I discovered my mistake and it really hides that comment, even when being logged in here. It is still possible to expand an obsoleted comment and read it. But, of course, you linked to the correct advisory! I just hadn't seen that because I got here via the link from the list of validated updates in madb and started looking for the advisory instead of reading the comments.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0283.html
Status: NEW => RESOLVEDResolution: (none) => FIXED