Google is aware that an exploit for CVE-2024-5274 exists in the wild.

New upstream release:
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html

I will push it as soon as the robot has pushed 125.0.6422.76
Depends on: (none) => 33231
CVE: (none) => CVE-2024-5274
CC: (none) => andrewsfarm, brtians1, fri
Hardware: All => x86_64
ADVISORY NOTICE PROPOSAL
========================

New chromium-browser-stable 125.0.6422.112 security update

Description

The chromium-browser-stable package has been updated to the 125.0.6422.112 release. It includes 1 security fix.

* High CVE-2024-5274: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group and Brendon Tiszka of Chrome Security on 2024-05-20

Google is aware that an exploit for CVE-2024-5274 exists in the wild.

Please, do note, only x86_64 is supported from now on. i586 support for linux was stopped some years ago and the community is not able to provide patches anymore for the latest Chromium code.

References

https://bugs.mageia.org/show_bug.cgi?id=33240
https://chromereleases.googleblog.com/2024/05/stable-channel-update-for-desktop_23.html

SRPMS

9/tainted
chromium-browser-stable-125.0.6422.112-1.mga9.tainted.src.rpm

PROVIDED PACKAGES
=================

x86_64
chromium-browser-125.0.6422.112-1.mga9.tainted.x86_64.rpm
chromium-browser-stable-125.0.6422.112-1.mga9.tainted.x86_64.rpm
Ready for QA!
Assignee: chb0 => qa-bugs
MGA9-64 Plasma on an HP Pavilion. No installation issues. A quick check of several sites shows no issues with any of them. I don't do banking on this laptop, so I don't know (yet) if that is OK, but I don't anticipate any problems there, either.
MGA9-64 LXQt on an Asus Zenbook. No installation issues. Opened site using connection with a smartcard. No problem. OK for me. At second launch, got a message: "Google API keys are lacking. Some features will be disabled". I didn't pay attention at first launch to remember if the message was present. Explanations are linked to https://www.chromium.org/developers/how-tos/api-keys/
CC: (none) => yvesbrungard
I got that message on my first launch, too. I simply closed it, the way I close messages from Firefox asking if I want to "renew" it.
(In reply to papoteur from comment #4)
> At second launch, got a message: "Google API keys are lacking. Some features
> will be disabled". I didn't pay attention at first launch to remember if the
> message was present. Explanations are linked to
> https://www.chromium.org/developers/how-tos/api-keys/

First time I see this. I have been using the same google_api_key we have been having before I took over the maintenance of Chromium.

However, I am not setting

    google_default_client_id = "your_client_id"
    google_default_client_secret = "your_client_secret"

as explained by papoteur's link, as it has never been in the spec file and I don't know who has requested this key for MGA.

Could you elaborate in which circumstance you get this message, to try to replicate it?
Created attachment 14550
Message in a banner

I just opened chromium, then the message appears in a banner.
I've installed this update on two machines. I get the same API message, but Chromium seems to be working fine in the Google domain of tools.

video fine
mail fine
my typical websites all working as expected.
RH mageia Plasma Wayland

Set Ozone platform to wayland

Facebook OK
Youtube OK
Mageia Sites OK

I confirm the API warning, as I have not seen this before. Perhaps we need to renew our API key?
Updated on my production install. Banner is there when it first starts up with Google as the home page, but when I use a bookmark to go to another page it goes away. No issues elsewhere - banking is OK. Using it now. Since Google says this CVE is being exploited in the wild, and the banner doesn't seem to do any harm, I'm thinking we should send this update on and let Christian investigate and address the banner issue in the next update. Any objections?
(In reply to Thomas Andrews from comment #10)
> Updated on my production install. Banner is there when it first starts up
> with Google as the home page, but when I use a bookmark to go to another
> page it goes away. No issues elsewhere - banking is OK. Using it now.
>
> Since Google says this CVE is being exploited in the wild, and the banner
> doesn't seem to do any harm, I'm thinking we should send this update on and
> let Christian investigate and address the banner issue in the next update.
>
> Any objections?

Not for me, we can fix the API key in another release.
Keywords: (none) => advisory
(In reply to katnatek from comment #11)
> (In reply to Thomas Andrews from comment #10)
> > Updated on my production install. Banner is there when it first starts up
> > with Google as the home page, but when I use a bookmark to go to another
> > page it goes away. No issues elsewhere - banking is OK. Using it now.
> >
> > Since Google says this CVE is being exploited in the wild, and the banner
> > doesn't seem to do any harm, I'm thinking we should send this update on and
> > let Christian investigate and address the banner issue in the next update.
> >
> > Any objections?
>
> Not for me we can fix the api key in other release

Agree. I have an idea for the warning but I need to test it first.
Validating.
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0196.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Good here too, same tests and results as earlier versions on two systems. Getting tired of the release frequency, but what can we do...