Bug 33609 - chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-960[23], CVE-2024-995[4-9], CVE-2024-996[0-6], CVE-2024-10229, CVE-2024-1023[01], CVE-2024-1048[78], CVE-2024-1082[67],CVE-2024-1111(0-7),CVE-2024-11395
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: All Packagers
QA Contact: Sec team
URL:
Whiteboard: MGA9TOO
Keywords: FOR_RELEASENOTES10, IN_ERRATA9
Depends on:
Blocks:
 
Reported: 2024-10-04 16:24 CEST by Nicolas Salguero
Modified: 2024-11-24 21:09 CET

See Also:
Source RPM: chromium-browser-stable-126.0.6478.182-1.mga10.tainted.src.rpm, chromium-browser-stable-128.0.6613.137-1.mga9.tainted.src.rpm
CVE: CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-9602, CVE-2024-9603, CVE-2024-9954, CVE-2024-9955, CVE-2024-9956, CVE-2024-9957, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9961, CVE-2024-9962, CVE-2024-9963, CVE-2024-9964, CVE-2024-9965, CVE-2024-9966,
Status comment: Fixed upstream in 131.0.6778.85


Description Nicolas Salguero 2024-10-04 16:24:58 CEST
Upstream has issued an advisory on October 1:
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop.html
Nicolas Salguero 2024-10-04 16:26:08 CEST

CVE: (none) => CVE-2024-7025, CVE-2024-9369, CVE-2024-9370
Status comment: (none) => Fixed upstream in 129.0.6668.89
Source RPM: (none) => chromium-browser-stable-126.0.6478.182-1.mga10.tainted.src.rpm, chromium-browser-stable-128.0.6613.137-1.mga9.tainted.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2024-10-04 21:07:59 CEST
This would have gone to squidf, but he has left; so open to all comers.
This is what matters; "Fixed upstream in 129.0.6668.89".

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-10-11 09:32:53 CEST
Upstream has issued an advisory on October 8:
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_8.html

CVE: CVE-2024-7025, CVE-2024-9369, CVE-2024-9370 => CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-9602, CVE-2024-9603
Summary: chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369 and CVE-2024-9370 => chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-9602 and CVE-2024-9603
Status comment: Fixed upstream in 129.0.6668.89 => Fixed upstream in 129.0.6668.100

Comment 3 Nicolas Salguero 2024-10-23 10:37:53 CEST
Upstream has issued an advisory on October 15:
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_15.html

Upstream has issued an advisory on October 22:
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_22.html

Status comment: Fixed upstream in 129.0.6668.100 => Fixed upstream in 130.0.6723.69
CVE: CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-9602, CVE-2024-9603 => CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-9602, CVE-2024-9603, CVE-2024-9954, CVE-2024-9955, CVE-2024-9956, CVE-2024-9957, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9961, CVE-2024-9962, CVE-2024-9963, CVE-2024-9964, CVE-2024-9965, CVE-2024-9966
Summary: chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-9602 and CVE-2024-9603 => chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-960[23], CVE-2024-995[4-9], CVE-2024-996[0-6], CVE-2024-10229, CVE-2024-1023[01]

Comment 4 Nicolas Salguero 2024-11-05 10:20:15 CET
Upstream has issued an advisory on October 29:
https://chromereleases.googleblog.com/2024/10/stable-channel-update-for-desktop_29.html

Summary: chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-960[23], CVE-2024-995[4-9], CVE-2024-996[0-6], CVE-2024-10229, CVE-2024-1023[01] => chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-960[23], CVE-2024-995[4-9], CVE-2024-996[0-6], CVE-2024-10229, CVE-2024-1023[01], CVE-2024-1048[78]
Status comment: Fixed upstream in 130.0.6723.69 => Fixed upstream in 130.0.6723.91
Severity: major => critical

Comment 5 Nicolas Salguero 2024-11-07 11:17:49 CET
Upstream has issued an advisory on November 5:
https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop.html

Status comment: Fixed upstream in 130.0.6723.91 => Fixed upstream in 130.0.6723.116
Summary: chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-960[23], CVE-2024-995[4-9], CVE-2024-996[0-6], CVE-2024-10229, CVE-2024-1023[01], CVE-2024-1048[78] => chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-960[23], CVE-2024-995[4-9], CVE-2024-996[0-6], CVE-2024-10229, CVE-2024-1023[01], CVE-2024-1048[78], CVE-2024-1082[67]

Comment 6 sturmvogel 2024-11-24 10:53:42 CET
Upstream has issued an advisory on November 12:
https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_12.html

CVE: CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-9602, CVE-2024-9603, CVE-2024-9954, CVE-2024-9955, CVE-2024-9956, CVE-2024-9957, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9961, CVE-2024-9962, CVE-2024-9963, CVE-2024-9964, CVE-2024-9965, CVE-2024-9966 => CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-9602, CVE-2024-9603, CVE-2024-9954, CVE-2024-9955, CVE-2024-9956, CVE-2024-9957, CVE-2024-9958, CVE-2024-9959, CVE-2024-9960, CVE-2024-9961, CVE-2024-9962, CVE-2024-9963, CVE-2024-9964, CVE-2024-9965, CVE-2024-9966,
Summary: chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-960[23], CVE-2024-995[4-9], CVE-2024-996[0-6], CVE-2024-10229, CVE-2024-1023[01], CVE-2024-1048[78], CVE-2024-1082[67] => chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-960[23], CVE-2024-995[4-9], CVE-2024-996[0-6], CVE-2024-10229, CVE-2024-1023[01], CVE-2024-1048[78], CVE-2024-1082[67],CVE-2024-1111(0-7)

Comment 7 sturmvogel 2024-11-24 10:55:02 CET
Upstream has issued an advisory on November 19:
https://chromereleases.googleblog.com/2024/11/stable-channel-update-for-desktop_19.html

Summary: chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-960[23], CVE-2024-995[4-9], CVE-2024-996[0-6], CVE-2024-10229, CVE-2024-1023[01], CVE-2024-1048[78], CVE-2024-1082[67],CVE-2024-1111(0-7) => chromium-browser-stable new security issues CVE-2024-7025, CVE-2024-9369, CVE-2024-9370, CVE-2024-960[23], CVE-2024-995[4-9], CVE-2024-996[0-6], CVE-2024-10229, CVE-2024-1023[01], CVE-2024-1048[78], CVE-2024-1082[67],CVE-2024-1111(0-7),CVE-2024-11395
Status comment: Fixed upstream in 130.0.6723.116 => Fixed upstream in 131.0.6778.85

Comment 8 sturmvogel 2024-11-24 11:00:51 CET
Maybe it is time for Mageia to consider dropping Chromium. Inform the users that due to the lack of maintainers, Mageia is no longer able to provide a secure and up-to-date Chromium version. If the last few maintainers care about the security of their users, this should be seriously considered.

Recommend alternatives like Firefox or Chrome or the Flatpak Chromium.

Comment 9 Morgan Leijström 2024-11-24 13:37:19 CET
If we drop this, note in errata 9 and rel notes 10.

CC: (none) => fri

Comment 10 David Walser 2024-11-24 15:37:17 CET
Agreed.
Morgan Leijström 2024-11-24 15:39:10 CET

Keywords: (none) => FOR_ERRATA9, FOR_RELEASENOTES10

Comment 11 Morgan Leijström 2024-11-24 21:09:09 CET
https://wiki.mageia.org/en/Mageia_9_Errata#Chromium_browser

Keywords: FOR_ERRATA9 => IN_ERRATA9

