Why is a critical security patch in chromium/F29 still open after two weeks time?

asked 2019-03-15 02:51:04 -0500 by inbx

updated 2019-03-18 11:02:09 -0500 by hhlp

Maybe I am doing it wrong, but I am running a daily-updated F29 and still have the old, vulnerable chromium package (Version 71.0.3578.98 (Developer Build) Fedora Project (64-bit)).

Google warned (3/1/2019) users to upgrade ASAP because this vulnerability (CVE-2019-5786) is actively exploited in the wild.

Google released a patched version of Chrome on March 1st. On checking Chromium I am not sure when the supposedly fixed version (72.0.3626.121) was published there, but I do know that Ubuntu says it fixed the vulnerability in all relevant versions on 3/5/2019 (https://people.canonical.com/~ubuntu-...).

My trust in Fedora as a secure distro is diminished if either there are not enough resources to fix such a high-profile vuln in a timely manner (it's been 2 weeks since publishing and counting) or there is no policy in place for how to handle a situation like that.

Relevant package info: https://apps.fedoraproject.org/packag... The package maintainer seems to be working on 72/73, but that does not translate into a secure package on F29.

As I said, maybe I am missing something here, please enlighten me!


Comments


Unfortunately only RHEL got an update on the 11th (Monday); there's no newer build for Fedora than chromium-71.0.3578.98-5: https://koji.fedoraproject.org/koji/p...

Here's the relevant bug report that you can subscribe to and use to get the maintainer's attention: https://bugzilla.redhat.com/show_bug....

ozeszty (2019-03-15 04:25:42 -0500)

Meta: This is interesting. After posting I got an email that my post was rejected: "Your post was rejected. Your post (copied in the end), was rejected for the following reason: Post Duplicated other post in this forum"

inbx (2019-03-15 05:44:12 -0500)

2 Answers


answered 2019-03-19 11:25:08 -0500 by inbx

Just to wrap this up: the comments I got on StackExchange and here point to the same problem. Due to the design of Fedora (remember: "first") there are many, only loosely managed packages in the distro. Besides this loose management there seems to be no further security oversight which might help/support in such a case and make sure a fix is out in just a few days. So beware: with Fedora you really have to stay on top of your vulns and fix/patch them yourself. We are approaching three weeks now since Google published the vuln, and the fixed version is still not available in F29. Do not use Chrome/Chromium until the package is updated to at least 72.0.3626.121. The package maintainer is working on Chromium 73, but this may still be some time out.

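The answer above boils down to one actionable rule: do not run a Chromium/Chrome package whose version is below 72.0.3626.121. The script below is an added example (not code from the thread or from the Fedora chromium package) that turns that rule into a check. It compares dotted version strings component by component in plain POSIX sh, tolerates an rpm "version-release" string such as 71.0.3578.98-5, and queries the installed package with `rpm -q --qf '%{VERSION}' chromium` when rpm is available; when it is not, it falls back to a constructed sample equal to the version the question reports. The fixed version constant is taken from the thread; the function names and the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread: check whether an installed
# Chromium version is at or above 72.0.3626.121, the first release the thread
# names as carrying the CVE-2019-5786 fix.

FIXED_CHROMIUM_VERSION="72.0.3626.121"

# version_ge A B -> exit status 0 if dotted version A >= B, 1 otherwise.
# Components are compared numerically left to right; a missing trailing
# component counts as 0, so 72.0.3626 is treated as 72.0.3626.0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; bc="${b%%.*}"          # leading component of each
        [ "$ac" = "$a" ] && a="" || a="${a#*.}"  # consume it (last one empties a)
        [ "$bc" = "$b" ] && b="" || b="${b#*.}"
        ac="${ac:-0}"; bc="${bc:-0}"
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
    done
    return 0    # all components equal
}

# chromium_fixed VERSION -> 0 if VERSION (optionally "version-release" as
# printed by rpm -q) is at or above FIXED_CHROMIUM_VERSION.
chromium_fixed() {
    v="${1%%-*}"                              # drop the rpm release suffix
    version_ge "$v" "$FIXED_CHROMIUM_VERSION"
}

# report VERSION -> prints a one-line verdict for VERSION.
report() {
    if chromium_fixed "$1"; then
        echo "$1: at or above $FIXED_CHROMIUM_VERSION (carries the CVE-2019-5786 fix)"
    else
        echo "$1: below $FIXED_CHROMIUM_VERSION (still vulnerable)"
    fi
}

# Constructed sample (assumption): the version the question reports on F29.
SAMPLE_INSTALLED="71.0.3578.98"

# Live check when an rpm-based system has chromium installed; otherwise
# demonstrate on the constructed sample so the script runs anywhere.
if command -v rpm >/dev/null 2>&1 && rpm -q chromium >/dev/null 2>&1; then
    report "$(rpm -q --qf '%{VERSION}' chromium)"
else
    report "$SAMPLE_INSTALLED"
fi
```

A version comparison only tells you whether the package carries the upstream fixed release. Distributions sometimes backport a fix without bumping the version (ozeszty's comment notes that RHEL shipped an update while Fedora did not), so the complementary check is the package changelog: `rpm -q --changelog chromium | grep CVE-2019-5786` will show whether the maintainer recorded the fix even if the version number did not move.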

answered 2019-03-19 20:28:12 -0500 by stonedrebel

I see this problem with Chromium very often on different Linux distributions. Some do it better, others worse. It is sometimes difficult to apply all relevant security patches; Chromium somehow always lags a bit behind. I won't even mention some of the WebKit browsers in the repos.

I use Firefox myself, but I know that if you really want all the new stuff/recent fixes and trust Google, you can just install Google's proprietary version and you will get the newest upstream release. It is not ideal, but I'd rather run a secure version of the browser than one with security holes.
