Why is a critical security patch in chromium/F29 still open after two weeks' time?
Maybe I am doing it wrong but I am running a daily updated F29 and still have the old, vulnerable chromium package (Version 71.0.3578.98 (Developer Build) Fedora Project (64-bit)).
Google warned (3/1/2019) to upgrade ASAP because this vulnerability (CVE-2019-5786) is actively exploited in the wild.
Google released a patched version of Chrome on March 1st. On checking chromium I am not sure when the supposedly fixed version was published there (72.0.3626.121), but I do know that Ubuntu says it fixed the vulnerability in all relevant versions on 3/5/2019 (https://people.canonical.com/~ubuntu-...).
My trust in Fedora as a secure distro is diminished if either there are not enough resources to fix such a high-profile vuln in a timely manner (it's been 2 weeks since publishing and counting) or there is no policy in place for how to handle a situation like that.
Relevant package info: https://apps.fedoraproject.org/packag... The package maintainers seem to be working on 72/73, but that does not translate into a secure package on F29.
As I said, maybe I am missing something here, please enlighten me!
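An added example (not from this thread or from Fedora's tooling) of the check the poster is doing by hand: compare an installed chromium version against the first fixed release named above (72.0.3626.121) and flag anything older as still exposed to CVE-2019-5786. It assumes GNU `sort -V` is available; the fallback version string is a constructed sample taken from the post.

```shell
# First Chromium release named in the thread as fixing CVE-2019-5786.
FIXED_VERSION="72.0.3626.121"

# version_lt A B: true (exit 0) when A sorts strictly before B in
# dotted-numeric order (uses GNU sort -V, assumed to be present).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_chromium VERSION: prints a verdict and returns 1 when VERSION is
# older than FIXED_VERSION, 0 otherwise.
check_chromium() {
    installed="$1"
    if version_lt "$installed" "$FIXED_VERSION"; then
        echo "VULNERABLE: chromium $installed < $FIXED_VERSION (CVE-2019-5786)"
        return 1
    fi
    echo "FIXED: chromium $installed >= $FIXED_VERSION"
    return 0
}

# installed_version: read the chromium version from the local RPM database
# when rpm is present; otherwise fall back to the constructed sample value
# the poster reports (71.0.3578.98) so the script still runs elsewhere.
installed_version() {
    if command -v rpm >/dev/null 2>&1 && rpm -q chromium >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}' chromium
    else
        echo "71.0.3578.98"
    fi
}

check_chromium "$(installed_version)"
```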
Unfortunately only RHEL got an update on the 11th (Monday); there's no newer build for Fedora than chromium-71.0.3578.98-5: https://koji.fedoraproject.org/koji/p...
Here's the relevant bug report that you can subscribe to in order to get the maintainer's attention: https://bugzilla.redhat.com/show_bug....
Meta: This is interesting. After posting I got an email that my post was rejected: "Your post was rejected. Your post (copied in the end), was rejected for the following reason: Post Duplicated other post in this forum"