Revision history

Revision 1: initial version

Why is a critical security patch in chromium/F29 still open after two weeks' time?

Maybe I am doing it wrong, but I am running a daily updated F29 and still have the old, vulnerable chromium package (Version 71.0.3578.98 (Developer Build) Fedora Project (64-bit)).

Google warned (3/1/2019) to upgrade ASAP because this vulnerability (CVE-2019-5786) is actively exploited in the wild.

Google released a patched version of Chrome on March 1st. On checking chromium I am not sure when the supposedly fixed version (72.0.3626.121) was published there, but I do know that Ubuntu says it fixed the vulnerability in all relevant versions on 3/5/2019 (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5786.html).

My trust in Fedora as a secure distro is diminished if there either are not enough resources to fix such a high-profile vuln in a timely manner (it's been 2 weeks since publishing and counting) or there is no policy in place for how to handle a situation like that.

Relevant package info: https://apps.fedoraproject.org/packages/chromium. The package maintainers seem to work on 72/73, but that does not translate into a secure package on F29.

As I said, maybe I am missing something here, please enlighten me!

Revision 2: retagged

updated 2019-03-18 11:02:09 -0500 by hhlp
