stable
FEDORA-EPEL-2021-01679b76db created by spot a year ago for Fedora EPEL 7

Update to 88.0.4324.150. Fixes:

CVE-2021-21142 CVE-2021-21143 CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147 CVE-2021-21148

Please keep in mind that this release fixes an actively exploited 0-day vulnerability.


This is probably not the update you want.

Let me be clear, it does fix the security vulnerabilities in this list:

CVE-2020-16044 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139 CVE-2021-21140 CVE-2021-21141 CVE-2021-21117 CVE-2021-21128

But it will not behave like Google Chrome does.

Google has announced that it is cutting off access to the Sync and "other Google Exclusive" APIs from all builds except Google Chrome. This will make the EPEL Chromium build significantly less functional (along with every other distro packaged Chromium). It is noteworthy that Google gave the builders of distribution Chromium packages these access rights back in 2013 via API keys, specifically so that we could have open source builds of Chromium with (near) feature parity to Chrome. And now they're taking it away. The reasoning given for this change? Google does not want users to be able to "access their personal Chrome Sync data (such as bookmarks) ... with a non-Google, Chromium-based browser." They're not closing a security hole, they're just requiring that everyone use Chrome.

Or to put it bluntly, they do not want you to access their Google API functionality without using proprietary software (Google Chrome). There is no good reason for Google to do this, other than to force people to use Chrome.

I gave a lot of thought to whether I wanted to continue to maintain the Chromium package in EPEL, given that many (most?) users will be confused/annoyed when API functionality like sync and geolocation stops working for no good reason. Ultimately, I decided to continue for now, because there were at least some users who didn't mind, and if I stopped, someone else would start over and run blindly into this problem.

I would say that you might want to reconsider whether you want to use Chromium or not. If you want the full "Google" experience, you can run the proprietary Chrome. If you want to use a FOSS browser that isn't hobbled, there is a Firefox package in whatever EL flavor you're using.

Oh, last, but not least, Google isn't shutting off the API access until March 15, 2021, but I have gone ahead and disabled it starting with this update. I'd rather you read about it here (even though most users will never see this) than have it just happen.


Update Chromium to 87.0.4280.141.

Fixes: CVE-2021-21106 CVE-2021-21107 CVE-2021-21108 CVE-2021-21109 CVE-2021-21110 CVE-2021-21111 CVE-2021-21112 CVE-2021-21113 CVE-2020-16043 CVE-2021-21114 CVE-2020-15995 CVE-2021-21115 CVE-2021-21116

This update has been submitted for testing by spot.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update's test gating status has been changed to 'waiting'.

a year ago

This update has obsoleted chromium-88.0.4324.96-1.el7, and has inherited its bugs and notes.

a year ago

spot edited this update.

a year ago

This update's test gating status has been changed to 'ignored'.

a year ago

This update has been pushed to testing.

a year ago

This update can be pushed to stable now if the maintainer wishes

a year ago

This update has been submitted for stable by bodhi.

a year ago

This update has been pushed to stable.

a year ago


Metadata
Type: security
Severity: urgent
Karma: 0
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 14 days

Dates
submitted: a year ago
in testing: a year ago
in stable: a year ago
modified: a year ago

BZ#1913624 CVE-2021-21106 chromium-browser: Use after free in autofill
BZ#1913625 CVE-2021-21107 chromium-browser: Use after free in drag and drop
BZ#1913626 CVE-2021-21108 chromium-browser: Use after free in media
BZ#1913627 CVE-2021-21109 chromium-browser: Use after free in payments
BZ#1913629 CVE-2021-21110 chromium-browser: Use after free in safe browsing
BZ#1913630 CVE-2021-21111 chromium-browser: Insufficient policy enforcement in WebUI
BZ#1913631 CVE-2021-21112 chromium-browser: Use after free in Blink
BZ#1913632 CVE-2021-21113 chromium-browser: Heap buffer overflow in Skia
BZ#1913633 CVE-2020-16043 chromium-browser: Insufficient data validation in networking
BZ#1913634 CVE-2021-21114 chromium-browser: Use after free in audio
BZ#1913635 CVE-2020-15995 chromium-browser: Out of bounds write in V8
BZ#1913636 CVE-2021-21115 chromium-browser: Use after free in safe browsing
BZ#1913637 CVE-2021-21116 chromium-browser: Heap buffer overflow in audio
BZ#1913640 CVE-2020-15995 CVE-2020-16043 CVE-2021-21106 CVE-2021-21107 CVE-2021-21108 CVE-2021-21109 CVE-2021-21110 CVE-2021-21111 CVE-2021-21112 CVE-2021-21113 CVE-2021-21114 CVE-2021-21115 CVE-2021-21116 chromium: various flaws [epel-all]
BZ#1918218 CVE-2021-21118 chromium-browser: Insufficient data validation in V8
BZ#1918219 CVE-2021-21119 chromium-browser: Use after free in Media
BZ#1918220 CVE-2021-21120 chromium-browser: Use after free in WebSQL
BZ#1918222 CVE-2021-21121 chromium-browser: Use after free in Omnibox
BZ#1918223 CVE-2021-21122 chromium-browser: Use after free in Blink
BZ#1918224 CVE-2021-21123 chromium-browser: Insufficient data validation in File System API
BZ#1918225 CVE-2021-21124 chromium-browser: Potential use after free in Speech Recognizer
BZ#1918226 CVE-2021-21125 chromium-browser: Insufficient policy enforcement in File System API
BZ#1918227 CVE-2021-21126 chromium-browser: Insufficient policy enforcement in extensions
BZ#1918228 CVE-2021-21127 chromium-browser: Insufficient policy enforcement in extensions
BZ#1918229 CVE-2021-21129 chromium-browser: Insufficient policy enforcement in File System API
BZ#1918230 CVE-2021-21130 chromium-browser: Insufficient policy enforcement in File System API
BZ#1918231 CVE-2021-21131 chromium-browser: Insufficient policy enforcement in File System API
BZ#1918232 CVE-2021-21132 chromium-browser: Inappropriate implementation in DevTools
BZ#1918233 CVE-2021-21133 chromium-browser: Insufficient policy enforcement in Downloads
BZ#1918235 CVE-2021-21134 chromium-browser: Incorrect security UI in Page Info
BZ#1918236 CVE-2021-21135 chromium-browser: Inappropriate implementation in Performance API
BZ#1918237 CVE-2021-21136 chromium-browser: Insufficient policy enforcement in WebView
BZ#1918238 CVE-2021-21137 chromium-browser: Inappropriate implementation in DevTools
BZ#1918239 CVE-2021-21138 chromium-browser: Use after free in DevTools
BZ#1918240 CVE-2021-21139 chromium-browser: Inappropriate implementation in iframe sandbox
BZ#1918241 CVE-2021-21140 chromium-browser: Uninitialized Use in USB
BZ#1918242 CVE-2021-21141 chromium-browser: Insufficient policy enforcement in File System API
BZ#1918278 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 ... chromium: various flaws [epel-all]
BZ#1924892 CVE-2021-21143 chromium-browser: Heap buffer overflow in Extensions
BZ#1924893 CVE-2021-21144 chromium-browser: Heap buffer overflow in Tab Groups
BZ#1924894 CVE-2021-21145 chromium-browser: Use after free in Fonts
BZ#1924895 CVE-2021-21146 chromium-browser: Use after free in Navigation
BZ#1924896 CVE-2021-21147 chromium-browser: Inappropriate implementation in Skia
BZ#1924898 CVE-2021-21142 CVE-2021-21143 CVE-2021-21144 CVE-2021-21145 CVE-2021-21146 CVE-2021-21147 chromium: various flaws [epel-all]
BZ#1925434 CVE-2021-21148 chromium-browser: Heap buffer overflow in V8
BZ#1925436 CVE-2021-21148 chromium: chromium-browser: Heap buffer overflow in V8 [epel-all]
