Why is a critical security patch in chromium/F29 still open after two weeks time? [closed]

I am running a daily updated F29 and still have the old, vulnerable chromium package (Version 71.0.3578.98 (Developer Build) Fedora Project (64-bit)).
Google warned (3/1/2019) to upgrade ASAP because this vulnerability (CVE-2019-5786) is actively exploited in the wild.
Google released a patched version of Chrome on March 1st. On checking Chromium, I am not sure when the supposedly fixed version was published there (72.0.3626.121), but I do know that Ubuntu says it fixed the vulnerability in all relevant versions on 3/5/2019 (https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5786.html).
My trust in Fedora as a secure distro is diminished if there either are not enough resources to fix such a high-profile vuln in a timely manner (it's been 2 weeks since publishing and counting) or there is no policy in place for how to handle a situation like that.
Relevant package info: https://apps.fedoraproject.org/packages/chromium
The package maintainers seem to work on 72/73, but that does not translate into a secure package on F29.
fedora security chromium-browser
closed as primarily opinion-based by Rui F Ribeiro, Jeff Schaller♦, GAD3R, Mr Shunz, X Tian Mar 18 at 9:44
Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise. If this question can be reworded to fit the rules in the help center, please edit the question.
1
Looks like an oversight. I see Chromium 73 is currently being built in koji, so there should be updates out soon. In any case it's better to open a bugzilla report or contact the maintainer directly.
– Michael Hampton
Mar 15 at 16:44
The question is "put on hold" - Just to finish this: It seems this is an inherent problem in Fedora. Due to its many fresh packages, these are only loosely maintained. There seems to be no extra security process that makes sure that high-profile vulnerabilities are fixed within days. The beforementioned vuln is still open, approaching 3 weeks.
– Tom
Mar 19 at 16:16
asked Mar 15 at 8:56 by Tom (edited Mar 15 at 10:39)