
List:       gentoo-dev
Subject:    Re: [gentoo-dev] glsa-check: missing CVE-2020-6509 for current stable chromium version
From:       Sam James <sam () cmpct ! info>
Date:       2020-06-23 21:04:50
Message-ID: E225438E-DA62-422D-98A7-92372EB7B4CD () cmpct ! info



> On 23 Jun 2020, at 21:57, Samuel Bernardo <samuelbernardo.mail@gmail.com> wrote:
> 
> Hi,
> 
> Sorry if I missed any detail about the glsa-check context, but I think that it
> misses the CVE[1] id review I left in the subject.
> 

A GLSA (see https://security.gentoo.org/glsa) has not yet been filed for this
issue. Once the fixed version (83.0.4103.116) is stabilised, we will release
one ASAP.

> About chromium stability, what would you advise me: install the latest
> keyword-masked version or wait for the next stable version?

The new one should be stabled shortly. It's up to you if you want to
install it ahead of time or not.

> 
> The current chromium stable version also has runtime errors using
> ffmpeg-4.3. [2][3]

The new version was added in [1] and you can track the progress
of the security bug (search Bugzilla for the CVE(s)) in [2].

There is also a bug [3] for the ffmpeg issue, and the commit [1]
adds a dep on an older ffmpeg for now.

[1] https://gitweb.gentoo.org/repo/gentoo.git/commit/www-client/chromium?id=a21f83685eda6f895c0a6819172172f63395a157
[2] https://bugs.gentoo.org/729310
[3] https://bugs.gentoo.org/728624


Hope this helps.

If you ever have any queries about security matters in Gentoo, please
feel free to ask this list (or gentoo-security, but it's less active), or
on IRC in the #gentoo-security channel.

TL;DR: We're aware of it, the bug is in progress, will be stabled on amd64
shortly, and a GLSA will follow. No need to worry. :)

> 
> Thanks for your enlightenment





