Login
Newsletter
Werbung

Sicherheit: Mehrere Probleme in chromium
Aktuelle Meldungen Distributionen
Name: Mehrere Probleme in chromium
ID: FEDORA-2021-48866282e5
Distribution: Fedora
Plattformen: Fedora 33
Datum: So, 24. Januar 2021, 22:48
Referenzen: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21133
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21134
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21141
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21138
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21117
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21139
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21136
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21131
Applikationen: Chromium

Originalnachricht

-------------------------------------------------------------------------------
-
Fedora Update Notification
FEDORA-2021-48866282e5
2021-01-24 01:24:57.579690
-------------------------------------------------------------------------------
-

Name : chromium
Product : Fedora 33
Version : 88.0.4324.96
Release : 1.fc33
URL : http://www.chromium.org/Home
Summary : A WebKit (Blink) powered web browser
Description :
Chromium is an open-source web browser, powered by WebKit (Blink).

-------------------------------------------------------------------------------
-
Update Information:

This is probably not the update you want. Let me be clear, it does fix the
security vulnerabilities in this list: CVE-2020-16044 CVE-2021-21118
CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123
CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21129
CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134
CVE-2021-21135 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139
CVE-2021-21140 CVE-2021-21141 CVE-2021-21117 CVE-2021-21128 But it will not
behave like Google Chrome does. Google has announced that it is cutting off
access to the Sync and "other Google Exclusive" APIs from all builds
except
Google Chrome. This will make the Fedora Chromium build significantly less
functional (along with every other distro packaged Chromium). It is noteworthy
that Google _gave_ the builders of distribution Chromium packages these access
rights back in 2013 via API keys, specifically so that we could have open
source
builds of Chromium with (near) feature parity to Chrome. And now they're
taking
it away. The reasoning given for this change? Google does not want users to be
able to "access their personal Chrome Sync data (such as bookmarks) ...
with a
non-Google, Chromium-based browser." They're not closing a security
hole,
they're just requiring that everyone use Chrome. Or to put it bluntly,
they do
not want you to access their Google API functionality without using proprietary
software (Google Chrome). There is no good reason for Google to do this, other
than to force people to use Chrome. I gave a lot of thought to whether I
wanted
to continue to maintain the Chromium package in Fedora, given that many (most?)
users will be confused/annoyed when API functionality like sync and geolocation
stops working for no good reason. Ultimately, I decided to continue for now,
because there were at least some users who didn't mind, and if I stopped,
someone else would start over and run blindly into this problem. I would say
that you might want to reconsider whether you want to use Chromium or not. If
you want the full "Google" experience, you can run the proprietary
Chrome. If
you want to use a FOSS browser that isn't hobbled, there is a Firefox
package in
Fedora. Oh, last, but not least, Google isn't shutting off the API access
until
March 15, 2021, but I have gone ahead and disabled it starting with this
update.
I'd rather you read about it here (even though most users will never see
this)
than have it just happen.
-------------------------------------------------------------------------------
-
ChangeLog:

* Wed Jan 20 2021 Tom Callaway <spot@fedoraproject.org> - 88.0.4324.96-1
- 88 goes from beta to stable
- disable use of api keys (Google shut off API access)
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1918218 - CVE-2021-21118 chromium-browser: Insufficient data
validation in V8
https://bugzilla.redhat.com/show_bug.cgi?id=1918218
[ 2 ] Bug #1918219 - CVE-2021-21119 chromium-browser: Use after free in Media
https://bugzilla.redhat.com/show_bug.cgi?id=1918219
[ 3 ] Bug #1918220 - CVE-2021-21120 chromium-browser: Use after free in
WebSQL
https://bugzilla.redhat.com/show_bug.cgi?id=1918220
[ 4 ] Bug #1918222 - CVE-2021-21121 chromium-browser: Use after free in
Omnibox
https://bugzilla.redhat.com/show_bug.cgi?id=1918222
[ 5 ] Bug #1918223 - CVE-2021-21122 chromium-browser: Use after free in Blink
https://bugzilla.redhat.com/show_bug.cgi?id=1918223
[ 6 ] Bug #1918224 - CVE-2021-21123 chromium-browser: Insufficient data
validation in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918224
[ 7 ] Bug #1918225 - CVE-2021-21124 chromium-browser: Potential user after
free in Speech Recognizer
https://bugzilla.redhat.com/show_bug.cgi?id=1918225
[ 8 ] Bug #1918226 - CVE-2021-21125 chromium-browser: Insufficient policy
enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918226
[ 9 ] Bug #1918227 - CVE-2021-21126 chromium-browser: Insufficient policy
enforcement in extensions
https://bugzilla.redhat.com/show_bug.cgi?id=1918227
[ 10 ] Bug #1918228 - CVE-2021-21127 chromium-browser: Insufficient policy
enforcement in extensions
https://bugzilla.redhat.com/show_bug.cgi?id=1918228
[ 11 ] Bug #1918229 - CVE-2021-21129 chromium-browser: Insufficient policy
enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918229
[ 12 ] Bug #1918230 - CVE-2021-21130 chromium-browser: Insufficient policy
enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918230
[ 13 ] Bug #1918231 - CVE-2021-21131 chromium-browser: Insufficient policy
enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918231
[ 14 ] Bug #1918232 - CVE-2021-21132 chromium-browser: Inappropriate
implementation in DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918232
[ 15 ] Bug #1918233 - CVE-2021-21133 chromium-browser: Insufficient policy
enforcement in Downloads
https://bugzilla.redhat.com/show_bug.cgi?id=1918233
[ 16 ] Bug #1918235 - CVE-2021-21134 chromium-browser: Incorrect security UI
in Page Info
https://bugzilla.redhat.com/show_bug.cgi?id=1918235
[ 17 ] Bug #1918236 - CVE-2021-21135 chromium-browser: Inappropriate
implementation in Performance API
https://bugzilla.redhat.com/show_bug.cgi?id=1918236
[ 18 ] Bug #1918237 - CVE-2021-21136 chromium-browser: Insufficient policy
enforcement in WebView
https://bugzilla.redhat.com/show_bug.cgi?id=1918237
[ 19 ] Bug #1918238 - CVE-2021-21137 chromium-browser: Inappropriate
implementation in DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918238
[ 20 ] Bug #1918239 - CVE-2021-21138 chromium-browser: Use after free in
DevTools
https://bugzilla.redhat.com/show_bug.cgi?id=1918239
[ 21 ] Bug #1918240 - CVE-2021-21139 chromium-browser: Inappropriate
implementation in iframe sandbox
https://bugzilla.redhat.com/show_bug.cgi?id=1918240
[ 22 ] Bug #1918241 - CVE-2021-21140 chromium-browser: Uninitialized Use in
USB
https://bugzilla.redhat.com/show_bug.cgi?id=1918241
[ 23 ] Bug #1918242 - CVE-2021-21141 chromium-browser: Insufficient policy
enforcement in File System API
https://bugzilla.redhat.com/show_bug.cgi?id=1918242
-------------------------------------------------------------------------------
-

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2021-48866282e5' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org
Pro-Linux
Pro-Linux @Facebook
Neue Nachrichten
Werbung