Debian version of Chromium reported to be exploited in the wild.
Patch Google Chrome with the latest updates – if you don’t, you’re vulnerable to a zero-day that is actively being exploited, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.
Criminals are targeting users of Chrome with outdated installations, CISA said in an advisory note urging folk to update their browsers immediately.
“Google has released Chrome version 86.0.4240.183 for Windows, Mac, and Linux addressing multiple vulnerabilities, including vulnerability CVE-2020-16009. Exploit code for this vulnerability exists in the wild,” said the agency in a statement.
Debian affected by CVE-2020-16009 at time of writing, see:
Might be an option. Last resort. Not nice to have two updating systems. Already confusing in Whonix to have upgrades from Debian and separately for Tor Browser.
I guess not sustainable due to dependency hell (FrankenDebian).
Their infrastructure was hacked and had a link to backdoored versions. While that won’t affect end-to-end signed packages, it doesn’t inspire confidence. Also, they do not have a security team, nor do they assign CVEs to affected software like Debian does. They also don’t have the resources to implement reproducibly built packages like Debian does, so any Mint-specific packages will be a risk in the future.
They used to have a FrankenDebian thing going on, but it changed in recent versions. However, they are way behind on releasing versions that track Debian stable. For example, LMDE 4 was only just released a few months ago this year. Depending on anything from LMDE means running something compatible with old-stable for a very long time, which might introduce dependency hell.
They do little oversight of package safety/maintenance. A hidden cryptocurrency miner was slipped through in uploads. Major apps lacked updates for a long time. Server components of the snap packaging system remain closed, which gives Canonical control over the tech. Avoiding the support and proliferation of their lock-in format is a good move IMO.
Also Ubuntu anything has the tendency to be half baked abandonware once Canonical grows bored with it after they fail to monetize it.
Previous version: 83.0.4103.116-3.1
Current version: (not in testing)
Hint: https://release.debian.org/britney/hints/elbrus
# 20201212
Bug #973848: chromium: Unsupported version, many security bugs unfixed
Bug #960454: chromium: Make Chromium ask before downloading and enabling DRM
Bug #972134: chromium: please, consider moving the package to team-maintainance to properly maintain it
Bug #977103: chromium: FTBFS on armhf: error: write to reserved register ‘R7’
Bug #976292: design-desktop-web: drop chromium as Depends
Migration status for chromium (- to 83.0.4103.116-3.1): BLOCKED: Rejected/violates migration policy/introduces a regression
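The thread's core complaint is a version gap: CISA names 86.0.4240.183 as the release that fixes CVE-2020-16009, while the Debian package shown above sits at 83.0.4103.116-3.1. The script below is an added example, not code from the thread or from Debian, that checks an installed Debian package version against a fixed upstream version using Debian's own version-ordering rules (epoch, then upstream, then revision, with `~` sorting before everything else). The Debian version strings in the comments and in the constructed sample are taken from this thread; the helper names and the `FIXED_UPSTREAM` constant are this example's own.

```python
"""Check whether an installed Debian package version is older than a fix.

Added example: implements the dpkg version comparison algorithm in pure
Python so the check runs offline. Only the optional `main()` shells out
to dpkg-query on a real Debian system.
"""
import subprocess

# Fixed upstream version for CVE-2020-16009, as quoted from CISA in the thread.
FIXED_UPSTREAM = "86.0.4240.183"


def _isdigit(c: str) -> bool:
    return "0" <= c <= "9"


def _order(c: str) -> int:
    """Weight of a non-digit character in dpkg ordering ('' and digits are 0)."""
    if c == "" or _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1  # tilde sorts before everything, even the end of the string
    return ord(c) + 256  # other punctuation sorts after letters


def _cmp_fragment(a: str, b: str) -> int:
    """Compare one version fragment (upstream or revision) like dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit runs are compared character by character with _order().
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit runs are compared numerically: strip leading zeros, then
        # the longer run wins, otherwise the first differing digit decides.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v: str):
    """Split 'epoch:upstream-revision' into its three parts."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:  # no Debian revision at all, e.g. a bare upstream version
        upstream, revision = revision, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b in Debian version order."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = _cmp_fragment(ua, ub)
    if c:
        return (c > 0) - (c < 0)
    c = _cmp_fragment(ra, rb)
    return (c > 0) - (c < 0)


def is_below_fix(installed: str, fixed: str = FIXED_UPSTREAM) -> bool:
    """True when the installed version predates the fixed upstream release."""
    return compare_versions(installed, fixed) < 0


def main() -> None:
    # Sample value constructed from the thread: Debian's package at the time.
    sample = "83.0.4103.116-3.1"
    print(f"{sample} below {FIXED_UPSTREAM}: {is_below_fix(sample)}")
    try:
        out = subprocess.run(
            ["dpkg-query", "-W", "-f=${Version}", "chromium"],
            capture_output=True, text=True, check=True,
        ).stdout.strip()
        print(f"installed chromium {out} below fix: {is_below_fix(out)}")
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("dpkg-query unavailable or chromium not installed; skipped live check")


if __name__ == "__main__":
    main()
```

The comparison deliberately ignores the Debian revision when judging the fix: a `-3.1` revision on an 83.x upstream is still older than a bare `86.0.4240.183`, which is exactly the situation the migration status above describes. Note that Debian sometimes backports fixes without bumping the upstream version, so a version comparison alone can give a false positive; the package changelog or the security tracker is the authoritative source.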
It’s good that they pushed the sid version to buster, but this doesn’t mean this issue won’t happen in the future, and this isn’t a permanent guaranteed solution that we can rely on. (The package is still being removed in the next Debian version, bullseye.)
The question remains how long Debian will take to upgrade chromium 87 to 8x, or whether it will ever move or upgrade from this version to another one.