Linux Security

    Fedora 33: chromium 2021-48866282e5

    Date 23 Jan 2021
    Posted By LinuxSecurity Advisories
    --------------------------------------------------------------------------------
    Fedora Update Notification
    FEDORA-2021-48866282e5
    2021-01-24 01:24:57.579690
    --------------------------------------------------------------------------------
    
    Name        : chromium
    Product     : Fedora 33
    Version     : 88.0.4324.96
    Release     : 1.fc33
    URL         : https://www.chromium.org/Home
    Summary     : A WebKit (Blink) powered web browser
    Description :
    Chromium is an open-source web browser, powered by WebKit (Blink).
    
    --------------------------------------------------------------------------------
    Update Information:
    
    This is probably not the update you want.  Let me be clear, it does fix the
    security vulnerabilities in this list:  CVE-2020-16044 CVE-2021-21118
    CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123
    CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21129
    CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134
    CVE-2021-21135 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139
    CVE-2021-21140 CVE-2021-21141 CVE-2021-21117 CVE-2021-21128  But it will not
    behave like Google Chrome does.  Google has announced that it is cutting off
    access to the Sync and "other Google Exclusive" APIs from all builds except
    Google Chrome. This will make the Fedora Chromium build significantly less
    functional (along with every other distro packaged Chromium). It is noteworthy
    that Google _gave_ the builders of distribution Chromium packages these access
    rights back in 2013 via API keys, specifically so that we could have open source
    builds of Chromium with (near) feature parity to Chrome. And now they're taking
    it away. The reasoning given for this change? Google does not want users to be
    able to "access their personal Chrome Sync data (such as bookmarks) ... with a
    non-Google, Chromium-based browser." They're not closing a security hole,
    they're just requiring that everyone use Chrome.  Or to put it bluntly, they do
    not want you to access their Google API functionality without using proprietary
    software (Google Chrome). There is no good reason for Google to do this, other
    than to force people to use Chrome.  I gave a lot of thought to whether I wanted
    to continue to maintain the Chromium package in Fedora, given that many (most?)
    users will be confused/annoyed when API functionality like sync and geolocation
    stops working for no good reason. Ultimately, I decided to continue for now,
    because there were at least some users who didn't mind, and if I stopped,
    someone else would start over and run blindly into this problem.  I would say
    that you might want to reconsider whether you want to use Chromium or not. If
    you want the full "Google" experience, you can run the proprietary Chrome. If
    you want to use a FOSS browser that isn't hobbled, there is a Firefox package in
    Fedora.  Oh, last, but not least, Google isn't shutting off the API access until
    March 15, 2021, but I have gone ahead and disabled it starting with this update.
    I'd rather you read about it here (even though most users will never see this)
    than have it just happen.
    --------------------------------------------------------------------------------
    ChangeLog:
    
    * Wed Jan 20 2021 Tom Callaway  - 88.0.4324.96-1
    - 88 goes from beta to stable
    - disable use of api keys (Google shut off API access)
    --------------------------------------------------------------------------------
    References:
    
      [ 1 ] Bug #1918218 - CVE-2021-21118 chromium-browser: Insufficient data validation in V8
            https://bugzilla.redhat.com/show_bug.cgi?id=1918218
      [ 2 ] Bug #1918219 - CVE-2021-21119 chromium-browser: Use after free in Media
            https://bugzilla.redhat.com/show_bug.cgi?id=1918219
      [ 3 ] Bug #1918220 - CVE-2021-21120 chromium-browser: Use after free in WebSQL
            https://bugzilla.redhat.com/show_bug.cgi?id=1918220
      [ 4 ] Bug #1918222 - CVE-2021-21121 chromium-browser: Use after free in Omnibox
            https://bugzilla.redhat.com/show_bug.cgi?id=1918222
      [ 5 ] Bug #1918223 - CVE-2021-21122 chromium-browser: Use after free in Blink
            https://bugzilla.redhat.com/show_bug.cgi?id=1918223
      [ 6 ] Bug #1918224 - CVE-2021-21123 chromium-browser: Insufficient data validation in File System API
            https://bugzilla.redhat.com/show_bug.cgi?id=1918224
      [ 7 ] Bug #1918225 - CVE-2021-21124 chromium-browser: Potential use after free in Speech Recognizer
            https://bugzilla.redhat.com/show_bug.cgi?id=1918225
      [ 8 ] Bug #1918226 - CVE-2021-21125 chromium-browser: Insufficient policy enforcement in File System API
            https://bugzilla.redhat.com/show_bug.cgi?id=1918226
      [ 9 ] Bug #1918227 - CVE-2021-21126 chromium-browser: Insufficient policy enforcement in extensions
            https://bugzilla.redhat.com/show_bug.cgi?id=1918227
      [ 10 ] Bug #1918228 - CVE-2021-21127 chromium-browser: Insufficient policy enforcement in extensions
            https://bugzilla.redhat.com/show_bug.cgi?id=1918228
      [ 11 ] Bug #1918229 - CVE-2021-21129 chromium-browser: Insufficient policy enforcement in File System API
            https://bugzilla.redhat.com/show_bug.cgi?id=1918229
      [ 12 ] Bug #1918230 - CVE-2021-21130 chromium-browser: Insufficient policy enforcement in File System API
            https://bugzilla.redhat.com/show_bug.cgi?id=1918230
      [ 13 ] Bug #1918231 - CVE-2021-21131 chromium-browser: Insufficient policy enforcement in File System API
            https://bugzilla.redhat.com/show_bug.cgi?id=1918231
      [ 14 ] Bug #1918232 - CVE-2021-21132 chromium-browser: Inappropriate implementation in DevTools
            https://bugzilla.redhat.com/show_bug.cgi?id=1918232
      [ 15 ] Bug #1918233 - CVE-2021-21133 chromium-browser: Insufficient policy enforcement in Downloads
            https://bugzilla.redhat.com/show_bug.cgi?id=1918233
      [ 16 ] Bug #1918235 - CVE-2021-21134 chromium-browser: Incorrect security UI in Page Info
            https://bugzilla.redhat.com/show_bug.cgi?id=1918235
      [ 17 ] Bug #1918236 - CVE-2021-21135 chromium-browser: Inappropriate implementation in Performance API
            https://bugzilla.redhat.com/show_bug.cgi?id=1918236
      [ 18 ] Bug #1918237 - CVE-2021-21136 chromium-browser: Insufficient policy enforcement in WebView
            https://bugzilla.redhat.com/show_bug.cgi?id=1918237
      [ 19 ] Bug #1918238 - CVE-2021-21137 chromium-browser: Inappropriate implementation in DevTools
            https://bugzilla.redhat.com/show_bug.cgi?id=1918238
      [ 20 ] Bug #1918239 - CVE-2021-21138 chromium-browser: Use after free in DevTools
            https://bugzilla.redhat.com/show_bug.cgi?id=1918239
      [ 21 ] Bug #1918240 - CVE-2021-21139 chromium-browser: Inappropriate implementation in iframe sandbox
            https://bugzilla.redhat.com/show_bug.cgi?id=1918240
      [ 22 ] Bug #1918241 - CVE-2021-21140 chromium-browser: Uninitialized Use in USB
            https://bugzilla.redhat.com/show_bug.cgi?id=1918241
      [ 23 ] Bug #1918242 - CVE-2021-21141 chromium-browser: Insufficient policy enforcement in File System API
            https://bugzilla.redhat.com/show_bug.cgi?id=1918242
    --------------------------------------------------------------------------------
    
    This update can be installed with the "dnf" update program. Use
    su -c 'dnf upgrade --advisory FEDORA-2021-48866282e5' at the command
    line. For more information, refer to the dnf documentation available at
    https://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
    
    All packages are signed with the Fedora Project GPG key. More details on the
    GPG keys used by the Fedora Project can be found at
    https://fedoraproject.org/keys
    --------------------------------------------------------------------------------