Earlier this week I already provided a Chromium update in my Slackware repository. That update addressed a critical security issue in the media playback plugin whereby an attacker was able to take over your computer remotely, simply by letting you load an infected page.
But then another critical vulnerability was discovered and two days ago a new Chromium source was released to take care of this security hole in the User Interface code. The new version of Chromium is 77.0.3865.90 and of the four mentioned vulnerabilities on the website, one is a remote-takeover issue.
There was a new Chromium source release last week, but there were other software releases that had priority to get packages out the door. Therefore I could only build chromium packages this weekend.
Chromium 76.0.3809.132 fixes 3 security holes. Note that the version before that (76.0.3809.100) also fixed 4 critical holes but I never packaged that as I went on holiday. So, upgrading now would be a good idea.
New Chromium browser for you!
The release earlier this week of Chromium 76 came with a total of 43 security fixes but this new major version of course also sports some real usability changes.
Most notably: Flash is now disabled by default. It’s no longer sufficient to click an “allow Flash on this page” popup but you need to go into the Chromium settings and override the default. And click on the Flash element to make it start playing. Even then, the changes you make will not survive the restart of the browser. Google is apparently stepping up its efforts in convincing website developers to switch to HTML5 instead. In 2020 Adobe will stop with Flash anyway, so remaining Flash-powered sites will not survive long.
Another big behavioral change is that it is no longer possible for web sites to detect that you are browsing in ‘anonymous mode’. This will make it a lot harder for sites with a ‘pay-wall’ to block you from accessing their paid content through trial subscriptions.
And another positive change is that hitting the ‘Esc’ key to stop a page from loading is no longer treated as user activation. Meaning that malicious web sites will have more trouble messing with your browser because your ‘Esc’ keypress is no longer passed to the remote web site.
I uploaded packages for the new Chromium 76.0.3809.87 today. That should have happened days earlier, but unfortunately I had to spend several nights tracking down the cause of an inability to compile a 32bit package for the new version.
You may (or may not) know that my chromium.SlackBuild downloads and compiles a custom version of the clang compiler which is then used to compile Chromium. Compiling Chromium with gcc is not fully supported by Google, and Slackware’s own version of clang is too old to be used for Chromium.
So what happened…. some developer determined that no one should run 32bit Linux software anymore and hard-coded a 64bit architecture in the clang build script that is part of the Chromium source. Attempts at compiling a 64bit clang on 32bit Slackware result in weird errors, and of course compiling the Chromium sources was out of the question then. That fuck-up took me a while to find dammit!
After I wrote a patch to fix this for my Slackware package, I inspected the Chromium source repository and was happy to find that this ‘improvement’ had been applied nine weeks ago and that other people had already felt the resulting pain – and that the offending commit has already been reverted.
The next release of Chromium should again compile without issues… fingers crossed.
Wait no more and grab that package (for Slackware 14.2 and -current) from my site or any mirror.
The Chromium 74 sources were released a few days ago by Google, and it comes with a long list of fixes for security issues.
I spent almost two months investigating why the 32bit package could no longer be built (which is one of the reasons why there were so few updates in March and April – I only have a few hours every day that I can spend on Slackware these days) and had finally managed to compile a 32bit package for Chromium 73 in a 32bit chroot environment on a 64bit Slackware OS, and that package was online for one day…. and now I tried compiling the new release on a regular 32bit Slackware OS and that worked! No idea whether this is because of my modifications of the SlackBuild.
The packages for chromium-74.0.3729.108 are now ready for download from slackware.com or slackware.nl, or any other mirror.
I verified that the Widevine CDM (for Netflix movie streaming) is still working.