My thoughts on Slackware, life and everything

Tag: cve (Page 1 of 21)

July update for Chromium 126

The latest release of the Chromium source code (version 126.0.6478.182 was made available on July 16th) addresses several vulnerabilities as usual, some of which are rated as ‘High’ but none ‘Critical’ and also no new 0-days are reported.

You can fetch my Slackware 15.0 and -current packages both for chromium and (hopefully soon, because its source has not been released yet) also chromium-ungoogled . You may prefer one of the mirror servers (like my own US server and in a short while, the UK mirror) in case my primary slackware.nl server is not responding or too slow.

I am slowly transitioning back from being a caregiver for my mother (which absorbed me completely for 10 months) to a life where I have time and energy in the evenings to hack on Slackware again. You will soon find the next installment in the Slackware Cloud Server series here on the blog – an article dedicated to building a Docker stack as cloud storage backend for the open source Ente Auth 2-factor authentication app.

Cheers, Eric

Chromium update fixes 5th zero-day exploit for 2024

In Google’s release notes for the latest Chromium 124.0.6367.201 source code it is  mentioned that this release fixes a zero-day vulnerability. Beware: this is already the 5th zero-day which was reported and fixed in Chromium in 2024.

This vulnerability is already actively exploited in the wild, and is labeled CVE-2024-4671, so please upgrade your chromium and also ungoogled-chromium packages as soon as you can.

You can fetch my Slackware 15.0 and -current packages both for chromium and chromium-ungoogled . You can also visit mirror servers (like my own US server and in a short while, the UK mirror) in case my own server is not responding or too slow.

Note that I still do not provide 32bit package updates for Chromium and Chromium-ungoogled. It is a lot of work to find out how to compile rust and llvm on 32bit Slackware ‘the Google way’ and so far the solution has eluded me.
I need these custom rust and clang compilers to compile Chromium sources on 32bit.
And please don’t tell me ‘to look at how Debian does it’ – it does not help.

Cheers, Eric

Google fixes the 8th zero-day in Chromium in 2023

Chromium 120.0.6099.129 for which the source code was released two days ago repairs a zero-day vulnerability.

Zero-day means that the vulnerability is already actively exploited in the wild. Hopefully the last time this year, but it is already the 8th zero-day which was reported and fixed in Chromium. The new zero-day is labeled CVE-2023-7024.
It’s therefore highly recommended to upgrade your chromium and also ungoogled-chromium packages.

Find the updated Slackware 15.0 and -current packages both for chromium and chromium-ungoogled in my repository and its mirrors (like my own US server and in a short while, the UK mirror).

Cheers, Eric

Chromium 118 (also ungoogled) is a security update

I uploaded new 64bit packages for Chromium 118.0.5993.70 (also the un-googled variant) for which the sources were released a few days ago. This first release in the 118 series addresses a critical vulnerability (CVE-2023-5218) so it’s wise to upgrade.
As mentioned in a previous blog post, future 32bit package updates will have a lower frequency: one update per month. Google has increased the frequency of its Chromium releases dramatically (one per week) and I just cannot keep up. If you need that 32bit package badly now, you can of course grab the sources and my SlackBuild and build it yourself.

Looking at this 118 major release, one thing you need to be aware of is the changed behavior of “Enhanced Safe Browsing” which you can enable in the browser’s security settings (chrome://settings/security). Probably most of you already have this enabled. This is what changed:

Google will be able to disable an installed browser extension remotely if it determines the extension is labeled as ‘malicious’ and the extension was not installed via the Chrome Web Store.
The browser’s security checks of downloaded online content have been enhanced with so-called ‘deep scanning’ meaning the browser may now ask you for a password to open a protected archive you just downloaded. Note that the scanning occurs in Google’s datacenter – when you enable ‘enhanced safe browsing’ you consent to uploading some of your data to Google for the specific purpose of scanning and analyzing it for malicious content.
Also with ‘enhanced safe browsing’ enabled, the browser will send telemetry data about installed browser extensions using the chrome.tabs API to Google’s servers for analysis. This is meant to improve the “detection of malicious and policy violating extensions”.

It is up to you to decide which way the tradeoff between enhanced security and sharing data with Google works for you. If you don’t feel comfortable with this and you value your privacy, then you need to disable (or not enable) ‘Enhanced Safe Browsing’ in the settings.

Find the updated Slackware 15.0 and -current packages both for chromium and chromium-ungoogled in my repository and its mirrors (like my own US server and in a short while, the UK mirror).

Cheers, Eric

Chromium package and release update

You have surely noticed an increase in the frequency with which I am releasing new chromium and chromium-ungoogled packages. This is caused by a new release policy from Google, with an update every week and a bump in the major version (currently 117) every month.
I have tried keeping up with that schedule, but I am giving up.
My reasons? One chromium or chromium-ungoogled package takes 11+ hours to compile (part of the Chromium compilation involves compiling Google’s customized clang compiler). Every update, I need to compile 4 packages. It takes away the fun in updating them to be honest. I don’t know for whom I actually create the 32bit packages still.

So, from this moment onwards, my own package release policy changes as follows. I will keep up with the Google source release cycle, but only for the 64bit packages. My 32bit packages for chromium and chromium-ungoogled will be updated no more than once per month, unless there’s a big security hole to be patched.

By the way, I uploaded new chromium packages for 117.0.5938.149 yesterday and today I added its chromium-ungoogled sibling (64bit only).

Find the updated Slackware 15.0 and -current packages both for chromium and chromium-ungoogled in my repository and its mirrors (like my own US server and in a short while, the UK mirror).

Cheers, Eric

« Older posts

© 2024 Alien Pastures

Theme by Anders NorenUp ↑