On Wed, Nov 11, 2020 at 9:46 PM <l0f...@tuta.io> wrote:
>
> Regarding CVE-2020-16009 <https://security.archlinux.org/CVE-2020-16009>, it
> seems that some distros like Arch [1] have already updated their chromium
> packages but no Debian yet. Right?
>

Right.

> Is it just a matter of extracting the security fix from 86.0.4240.183,
> packaging it accordingly and pushing in a new version in Debian repositories?
>

There is more than one vulnerability to fix. I have about 10 years' experience consulting Mozilla for their browsers and I recommend that Debian update to the closest to Chromium stable. Definitely not all security bugs get a CVE and some CVEs are "multiple vulnerabilities in X".