Re: Is chromium updated?

2020-11-13 Thread l0f4r0
Hi,

13 Nov 2020 at 11:06 from ggunin...@gmail.com:

> Definitely won't say "thank you" to some entity which gives
> me long unpatched important component like a web browser.
>
I confess that having an unpatched browser is really not recommended because of 
all exploits that could happen on the fly (the browser is a really exposed 
component by nature).

However, everyone is free to contribute, provide help or simply choose another 
package, maybe more maintained...

9 Nov 2020 at 17:30 from go...@oles.biz:

> what is your opinion, what should Linux users use for their daily work?
> Firefox becomes more and more buggy, Chromium project doesn't provide
> binaries for any OS.
>
Why not use the Vivaldi browser then?
It comes with its own repo and updates are released regularly.
This is not 100% open source, true, but it's really functional & customisable.
I've been using it for 1 year on Linux/macOS/Windows and heard/read almost only 
good feedback.

Best regards,
l0f4r0



Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Georgi Guninski
On Fri, Nov 13, 2020 at 12:27 PM John Runyon  wrote:
>
> Imagine calling yourself a “Debian contributor” because you... reported a few 
> bugs? Guess I’m a Debian contributor too.
>
I was wrong about being _contributor_, sorry (misunderstood
the definition).



Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Gian Piero Carrubba

* [Fri, Nov 13, 2020 at 05:26:56AM -0500] John Runyon:
> Why do we have such messages on the security mailing list? Is there a 
> way to get actual security team announcements without all this spam?


That's a job for debian-security-announce@l.d.o (please note the 
'-announce' suffix)


Ciao,
Gian Piero.



Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Emmanuel Halbwachs
John Runyon (Fri 2020-11-13 05:26:56 -0500) :
> Why do we have such messages on the security mailing list? Is there a way to
> get actual security team announcements without all this spam?

Yes, there is such a list [1]. This list [2] is for (quote):

  Discussion about security issues, including cryptographic issues,
  that are of interest to all parts of the Debian community.

  Please note that this is NOT an announcement mailing list. If
  you're looking for security advisories from Debian, subscribe to
  debian-security-announce instead.

  This list is not moderated; posting is allowed by anyone.

[1] https://lists.debian.org/debian-security-announce/
[2] https://lists.debian.org/debian-security/

-- 
Emmanuel



Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Zhengbo Xiang
Come on man, if someone contributes, they contribute. Big or small.

And sure, let's quiet down a bit~

Best,
Alana X

On Fri, Nov 13, 2020 at 7:27 PM John Runyon  wrote:

> Imagine calling yourself a “Debian contributor” because you... reported a
> few bugs? Guess I’m a Debian contributor too.
>
> Why do we have such messages on the security mailing list? Is there a way
> to get actual security team announcements without all this spam? There is,
> after all, no shortage of Debian or Linux users mailing lists on which such
> messages could be posted.
>
> On Fri, Nov 13, 2020 at 5:19 AM Holger Levsen 
> wrote:
>
>> On Fri, Nov 13, 2020 at 12:06:50PM +0200, Georgi Guninski wrote:
>> > On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos 
>> wrote:
>> > > BUT we should not forget to say a THANK YOU to these guys which give
>> their best in order all of us to use this OS for free ;-)
>> > I believe I am debian contributor too, search in google for:
>> > "georgi guninski" site:debian.org
>>
>> you seem to be a very funny person, less than 3h ago you said in
>> Message-ID: > u6uwf+qe8tumw4tk...@mail.gmail.com>
>> Debian was not responding to this thread and now you are saying you
>> are Debian too! :)))
>>
>>
>> --
>> cheers,
>> Holger
>>
>>  ⢀⣴⠾⠻⢶⣦⠀
>>  ⣾⠁⢠⠒⠀⣿⡁   holger@(debian|reproducible-builds|layer-acht).org
>>  ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
>>  ⠈⠳⣄
>>
>> Moral, truth, long term- and holistic thinking seem to mean nothing to us.
>> The emperors are naked. Every single one. It turns out our whole society is
>> just one big nudist party. (Greta Thunberg about the world reacting to the
>> corona crisis but not reacting appropriately to the climate crisis.)
>>
> --
> Thanks,
> John Runyon
>


Re: fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread John Runyon
Imagine calling yourself a “Debian contributor” because you... reported a
few bugs? Guess I’m a Debian contributor too.

Why do we have such messages on the security mailing list? Is there a way
to get actual security team announcements without all this spam? There is,
after all, no shortage of Debian or Linux users mailing lists on which such
messages could be posted.

On Fri, Nov 13, 2020 at 5:19 AM Holger Levsen  wrote:

> On Fri, Nov 13, 2020 at 12:06:50PM +0200, Georgi Guninski wrote:
> > On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos 
> wrote:
> > > BUT we should not forget to say a THANK YOU to these guys which give
> their best in order all of us to use this OS for free ;-)
> > I believe I am debian contributor too, search in google for:
> > "georgi guninski" site:debian.org
>
> you seem to be a very funny person, less than 3h ago you said in
> Message-ID:  u6uwf+qe8tumw4tk...@mail.gmail.com>
> Debian was not responding to this thread and now you are saying you
> are Debian too! :)))
>
>
> --
> cheers,
> Holger
>
>  ⢀⣴⠾⠻⢶⣦⠀
>  ⣾⠁⢠⠒⠀⣿⡁   holger@(debian|reproducible-builds|layer-acht).org
>  ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
>  ⠈⠳⣄
>
> Moral, truth, long term- and holistic thinking seem to mean nothing to us.
> The emperors are naked. Every single one. It turns out our whole society is
> just one big nudist party. (Greta Thunberg about the world reacting to the
> corona crisis but not reacting appropriately to the climate crisis.)
>
-- 
Thanks,
John Runyon


fun with mailinglists (was Re: Is chromium updated?)

2020-11-13 Thread Holger Levsen
On Fri, Nov 13, 2020 at 12:06:50PM +0200, Georgi Guninski wrote:
> On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos  wrote:
> > BUT we should not forget to say a THANK YOU to these guys which give their 
> > best in order all of us to use this OS for free ;-)
> I believe I am debian contributor too, search in google for:
> "georgi guninski" site:debian.org
 
you seem to be a very funny person, less than 3h ago you said in 
Message-ID: 
Debian was not responding to this thread and now you are saying you
are Debian too! :)))


-- 
cheers,
Holger

 ⢀⣴⠾⠻⢶⣦⠀
 ⣾⠁⢠⠒⠀⣿⡁   holger@(debian|reproducible-builds|layer-acht).org
 ⢿⡄⠘⠷⠚⠋⠀ PGP fingerprint: B8BF 5413 7B09 D35C F026 FE9D 091A B856 069A AA1C
 ⠈⠳⣄

Moral, truth, long term- and holistic thinking seem to mean nothing to us. The
emperors are naked. Every single one. It turns out our whole society is just
one big nudist party. (Greta Thunberg about the world reacting to the corona
crisis but not reacting appropriately to the climate crisis.)




Re: Is chromium updated?

2020-11-13 Thread Georgi Guninski
On Fri, Nov 13, 2020 at 10:21 AM Pavlos Ponos  wrote:
> BUT we should not forget to say a THANK YOU to these guys which give their 
> best in order all of us to use this OS for free ;-)

I believe I am debian contributor too, search in google for:
"georgi guninski" site:debian.org

Definitely won't say "thank you" to some entity which gives
me long unpatched important component like a web browser.

It is like saying "thank you" to someone who gives
you free licensed Windows XP, lol.



Re: Is chromium updated?

2020-11-13 Thread Jörg Morbitzer


Hi,

some brain storming: what about working together with the LinuxMint
people, they just got a dedicated compiling machine, just for getting
updated Chromium for LMDE in time:

http://packages.linuxmint.com/list.php?release=Debbie

Consolidating resources might do the trick here,

Kind regards, Joerg.

On 11/13/20 9:31 AM, Emmanuel Halbwachs wrote:
> Hello,
> 
> Pavlos Ponos (Fri 2020-11-13 10:20:36 +0200) :
>> BUT we should not forget to say a THANK YOU to these guys
> 
> and gals
> 
>> which give their best in order all of us to use this OS for free ;-)
> 
> I was about to write the same thing: a big thank you to all
> volunteers.
> 



Re: Is chromium updated?

2020-11-13 Thread Emmanuel Halbwachs
Hello,

Pavlos Ponos (Fri 2020-11-13 10:20:36 +0200) :
> BUT we should not forget to say a THANK YOU to these guys

and gals

> which give their best in order all of us to use this OS for free ;-)

I was about to write the same thing: a big thank you to all
volunteers.

-- 
Emmanuel



Re: Is chromium updated?

2020-11-13 Thread Sven Hartge

On 17.10.20 14:28, Georgi Guninski wrote:


> Is Debian's chromium vulnerable now?


Yes. The Team maintaining Chromium in Debian is clearly overloaded and 
understaffed and I am sure the Corona Crisis isn't helping here.




Re: Is chromium updated?

2020-11-12 Thread Georgi Guninski
So Debian have been distributing vulnerable Chromium for nearly
a month? There is an exploit (not sure about which OSes) in the
wild.

Debian are not commenting on this on this mailing list.

Right?



Re: Is chromium updated?

2020-11-11 Thread Georgi Guninski
On Wed, Nov 11, 2020 at 9:46 PM  wrote:
>

> Regarding CVE-2020-16009, it 
> seems that some distros like Arch [1] have already updated their chromium 
> packages but no Debian yet. Right?
>

Right.

> Is it just a matter of extracting the security fix from 86.0.4240.183, 
> packaging it accordingly and pushing in a new version in Debian repositories?
>

There is more than one vulnerability to fix.

I have about 10 years experience consulting Mozilla for
their browsers and I recommend Debian to update to
the closest to Chromium stable. Definitely not all security
bugs get CVE and some CVEs are "multiple vulnerabilities in X".



Re: Is chromium updated?

2020-11-11 Thread Georgi Guninski
On Thu, Nov 12, 2020 at 2:15 AM Lou Poppler  wrote:
>
> You can follow debian's progress on this here:
>
> https://security-tracker.debian.org/tracker/CVE-2020-16009
>

Hi, thanks for the link.
I think your advice is incomplete and we should monitor
the union of all vulnerabilities and CVEs, not just one. There was a similar
link in this thread, check it.



Re: Is chromium updated?

2020-11-11 Thread Lou Poppler
You can follow debian's progress on this here:

https://security-tracker.debian.org/tracker/CVE-2020-16009

On Wed, 2020-11-11 at 20:46 +0100, l0f...@tuta.io wrote:
> 
> Regarding CVE-2020-16009, it 
> seems that some distros like Arch [1] have already updated their chromium 
> packages but no Debian yet. Right?
> 
> Is it just a matter of extracting the security fix from 86.0.4240.183, 
> packaging it accordingly and pushing in a new version in Debian repositories?
> 
> For Buster, will it lead eventually to a 83.0.4103.116-1~deb10uX or a 
> 86.0.4240.183~deb10uX version instead?
> 
> Thanks in advance & Best regards,
> l0f4r0
> 
> [1] : https://security.archlinux.org/CVE-2020-16009
> 



Re: Is chromium updated?

2020-11-11 Thread l0f4r0
Hi,

8 Nov 2020 at 18:50 from ggunin...@gmail.com:

> https://www.theregister.com/2020/11/04/google_chrome_critical_updates/
>
> Wed 4 Nov 2020
> If you're an update laggard, buck up: Chrome zero-days are being
> exploited in the wild
>
> Desktop and Android versions both at risk
>
Thanks Georgi for the link.

Regarding CVE-2020-16009, it 
seems that some distros like Arch [1] have already updated their chromium 
packages but no Debian yet. Right?

Is it just a matter of extracting the security fix from 86.0.4240.183, 
packaging it accordingly and pushing in a new version in Debian repositories?

For Buster, will it lead eventually to a 83.0.4103.116-1~deb10uX or a 
86.0.4240.183~deb10uX version instead?

Thanks in advance & Best regards,
l0f4r0

[1] : https://security.archlinux.org/CVE-2020-16009



Re: Is chromium updated?

2020-11-11 Thread Georgi Guninski
On Mon, Nov 9, 2020 at 6:31 PM Georgi Naplatanov  wrote:
> Chromium project doesn't provide
> binaries for any OS.
>

Aren't these trustworthy daily builds?:

https://download-chromium.appspot.com/



Re: Is chromium updated?

2020-11-09 Thread Georgi Naplatanov
Hi Georgi Guninski,

what is your opinion, what should Linux users use for their daily work?
Firefox becomes more and more buggy, Chromium project doesn't provide
binaries for any OS.

Kind regards
Georgi

On 11/8/20 7:50 PM, Georgi Guninski wrote:
> https://www.theregister.com/2020/11/04/google_chrome_critical_updates/
> 
> Wed 4 Nov 2020
> If you're an update laggard, buck up: Chrome zero-days are being
> exploited in the wild
> 
> Desktop and Android versions both at risk
> 
> On Sat, Oct 17, 2020 at 9:31 PM  wrote:
>>
>> Hi,
>>
>> 17 Oct 2020 at 14:28 from ggunin...@gmail.com:
>>
>>> On Debian stable, I have chromium Version: 83.0.4103.116-1~deb10u3
>>>
>>> From Arch advisory on 2020-10-10:
>>> The package chromium before version 86.0.4240.75-1 is vulnerable to
>>> multiple issues including arbitrary code execution, access restriction
>>> bypass, information disclosure and insufficient validation.
>>> https://lists.archlinux.org/pipermail/arch-security/2020-October/001608.html
>>>
>>> Is Debian's chromium vulnerable now?
>>>
>> I would say yes for the time being indeed: 
>> https://security-tracker.debian.org/tracker/source-package/chromium
>> See "vulnerable" in 2nd column for CVE-2020-15967 to CVE-2020-15992 + 
>> CVE-2020-6557
>>
>> Best regards,
>> l0f4r0
>>
> 



Re: Is chromium updated?

2020-11-08 Thread Georgi Guninski
https://www.theregister.com/2020/11/04/google_chrome_critical_updates/

Wed 4 Nov 2020
If you're an update laggard, buck up: Chrome zero-days are being
exploited in the wild

Desktop and Android versions both at risk

On Sat, Oct 17, 2020 at 9:31 PM  wrote:
>
> Hi,
>
> 17 Oct 2020 at 14:28 from ggunin...@gmail.com:
>
> > On Debian stable, I have chromium Version: 83.0.4103.116-1~deb10u3
> >
> > From Arch advisory on 2020-10-10:
> > The package chromium before version 86.0.4240.75-1 is vulnerable to
> > multiple issues including arbitrary code execution, access restriction
> > bypass, information disclosure and insufficient validation.
> > https://lists.archlinux.org/pipermail/arch-security/2020-October/001608.html
> >
> > Is Debian's chromium vulnerable now?
> >
> I would say yes for the time being indeed: 
> https://security-tracker.debian.org/tracker/source-package/chromium
> See "vulnerable" in 2nd column for CVE-2020-15967 to CVE-2020-15992 + 
> CVE-2020-6557
>
> Best regards,
> l0f4r0
>



Re: Is chromium updated?

2020-10-17 Thread l0f4r0
Hi,

17 Oct 2020 at 14:28 from ggunin...@gmail.com:

> On Debian stable, I have chromium Version: 83.0.4103.116-1~deb10u3
>
> From Arch advisory on 2020-10-10:
> The package chromium before version 86.0.4240.75-1 is vulnerable to
> multiple issues including arbitrary code execution, access restriction
> bypass, information disclosure and insufficient validation.
> https://lists.archlinux.org/pipermail/arch-security/2020-October/001608.html
>
> Is Debian's chromium vulnerable now?
>
I would say yes for the time being indeed: 
https://security-tracker.debian.org/tracker/source-package/chromium
See "vulnerable" in 2nd column for CVE-2020-15967 to CVE-2020-15992 + 
CVE-2020-6557

Best regards,
l0f4r0
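

Added example (not part of the thread, and not Debian's or dpkg's own code): a Python re-implementation of the Debian Policy version ordering, applied to the question above of whether the installed `83.0.4103.116-1~deb10u3` sorts before the `86.0.4240.75-1` named in the quoted Arch advisory. The function names are hypothetical and using the Arch version as the fixed threshold is an assumption; on a Debian system `dpkg --compare-versions` is the authoritative check.

```python
import re

def _isdigit(c):
    return "0" <= c <= "9"          # ASCII digits only; "" is not a digit

def _order(c):
    """Character weight: '~' sorts before everything, even end of string."""
    if c == "~":
        return -1
    if c == "" or _isdigit(c):
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    """Compare one upstream-version or revision string."""
    i = j = 0
    while i < len(a) or j < len(b):
        # 1) non-digit run, compared character by character via _order()
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            diff = _order(a[i:i + 1]) - _order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1
        # 2) digit run, compared as integers (75 < 183, unlike a string compare)
        da = re.match(r"[0-9]*", a[i:]).group()
        db = re.match(r"[0-9]*", b[j:]).group()
        if int(da or 0) != int(db or 0):
            return int(da or 0) - int(db or 0)
        i, j = i + len(da), j + len(db)
    return 0

def _split(version):
    """Split into (epoch, upstream, revision); a missing epoch or revision is 0."""
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, sep, revision = rest.rpartition("-")
    return int(epoch), (upstream if sep else rest), (revision if sep else "0")

def compare_versions(a, b):
    """Return -1, 0 or 1 as a sorts before, equal to, or after b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    diff = (ea - eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)
    return (diff > 0) - (diff < 0)

def is_older_than(installed, fixed):
    """True when the installed package sorts strictly before the fixed version."""
    return compare_versions(installed, fixed) < 0

INSTALLED = "83.0.4103.116-1~deb10u3"   # version reported in the thread
ARCH_FIXED = "86.0.4240.75-1"           # threshold from the quoted Arch advisory

if __name__ == "__main__":
    print(is_older_than(INSTALLED, ARCH_FIXED))
```

The same ordering is why a `~deb10uX` suffix sorts before the bare upstream version it is attached to.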