FEDORA-2021-48866282e5 created by spot 7 months ago for Fedora 33
stable

This is probably not the update you want.

Let me be clear, it does fix the security vulnerabilities in this list:

CVE-2020-16044 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 CVE-2021-21133 CVE-2021-21134 CVE-2021-21135 CVE-2021-21136 CVE-2021-21137 CVE-2021-21138 CVE-2021-21139 CVE-2021-21140 CVE-2021-21141 CVE-2021-21117 CVE-2021-21128

But it will not behave like Google Chrome does.

Google has announced that it is cutting off access to the Sync and "other Google Exclusive" APIs from all builds except Google Chrome. This will make the Fedora Chromium build significantly less functional (along with every other distro packaged Chromium). It is noteworthy that Google gave the builders of distribution Chromium packages these access rights back in 2013 via API keys, specifically so that we could have open source builds of Chromium with (near) feature parity to Chrome. And now they're taking it away. The reasoning given for this change? Google does not want users to be able to "access their personal Chrome Sync data (such as bookmarks) ... with a non-Google, Chromium-based browser." They're not closing a security hole, they're just requiring that everyone use Chrome.

Or to put it bluntly, they do not want you to access their Google API functionality without using proprietary software (Google Chrome). There is no good reason for Google to do this, other than to force people to use Chrome.

I gave a lot of thought to whether I wanted to continue to maintain the Chromium package in Fedora, given that many (most?) users will be confused/annoyed when API functionality like sync and geolocation stops working for no good reason. Ultimately, I decided to continue for now, because there were at least some users who didn't mind, and if I stopped, someone else would start over and run blindly into this problem.

I would say that you might want to reconsider whether you want to use Chromium or not. If you want the full "Google" experience, you can run the proprietary Chrome. If you want to use a FOSS browser that isn't hobbled, there is a Firefox package in Fedora.

Oh, last, but not least, Google isn't shutting off the API access until March 15, 2021, but I have gone ahead and disabled it starting with this update. I'd rather you read about it here (even though most users will never see this) than have it just happen.

How to install

sudo dnf upgrade --advisory=FEDORA-2021-48866282e5

This update has been submitted for testing by spot.

7 months ago

This update's test gating status has been changed to 'ignored'.

7 months ago

This update's test gating status has been changed to 'waiting'.

7 months ago
User Icon imabug provided feedback 7 months ago
karma

This update's test gating status has been changed to 'ignored'.

7 months ago
User Icon ozeszty commented & provided feedback 7 months ago

I'm not sure that 'disabling' sync that early before EOL is the best option. Message and link popping up under toolbar does not explain what's going on and what the user can do about it: https://www.chromium.org/developers/how-tos/api-keys

It would be great to replace it with a link to some quick-doc explaining what and why will happen in March and what to do about it (that Firefox can import most data and sync it between multiple devices and platforms). Maybe in the meantime some alternative will arise, e.g. Firefox Sync adapted in Chromium or other synchronization engine, after all many distros will have this problem and probably some devs rely on that feature.

I'm using Chromium just to test website compatibility, but I installed or recommended it for many non-technical users as a Chrome replacement. I'm pretty sure most users don't check bodhi and won't know what hit them.

This update has been pushed to testing.

7 months ago
User Icon atim commented & provided feedback 7 months ago
karma

Firefox FTW!

This update can be pushed to stable now if the maintainer wishes

7 months ago
karma

This update has been submitted for stable by bodhi.

7 months ago
User Icon wolnei commented & provided feedback 7 months ago
karma

Works for me.

User Icon x3dsf commented & provided feedback 7 months ago
karma

Thank you for maintaining the rpm !

This update has been pushed to stable.

7 months ago
User Icon ckristi commented & provided feedback 7 months ago
karma

Thank you for maintaining this package and for 'ripping the patch' up front, without adding a long pain to it. Also, for whoever is here asking themselves if there is a fully functional browser with sync-ing capabilities, the answer is yes: Firefox. ;-)

User Icon abologna commented & provided feedback 7 months ago

Please consider keeping the package updated going forward.

While sync is certainly a useful feature, it's entirely possible to use Chromium without ever enabling it; some people might even consider the removal of this Google-specific functionality an improvement.

Firefox is a very valid alternative, and what I personally use, but the fact that the two browsers use different engines makes it quite valuable to have both in the distribution.

User Icon refi64 commented & provided feedback 7 months ago

Is removal actually correct? The email thread says that APIs like safe browsing are still available, but they won't be any longer if the API keys get removed.

User Icon mahmoudajawad commented & provided feedback 7 months ago

I would say replace the package with Ungoogled Chromium. This is effectively the same to end-users once the APIs are blocked, with one major gain which is complete google APIs block and removal at user-end to prevent any tracking act by google.

User Icon vedora commented & provided feedback 7 months ago

Personally I don't care one bit for Sync of Geolocation services. Those are one of the first things I try disable when using a browser. The warning at the startup however made me think it was a far more serious change that could hurt browsing security. I would keep the package, if I wanted the full Google experience I'd stick with Google Chrome.

User Icon djremo commented & provided feedback 6 months ago

Thank you for continuing to maintain the package! Your builds so far have been top notch and this persuaded me to switch to Chromium partly (earlier a full fledged Firefox user, from way back when I was using Windows). It is indeed a real shame that Google has <sha> let us all down so much! Considering how much they use Linux: Linux apps are the closest to an actual ecosystem on ChromiumOS, they regularly let their open source projects AOSP and Chromium (OS)) wither away..

As I have also posted on arnoldthebat's update (https://arnoldthebat.co.uk/wordpress/2021/02/10/important-update/comment-page-1/?unapproved=114658&moderation-hash=1f39af0354eeb66a2907c367d1c07e47#comment-114658), and as echoed in this (https://www.techrepublic.com/article/google-stripping-chromium-of-certain-api-access-is-an-opportunity-for-the-browser-to-shine/), is it potentially possible for us to use our own form of syncing for Chromium browsers alone? There are a lot of open source devs who maintain the browser, and in arnold's case, the OS, and easily 3x as many users who need it to get away from the bad tech giant. Maybe such an API should help us get away for good.. (I personally can help test this on a phone and my laptop, on atleast 3 distributions and Android, and if I could, would love to help with the code as well (I went into the medical field #( ), and I do think all of us can band together for a while to get Chromium back to where it was)

User Icon whstoermer commented & provided feedback 5 months ago
karma

WoW! I started to use Chromium a while back, and it was glorious. Thank you for making Chromium for the masses; everyone owes you a great debt of gratitude. What you did was awesome, and it is sad. I am not much of a coder, but I am a philosopher, and I offer a eulogy (yeah, it's a program, I know; I have not lost it, work with me here).

Today, I eulogize something beautiful under the most tragic of circumstances. It is like the death of a child, something created and has part of that creator in it. We are left with the questions of what if and why. It was not due to a faceless disease or defect inherited from the parents; it was murder. We know who did it. The killer is someone that we once gladly welcomed into our home. We trusted them with our personal communications, our many questions, and the records of our lives, all with the singular promise not to be evil. That was the first lie, but not the last.

The friend that we once trusted turned on us, and in secret, they practiced the dark arts and were possessed with the spirit of Google (for they are too many). Today, they have killed their brother Chromium, and his code still cries out from the ground, but are we listening? Power corrupts, and absolute power corrupts absolutely, and now they have become death: the destroyer of worlds.

Prince Chromium is dead, and now we are left with his useless brother sitting on the throne and breaking nuts with the royal seal. The King is dead; long live the king; now, what about us?


Please login to add feedback.

Metadata
Type
security
Severity
high
Karma
7
Signed
Content Type
RPM
Test Gating
Settings
Unstable by Karma
-3
Stable by Karma
3
Stable by Time
7 days
Dates
submitted
7 months ago
in testing
7 months ago
in stable
7 months ago
BZ#1918218 CVE-2021-21118 chromium-browser: Insufficient data validation in V8
0
0
BZ#1918219 CVE-2021-21119 chromium-browser: Use after free in Media
0
0
BZ#1918220 CVE-2021-21120 chromium-browser: Use after free in WebSQL
0
0
BZ#1918222 CVE-2021-21121 chromium-browser: Use after free in Omnibox
0
0
BZ#1918223 CVE-2021-21122 chromium-browser: Use after free in Blink
0
0
BZ#1918224 CVE-2021-21123 chromium-browser: Insufficient data validation in File System API
0
0
BZ#1918225 CVE-2021-21124 chromium-browser: Potential user after free in Speech Recognizer
0
0
BZ#1918226 CVE-2021-21125 chromium-browser: Insufficient policy enforcement in File System API
0
0
BZ#1918227 CVE-2021-21126 chromium-browser: Insufficient policy enforcement in extensions
0
0
BZ#1918228 CVE-2021-21127 chromium-browser: Insufficient policy enforcement in extensions
0
0
BZ#1918229 CVE-2021-21129 chromium-browser: Insufficient policy enforcement in File System API
0
0
BZ#1918230 CVE-2021-21130 chromium-browser: Insufficient policy enforcement in File System API
0
0
BZ#1918231 CVE-2021-21131 chromium-browser: Insufficient policy enforcement in File System API
0
0
BZ#1918232 CVE-2021-21132 chromium-browser: Inappropriate implementation in DevTools
0
0
BZ#1918233 CVE-2021-21133 chromium-browser: Insufficient policy enforcement in Downloads
0
0
BZ#1918235 CVE-2021-21134 chromium-browser: Incorrect security UI in Page Info
0
0
BZ#1918236 CVE-2021-21135 chromium-browser: Inappropriate implementation in Performance API
0
0
BZ#1918237 CVE-2021-21136 chromium-browser: Insufficient policy enforcement in WebView
0
0
BZ#1918238 CVE-2021-21137 chromium-browser: Inappropriate implementation in DevTools
0
0
BZ#1918239 CVE-2021-21138 chromium-browser: Use after free in DevTools
0
0
BZ#1918240 CVE-2021-21139 chromium-browser: Inappropriate implementation in iframe sandbox
0
0
BZ#1918241 CVE-2021-21140 chromium-browser: Uninitialized Use in USB
0
0
BZ#1918242 CVE-2021-21141 chromium-browser: Insufficient policy enforcement in File System API
0
0
BZ#1918277 CVE-2021-21118 CVE-2021-21119 CVE-2021-21120 CVE-2021-21121 CVE-2021-21122 CVE-2021-21123 CVE-2021-21124 CVE-2021-21125 CVE-2021-21126 CVE-2021-21127 CVE-2021-21129 CVE-2021-21130 CVE-2021-21131 CVE-2021-21132 ... chromium: various flaws [fedora-all]
0
0

Automated Test Results