Debian User Forums

[debiandonder]

Is the Chromium version in Debian save to use as it is not kept up to date like Chrome?

Google issued an alert about it's browser having some critical vulnerability this week and advised users to update to the latest version. The latest version of Chrome was released last Monday and Chromium on Debian has not yet been updates this Saturday.

Should I just use Firefox ESR, instead?

[shep]

The devil is in the details. Unfortunately CVE-2019-5786 was reserved by Google who has yet to provide details in the database

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5786

That said, Debian has been providing Chromium security updates, the last was February 18, 2019

https://www.debian.org/security/
https://www.debian.org/security/2019/dsa-4395

Typically after firefox-esr or chromium cve's, the Debian security team will provide an update within a few days. In the interim, I would avoid sending critical passwords with chromium, particularly via a javascript interface.

[Head_on_a_Stick]

Should I just use Firefox ESR, instead?

^ Probably this.

I seem to remember the chromium version falling behind a little for the last release but firefox-esr always tracked the current version very closely and was updated within a day or two of upstream.

Having said that, chrom{e,ium} has a better privsep model and so better security generally (at the expense of privacy).

[debiandonder]

Thanks for the feedback everyone, I think I'll just wait till Chromium gets updated to the version that fixes the security problem and use Firefox ESR in the meantime. Firefox works with most websites I use anyway. It just messes up the memrise website as far as the language courses are concerned when they pronounce stuff, but works most of the time with everything else.

I switched to Chromium because Chrome was updating weekly and was bothering me. I keep going back to Chrome most of the time, but lately I'm too lazy too go through the whole setup thing and adding the adblocker and changing settings to block third party cookies and all of that.

I will just wait until Chrome 73 gets released and switch then or use Firefox ESR till I have to do something important like financial website stuff.

[milomak]

let's see

Code: Select all

$ apt-cache policy chromium             
chromium:
  Installed: (none)
  Candidate: 72.0.3626.122-1
  Version table:
     73.0.3683.56-1 1
          1 http://debian.mirror.ac.za/debian experimental/main amd64 Packages
          1 http://ftp.is.co.za/debian experimental/main amd64 Packages
          1 http://ftp.uk.debian.org/debian experimental/main amd64 Packages
          1 http://deb-mir1.naitways.net/debian experimental/main amd64 Packages
     72.0.3626.122-1 500
        500 http://debian.mirror.ac.za/debian sid/main amd64 Packages
        500 http://ftp.is.co.za/debian sid/main amd64 Packages
        500 http://debian.saix.net sid/main amd64 Packages
        500 http://ftp.uk.debian.org/debian sid/main amd64 Packages
        500 http://deb-mir1.naitways.net/debian sid/main amd64 Packages
     72.0.3626.109-1 500
        500 http://debian.mirror.ac.za/debian testing/main amd64 Packages
        500 http://ftp.is.co.za/debian testing/main amd64 Packages
        500 http://debian.saix.net testing/main amd64 Packages
        500 http://deb-mir1.naitways.net/debian testing/main amd64 Packages
     70.0.3538.110-1~deb9u1 500
        500 http://debian.mirror.ac.za/debian stable/main amd64 Packages
        500 http://ftp.is.co.za/debian stable/main amd64 Packages
        500 http://debian.saix.net stable/main amd64 Packages
        500 http://deb-mir1.naitways.net/debian stable/main amd64 Packages

Code: Select all

apt-cache policy google-chrome-stable
google-chrome-stable:
  Installed: 72.0.3626.121-1
  Candidate: 72.0.3626.121-1
  Version table:
 *** 72.0.3626.121-1 500
        500 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages
        100 /var/lib/dpkg/status

[gusnan]

You all have probably seen it, but:

https://www.debian.org/security/2019/dsa-4404

[debiandonder]

Thanks! The update came up today.

I think it was some vulnerability in Chrome that could be used to gain control of Windows 7 36-bit.

Keep calm and use Linux.

[debiandonder]

Just a update. If I want to go to the site Daily Mail, the latest chromium version just gives me a "Oh snap!" message. I must not like Daily Mail.

Firefox ESR works with that site, so no worries.

[Head_on_a_Stick]

If I want to go to the site Daily Mail, the latest chromium version just gives me a "Oh snap!" message.

That's not a bug, it's a feature!

I must not like Daily Mail.

No, best not.

Not only did that scummy site start off the whole anti-vaccination bullshit that has claimed the lives of hundreds of children worldwide, they also ran front-page headlines in the 1930s in support of Hitler & Mosley's Blackshirts:

https://www.globaljustice.org.uk/blog/2 ... daily-mail

[MagicPoulp]

Why do you prefer to use chromium and not chrome?

Chrome can be downloaded as a .deb from Google's website and it will registers apt repositories for updates.

[dilberts_left_nut]

and it will registers apt repositories for updates.

Yay, root access to your PC for google ...

[MagicPoulp]

Installing a .deb from Google does not give sudo access to google on my computer. Only the installation uses sudo not the execution of the program. And the package manager is very smart.
It only copies files to the /usr/bin and put config files and libraries in other folders. It cannot do more than copy files.

dpkg only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list

If really you don't want to run sudo, you can use a chroot, that is a fake root folder.

Besides, AppArmor will be by default in Buster. So applications will be even more protected.

[Head_on_a_Stick]

Why do you prefer to use chromium and not chrome?

Because Google will not release the full source code for Chrome.

What are they hiding, exactly?

[debiandonder]

If I want to go to the site Daily Mail, the latest chromium version just gives me a "Oh snap!" message.

That's not a bug, it's a feature!

I must not like Daily Mail.

No, best not.

Not only did that scummy site start off the whole anti-vaccination bullshit that has claimed the lives of hundreds of children worldwide, they also ran front-page headlines in the 1930s in support of Hitler & Mosley's Blackshirts:

https://www.globaljustice.org.uk/blog/2 ... daily-mail

Sorry, I meant it must not like Daily Mail, meaning Chromium. It turned out it was Adguard adblocker that was causing the problem. Wish it had inbuilt privacy protection like Firefox. Just use Chromium because it works with all sites, not because I particularly like it.

Daily Mail has lots of pretty pictures, BBC is too boring.

[dilberts_left_nut]

Installing a .deb from Google does not give sudo access to google on my computer.

No, but adding the repo lets them put whatever they want on your box.

Only the installation uses sudo not the execution of the program.

There is nothing (technical) stopping them including a data mining service that starts at boot and runs as root.

And the package manager is very smart.
It only copies files to the /usr/bin and put config files and libraries in other folders. It cannot do more than copy files.

Really?
... and the pre & post-inst script mechanisms?

dpkg only allowed to create a source file which refers to the package name.
sudo less /etc/apt/sources.list.d/google-chrome.list

That can be called anything and contain anything.

If really you don't want to run sudo, you can use a chroot, that is a fake root folder.

Which has nothing to do with the subject.

Besides, AppArmor will be by default in Buster. So applications will be even more protected.

Snake Oil salesmen are alive and doing well.