Google Chrome release from 27/10-2022 reports a type confusion vulnerability in V8. Vulnerability assigned CVE-2022-3723.

"Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild."

I assume the vulnerability affects chromium-bin & Chromium-derivatives google-chrome, google-chrome-bin, opera, Vivaldi & microsoft-edge as well.

Reproducible: Didn't try
Thanks.
The affected versions of these packages, which are still being distributed by Gentoo, include a remote code execution vulnerability which has been seen in the wild.

The vulnerable packages have not been updated for nearly a month, and don't appear to be being worked on. Should they be masked until they do get the security fix?
*** Bug 879579 has been marked as a duplicate of this bug. ***
(In reply to Ooblick from comment #2)
> The affected versions of these packages, which are still being distributed
> by Gentoo, include a remote code execution vulnerability which has been
> seen in the wild.
>
> The vulnerable packages have not been updated for nearly a month, and don't
> appear to be being worked on. Should they be masked until they do get the
> security fix?

They were being worked on and were pushed a few days ago:

commit 74692ef14eb7c74deaf262d09acf4d05b491b249
Author: Marek Behún <kabel@kernel.org>
Date:   Wed Nov 2 12:54:41 2022 +0100

    www-client/chromium: promote M107 to stable

    Signed-off-by: Marek Behún <kabel@kernel.org>
    Closes: https://github.com/gentoo/gentoo/pull/28100
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>

commit d14c195edacaa061b80a60b6c786be89dc48e8aa
Author: Marek Behún <kabel@kernel.org>
Date:   Wed Nov 2 12:53:56 2022 +0100

    www-client/chromium: beta channel bump to 107.0.5304.87

    Signed-off-by: Marek Behún <kabel@kernel.org>
    Signed-off-by: Mike Gilbert <floppym@gentoo.org>
The Stable channel has been updated to 107.0.5304.110 for Mac and Linux
Are we going to address https://amp-thehackernews-com.cdn.ampproject.org/c/s/amp.thehackernews.com/thn/2022/11/update-chrome-browser-now-to-patch-new.html

chromium-bin ebuilds need to be updated.
GLSA request filed, see https://bugs.gentoo.org/876855#c10 wrt edge.