Is current chromium version from PureOS repo affected by CVE-2019-5786?

Hello,

Does anyone know if the chromium package from the PureOS repo is affected by CVE-2019-5786?

Recently, a zero day was reported in Chrome which was patched in version 72.0.3626.121. [1]

I believe this also affected Chromium because someone tracked down the commit [2] which addresses the vulnerability in another forum’s thread. At the moment I can’t find the source that mentioned this is the relevant commit, sorry.

The current version of chromium from the PureOS repo is 72.0.3626.109. When I checked to make sure I was somehow not seeing the latest version via Debian’s package tracker for chromium, the versions matched, but on April 1st, it changed to 73.0.3683.75-1. [3]

At one point the versions available in unstable and stable were fine, but testing still had the affected version.

Several websites were reporting this as a severe security vulnerability and I would just like to know if I am affected and if it’s only a matter of time before an unaffected version will be released soon for PureOS users.

I asked in a #debian-security IRC channel but only got a response with the Debian tracker link.

Thanks

[1] https://security.googleblog.com/2019/03/disclosing-vulnerabilities-to-protect.html
[2] https://github.com/chromium/chromium/commit/ba9748e78ec7e9c0d594e7edf7b2c07ea2a90449
[3] https://tracker.debian.org/pkg/chromium
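A quick way to run the check asked about above, as an added example that is not part of the original thread: it compares a package version against 72.0.3626.121, the release the post cites as patched. The function names and the `chromium` package name passed to `dpkg-query` are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. FIXED is the release the post cites as
# patched for CVE-2019-5786.
FIXED="72.0.3626.121"

# Reduce a Debian-style package version to its upstream part:
# drop an epoch ("1:") and anything after the dotted number ("-1", "~deb9u1").
upstream_version() {
    v=${1#*:}
    v=${v%%[!0-9.]*}
    printf '%s\n' "$v"
}

# Return 0 if dotted numeric version $1 >= $2, comparing field by field.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# Version number alone is a first check: a distribution can backport a fix
# without changing the upstream version, so its changelog or tracker decides.
classify() {
    if version_ge "$(upstream_version "$1")" "$FIXED"; then
        echo "at-or-after-fix"
    else
        echo "before-fix"
    fi
}

# Versions mentioned in the thread.
for pkgver in 72.0.3626.109 72.0.3626.121 73.0.3683.75-1; do
    printf '%-16s %s\n' "$pkgver" "$(classify "$pkgver")"
done

# Installed package, if dpkg is available (package name is an assumption).
if command -v dpkg-query >/dev/null 2>&1; then
    inst=$(dpkg-query -W -f='${Version}' chromium 2>/dev/null) || inst=
    if [ -n "$inst" ]; then
        printf 'installed %s: %s\n' "$inst" "$(classify "$inst")"
    fi
fi
```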

It appears that we have both versions in our repos: https://repo.pureos.net/pureos/pool/main/c/chromium/

I’ll discuss with our team how to get the newer, fixed version out to everyone.

So we should have the newest chromium with the fixes to the CVE you specified in our repos now. May I ask that you try and update to see if you’re able to pull in the new chromium?

Hi jeremiah,

Yes, thank you for looking into this.
