Understanding Chrome Security Update Approach


win...@gmail.com

Jul 13, 2016, 8:10:02 AM7/13/16
to Security-dev
Based on the information below, can anyone explain how to interpret Google Chrome security updates? Let's say that I currently have version 50.0.2661.87 installed, and the current version is 51.0.2704.63. How do I calculate the number of vulnerabilities? Do I:
A: Add them all (12+24+8 = 44)
B: Add only the current version and my installed version (12+8 = 20)
C: Any other suggestion would be helpful.

BTW, the information below is as represented on the CVE website.

Version         # of Vulnerabilities
51.0.2704.63    8
50.0.2661.102   24
50.0.2661.87    12

I am trying to see if the updates are cumulative or not.

Thanks in advance for any assistance.
Winston

PhistucK

Jul 13, 2016, 9:40:13 AM7/13/16
to win...@gmail.com, Security-dev
I believe A is the closest (there might be a situation where a patch release introduced a new vulnerability that did not exist in the previous patch release and was fixed in the next one, but this probably almost never happens).


PhistucK



Chris Palmer

Jul 13, 2016, 1:49:00 PM7/13/16
to win...@gmail.com, security-dev

I suggest forgetting about CVEs in general; there is not a 1:1 mapping between vulnerabilities and CVEs. Additionally, their scoring can often be rather different from what we judge.

Instead, just consider that each stable patch release contains all the fixes we have for bugs we know about. You can search the bug tracker for bugs of type Bug-Security and status Fixed.

There is no good reason to purposefully stay on a version older than latest stable.
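To make the counting question concrete, here is an added example (not code from anyone in this thread) that parses Chrome's four-part version strings and applies option A, summing the per-version counts quoted in the original post for every listed version from the installed one up to the current one. It also shows why versions must be compared numerically rather than as strings. The table values are constructed from the post; the function names are the example's own.

```python
from typing import Dict, List, Tuple

# Constructed from the counts quoted in the original post (per-version
# vulnerability counts as shown on the CVE site at the time); not live data.
VULNS_BY_VERSION: Dict[str, int] = {
    "51.0.2704.63": 8,
    "50.0.2661.102": 24,
    "50.0.2661.87": 12,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Chrome version string (major.minor.build.patch) into a tuple of ints.

    Plain string comparison gets this wrong: "50.0.2661.102" < "50.0.2661.87"
    lexicographically, although .102 is the newer patch release.
    """
    parts = version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def releases_between(installed: str, current: str, table: Dict[str, int]) -> List[str]:
    """Listed versions from installed up to current (inclusive), oldest first."""
    lo, hi = parse_version(installed), parse_version(current)
    if lo > hi:
        raise ValueError(f"installed version {installed} is newer than {current}")
    return sorted((v for v in table if lo <= parse_version(v) <= hi), key=parse_version)


def exposure_count(installed: str, current: str, table: Dict[str, int]) -> int:
    """Option A from the thread: add the counts of every listed version in the range.

    Because each stable release carries all earlier fixes, staying on the
    installed version leaves you exposed to everything fixed after it.
    """
    return sum(table[v] for v in releases_between(installed, current, table))


if __name__ == "__main__":
    installed, current = "50.0.2661.87", "51.0.2704.63"
    print("versions in range:", releases_between(installed, current, VULNS_BY_VERSION))
    print("option A total:", exposure_count(installed, current, VULNS_BY_VERSION))  # 44
```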
