Hello,
We are being asked to update Chrome on our Rocky Linux 8 application hosts due to CVE-2025-24201 being flagged by Qualys scanning, because we are running google-chrome-stable-134.0.6998.35-1. We do not have any WebKit packages installed separately. We know that Chromium uses the WebKit fork Blink for rendering. There is no documentation, as far as we can find, that CVE-2025-24201 has been exploited on non-Apple OS platforms.
There is only this Chrome release note which implicates Mac.
We recognize that best practice would be to update Chrome. What we would like to know is whether there is actually any documentation of this vulnerability exploited in Chrome on EL8?
Thanks in advance!
Do that. Then the issue becomes moot.
Chrome seems to get bug fixes on an almost weekly basis; it’s the single most frequently updated rpm that I have on this computer. Obviously Chrome is a piece of software with a lot of problems (which is why I don’t use it as my primary web browser), but it would be foolish to not keep it updated if you must have it.
Thanks. However, Chrome updates cause downtime for application users, so we must minimize Chrome updates that are not absolutely critical.
Chrome is a third-party package. Therefore, all information about it – and fixes – should come from the provider (Google).
In what way? If I’m running Chrome on my computer and then in a console window do:
dnf update
I’m still running Chrome when the new version is being installed. I don’t start using the new one until I close my browser window and reopen it. So there was no downtime for me whatsoever.
Either way, any CVEs in Chrome are Chrome’s/Google’s problem, not the Rocky or EL community’s, since we don’t manage or maintain it.
It’s a server application that manages its Chrome version via RPM dependency. The app shuts down while it is upgrading, so upgrading dependencies, especially larger ones, extends the downtime.
Ah OK, yeah, so had Chrome been updated on its own it wouldn’t have caused that. But because you have it as a dependency for another app, most likely your app asks for Chrome to be shut down during the rpm install/upgrade. Now, whether you can change that behaviour or not, you’d probably have to ask whoever packaged it. That way at least your app would update but leave it open until someone restarts it manually. Although I do realise they may actually need to do the restart and force it to close.
Not much we here can help with, TBH; it’s the way your server app is. And CVE updates to Chrome are Google’s responsibility too, as already mentioned. About all you can do is, when a CVE is published, manually check whether your version is vulnerable or not. Or possibly use a vulnerability scanner to scan your servers/machines to see if that particular version is flagged or not.
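The manual check suggested in the last reply, written out as an added shell example (this is not code from anyone in the thread or from Google): it compares the installed google-chrome-stable RPM version with the first version a Chrome release note lists as containing the fix, and shows which packages pull Chrome in as a dependency. The fixed version is a value you must look up in the release note for the CVE and pass in; the number used in the usage line is a placeholder, not a claim about CVE-2025-24201.

```shell
#!/bin/sh
# Added example, not from the thread. Compares an installed Chrome RPM
# version (EVR as printed by rpm, e.g. 134.0.6998.35-1) against the
# version that a vendor release note says fixes a given CVE.
# Assumption: the fixed version is supplied by the caller after reading
# the Chrome release note; nothing here decides what that version is.

# True (exit 0) if dotted numeric version $1 is strictly lower than $2.
# Chrome versions are four numeric components; missing trailing
# components are treated as 0. Non-numeric components are not handled.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac=${a%%.*}; bc=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ac=${ac:-0}; bc=${bc:-0}
        if [ "$ac" -lt "$bc" ]; then return 0; fi
        if [ "$ac" -gt "$bc" ]; then return 1; fi
    done
    return 1   # equal: not lower
}

# $1: installed EVR or version (the "-<release>" suffix is stripped),
# $2: first fixed version from the release note.
# Prints "vulnerable" if installed < fixed, otherwise "fixed".
chrome_cve_status() {
    installed=${1%-*}
    if version_lt "$installed" "$2"; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Read the installed version from the RPM database (RPM hosts only).
installed_chrome_evr() {
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' google-chrome-stable 2>/dev/null
}

# Packages that require Chrome: the server app described in the thread
# would show up here, which is why the upgrade takes it down.
chrome_dependents() {
    rpm -q --whatrequires google-chrome-stable 2>/dev/null
}

# Usage: sh chrome_cve_check.sh <fixed-version-from-release-note>
# Only runs when an argument is given and rpm is present, so the
# functions above can also be sourced and used on their own.
if [ "$#" -eq 1 ] && command -v rpm >/dev/null 2>&1; then
    evr=$(installed_chrome_evr) || { echo "google-chrome-stable not installed"; exit 2; }
    echo "installed: $evr  fixed: $1  status: $(chrome_cve_status "$evr" "$1")"
    echo "packages requiring Chrome:"
    chrome_dependents
fi
```

The comparison is a plain component-wise numeric one because Chrome versions are strictly numeric; for arbitrary RPM EVRs you would use rpmdev-vercmp from rpmdevtools instead, which understands epochs and release tags.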