[Bug 1424577] [NEW] Upgrade breaks Chrome update mechanism leaving users without any security updates
Niklas Schnelle
1424577 at bugs.launchpad.net
Mon Feb 23 10:28:45 UTC 2015
*** This bug is a security vulnerability ***
Public security bug reported:
Users installing Chrome from the official Google download site (https://www.google.com/chrome/browser/desktop/index.htm)
get an additional repository added that works as the only mechanism for security and version updates for Chrome on Ubuntu. Upgrading Ubuntu to a new version silently (or at least with a hard to associate message) disables this repository without uninstalling Chrome, leaving users with a working but permanently frozen version of Chrome.
This leaves users open to all Chrome security problems found after the
upgrade and poses a severe security issue. Disabling a repository
without uninstalling applications relying on it for security updates is
just not a sane default and a lot worse than breaking applications
because the repository doesn't have versions for the new release. In the
case of Chrome leaving the repository activated would have resulted in
the right behavior.
I've been using Linux for over 10 years and noticed this happening on my
mum's computer only because Gmail pointed out that the Chrome version was
no longer supported.
** Affects: update-manager (Ubuntu)
Importance: Undecided
Status: New
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to update-manager in Ubuntu.
https://bugs.launchpad.net/bugs/1424577
Title:
Upgrade breaks Chrome update mechanism leaving users without any
security updates
Status in update-manager package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/update-manager/+bug/1424577/+subscriptions
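The report above describes a release upgrade commenting out a third-party apt source while the packages it supplied stay installed. The following script is an added example for administrators checking a machine after an upgrade; it is not code from the bug report, from update-manager, or from Google. It assumes (an assumption, not something the report states) that the upgrader marks each disabled entry with a trailing `# disabled on upgrade to <release>` comment, and it only reads sources files, so it is safe to run on any system.

```shell
#!/bin/sh
# Added example, not from the bug report or from update-manager.
# Lists apt source lines that a release upgrade commented out, so an admin
# can see which repositories (and therefore which installed packages) have
# silently stopped receiving updates. Assumption: the upgrader appends
# "# disabled on upgrade to <release>" to each line it disables.

# Print "file:lineno:line" for every deb/deb-src line carrying the marker.
# A missing directory or no matches is reported as empty output, not an error.
find_disabled_sources() {
    grep -rn -E '^#[[:space:]]*deb(-src)?[[:space:]].*disabled on upgrade to' "$1" 2>/dev/null || true
}

# Number of such lines under the directory (0 when there are none).
count_disabled_sources() {
    n=$(find_disabled_sources "$1" | wc -l)
    echo "$n" | tr -d ' '
}

# Reduce each matching line to the repository URI, one per line.
# Strips the grep prefix, the "# deb" / "# deb-src" keyword and any
# "[arch=...]" option block, then drops everything after the URI.
disabled_source_uris() {
    find_disabled_sources "$1" \
        | sed -E 's/^[^:]*:[0-9]+:#[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?//; s/[[:space:]].*$//'
}

# Human-readable summary. Returns 1 when something was disabled so the check
# can be used from a post-upgrade script or a monitoring job.
report_disabled_sources() {
    dir="${1:-/etc/apt/sources.list.d}"
    n=$(count_disabled_sources "$dir")
    if [ "$n" -eq 0 ]; then
        echo "No apt sources under $dir were disabled by a release upgrade"
        return 0
    fi
    echo "$n apt source line(s) under $dir were disabled by a release upgrade:"
    disabled_source_uris "$dir" | while read -r uri; do
        echo "  $uri  (packages installed from here no longer get updates)"
    done
    return 1
}

# Run the report when invoked directly with a directory argument.
if [ "$#" -gt 0 ]; then
    report_disabled_sources "$1"
fi
```

Run it as `sh check-disabled-sources.sh /etc/apt/sources.list.d` after an upgrade. For each URI it prints, `apt-cache policy <package>` on the packages that came from that repository shows whether the installed version still has a candidate; re-enabling the entry (or reinstalling the vendor package, which for Chrome recreates its sources file) restores updates.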