Cobra Forum

Linux Community Discussions => Ubuntu, Linux and OS Chat => Topic started by: kalpana on Nov 06, 2023, 04:20 AM

Title: What am I missing concerning Chromium and potential cross-site scripting?
Post by: kalpana on Nov 06, 2023, 04:20 AM
Hi everybody. Full disclosure, I'm currently on Debian. One reason is my one remaining concern about Ubuntu and security. (I've generally resolved my other concerns.)

I'm kind of looking for opinions, educated evaluations, and experiences rather than hard answers (which are also welcome, of course). I just think that this topic is more suited for the chat subforum rather than support, as I think that the hard answer is just that medium CVEs just take some time to fix.

Now generally I use Firefox to access my bank but sometimes the login doesn't work so I have to use Chromium. Just through observation it seems that it sometimes takes more than a week to update the stable channel. One time it took three weeks.

Generally most CVEs for Chromium seem to be medium CVEs (just by informal observation checking the Ubuntu CVE Tracker). I get that no one is in a hurry to fix medium CVEs. And not just Ubuntu, but through Googling it seems that medium CVEs are fixed in time measured in months, so I get that.

In the Ubuntu CVE Priorities they say that cross-site scripting is a medium CVE. My understanding of cross-site scripting is that someone could steal information entered on a form on a web page. So what I'm concerned about is that, since seemingly Chromium is sometimes updated in a week to three weeks, someone could steal my banking credentials through cross-site scripting.

Am I right in this assessment? What am I missing? For example, perhaps Ubuntu is carefully watching the CVEs and only delaying updates when it is safe.

I get that I could just use the candidate channel but I would prefer not to if I can help it.