
Ubuntu Trusty reaches EOL only in April 2019. But the chromium-browser package is several releases out of date, at least if we judge by the version number. Namely, the current version in Bionic is 69.0.3497.81-0ubuntu0.18.04.1, while in Trusty it's 65.0.3325.181-0ubuntu0.14.04.1.

This makes me wonder whether it can be considered secure.

I don't know of any security bugs fixed between these versions, but if there are any, does the version in Ubuntu Trusty have the patches backported? Or is it effectively abandoned for the remaining half a year of LTS life?

NOTE: unlike the other question proposed as duplicate target for this one, this question doesn't ask why, it asks whether outdated-version Chromium is still up-to-date security-wise.

Ruslan

1 Answer


Version numbers can be misleading.

The Ubuntu Security Team patches vulnerabilities in 65.0 (usually using an upstream-provided patch), then pushes the update to you via Ubuntu's -security repository. The patched version is still 65.0, since it's not a new upstream release. Since it's no longer stock 65.0, a supplemental version number is added at the end (that's the '0Ubuntu1' at the end of the version string).

The Security Team won't push a new (untested) upstream version 69.0 to merely address a patchable vulnerability. Pushing a new upstream version outside the normal release cycle is precisely the opposite of the software stability that an LTS release is intended to provide.

The Ubuntu Security Team maintains a searchable database of all known vulnerabilities in all Ubuntu packages, so you can see the status for yourself without guessing.

user535733
  • Hmm, I get security.ubuntu.com refused to connect for your link. Could you check that you can access it? – Ruslan Oct 17 '18 at 11:16
  • This is somewhat of a dangerous position on browser security, since it relies on known vulnerabilities, which will naturally focus on the official stable and newer versions of the browser, both for focusing on the future and for the common misconception that everyone is automatically updating to the latest stable version if they care about security (thus old versions can be ignored). If code with an unseen vulnerability is replaced in a newer version, it's unlikely many workers on the project will be going over the thrown-out or modified-away code for security vulnerabilities, adding risk. – Chai T. Rex Oct 17 '18 at 14:14
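The answer above explains that a backported security fix leaves the upstream part of the version untouched and only bumps the Ubuntu revision; one way to see what was actually backported is to read the package changelog (`apt-get changelog chromium-browser`). The parser below is an added example, not code from the answer or from Ubuntu's tooling: it parses the Debian changelog format, splits each entry's version into upstream and revision parts, and collects the CVE ids each entry cites. The sample changelog, its second revision and its CVE ids are constructed placeholders.

```python
import re

HEADER_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+);")  # "pkg (version) pocket;"
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample in Debian changelog format (`apt-get changelog` output);
# CVE ids are placeholders. Upstream stays 65.0.3325.181, only the revision moves.
SAMPLE_CHANGELOG = """\
chromium-browser (65.0.3325.181-0ubuntu0.14.04.2) trusty-security; urgency=medium

  * SECURITY UPDATE: backported upstream fixes
    - CVE-0000-0002
    - CVE-0000-0003

 -- Maintainer <maintainer@example.com>  Mon, 03 Sep 2018 12:00:00 +0000

chromium-browser (65.0.3325.181-0ubuntu0.14.04.1) trusty-security; urgency=medium

  * New upstream release, fixes CVE-0000-0001

 -- Maintainer <maintainer@example.com>  Tue, 03 Apr 2018 12:00:00 +0000
"""

def split_version(version):
    """(upstream, revision): a security update bumps only the part after the last '-'."""
    upstream, sep, revision = version.rpartition("-")
    return (upstream, revision) if sep else (version, "")

def cves_by_version(changelog):
    """One dict per changelog entry, newest first, with the CVE ids it cites."""
    entries = []
    for line in changelog.splitlines():
        m = HEADER_RE.match(line)
        if m:  # entry header; indented change and trailer lines never match
            upstream, revision = split_version(m.group(2))
            entries.append({"version": m.group(2), "upstream": upstream,
                            "revision": revision, "pocket": m.group(3), "cves": []})
        elif entries:
            entries[-1]["cves"].extend(CVE_RE.findall(line))
    return entries

def fixed_cves(changelog, installed_version):
    """CVE ids fixed in installed_version or any older entry: what the
    -security pocket actually backported, whatever the upstream number says."""
    fixed, reached = set(), False
    for entry in cves_by_version(changelog):
        reached = reached or entry["version"] == installed_version
        if reached:
            fixed.update(entry["cves"])
    return fixed
```

Compare the returned CVE ids against the Ubuntu CVE tracker entries for the package rather than against the upstream release number.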