Bug 14999

Summary: webkit new security issues CVE-2014-1344, CVE-2014-138[4-9], and CVE-2014-1390
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/629239/
Whiteboard:
Source RPM: webkit-2.2.2-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-01-09 20:03:48 CET 
Upstream has released version 2.4.8 on January 7:
http://www.webkitgtk.org/2015/01/07/webkitgtk2.4.8-released.html

It fixes several security issues.  Freeze push requested for Cauldron.

Mageia 4 is likely affected, but it's unclear what we can do about it, since it has 2.2.x, which is no longer supported upstream.

Reproducible: 

Steps to Reproduce:
David Walser 2015-01-09 20:03:55 CET

Whiteboard: (none) => MGA4TOO

David Walser 2015-01-12 19:18:32 CET

URL: (none) => http://lwn.net/Vulnerabilities/629239/

Comment 3 David Walser 2015-01-12 21:52:10 CET 
Fixed in Cauldron thanks to an upstream patch to fix the build.

Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4

Comment 4 David Walser 2015-01-25 19:54:46 CET 
There is a webkit 2.2.8 from October that's the newest currently in the 2.2 branch.  It doesn't look like 2.2 is supported anymore upstream, but I'm not 100% sure of that.  I don't know if 2.2.x is affected or if it will be addressed if it is.

Source RPM: webkit-2.4.7-1.mga5.src.rpm => webkit-2.2.2-1.mga4.src.rpm

Comment 5 David Walser 2015-01-26 20:29:29 CET 
Upstream has issued an advisory today (January 26):
http://webkitgtk.org/security/WSA-2015-0001.html

It lists all of these issues and says that they are fixed in 2.4.8, but only 2.4.x is affected.

Resolution: (none) => FIXED
Version: 4 => Cauldron
Status: NEW => RESOLVED