Bug 15512

Summary: webkit, webkit2 new TLS certificate verification security issue (CVE-2015-2330)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal    
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/638447/
Whiteboard:
Source RPM: webkit-2.4.8-1.mga5.src.rpm, webkit2-2.6.5-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-03-17 22:05:59 CET 
A CVE has been requested for a security issue in webkit/webkit2:
http://openwall.com/lists/oss-security/2015/03/17/11

It's not clear if the version of webkit in Mageia 4 is affected.

If a CVE is assigned soon, I'll add the patch in Cauldron.

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-03-18 14:28:56 CET 
CVE-2015-2330 has been assigned:
http://openwall.com/lists/oss-security/2015/03/18/4

Patch checked into webkit and webkit2 SVN in Cauldron.  Freeze push requested.

Summary: webkit, webkit2 new TLS certificate verification security issue => webkit, webkit2 new TLS certificate verification security issue (CVE-2015-2330)

Comment 2 David Walser 2015-03-18 14:36:42 CET 
Looking at the code, the patch doesn't exactly apply to webkit in Mageia 4, and the patch appears to be making the code more similar to what it already is in the older version, but not exactly, so it might apply.  For now, I'll close this if it's pushed in Cauldron, but if another distro makes an update for this CVE for older webkitgtk, I'll reopen it.
Comment 3 David Walser 2015-03-19 12:02:58 CET 
Fixed with webkit-2.4.8-2.mga5 and webkit2-2.6.5-2.mga5.

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 David Walser 2015-03-30 15:33:19 CEST 
Fedora has issued an advisory for this on March 19:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/153553.html

URL: (none) => http://lwn.net/Vulnerabilities/638447/