| Summary: | port packages using webkit to webkit2 for security reasons | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | All Packagers <pkg-bugs> |
| Status: | RESOLVED OLD | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | fundawang, jani.valimaa, lists.jjorge, mageia, marja11, mhrambo3501, p.opter, pkg-bugs, tmb |
| Version: | 6 | ||
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/674266/ | ||
| Whiteboard: | |||
| Source RPM: | CVE: | ||
| Status comment: | |||
| Bug Depends on: | 18053 | ||
| Bug Blocks: | |||
Description
David Walser
2016-03-15 21:24:50 CET
bijiben, nemo-extensions, seed, zenity, midori, gnome-online-accounts, libpeas, libproxy, sugar-browse-activity, and yelp in Cauldron are no longer linked to webkit1. It would be nice to have those in Mageia 5.

As for the rest, porting to webkit2 appears to be non-trivial. I e-mailed Michael Catanzaro about this. He responded with some helpful information about some of the affected packages. Here is what he said:

Regarding the GNOME apps: we have good progress on porting Empathy and Evolution. Hopefully those will be ready in time for GNOME 3.22. Geary is quite unlikely to ever be ported, but Pantheon Mail (Elementary's fork of Geary) is actively working on porting. You might consider replacing Geary with Pantheon Mail in Mageia.

Rhythmbox is already ready with a patch that we've applied downstream in both Ubuntu and Fedora, but the package maintainer is kinda unresponsive so it hasn't gone upstream yet. You can get that patch here if you want: http://pkgs.fedoraproject.org/cgit/rpms/rhythmbox.git/tree/

I know Liferea upstream is also actively working on a WebKit2 port that's mostly complete.

Michael also pointed out that bijiben didn't actually link against webkit2 as I'd hoped. evolution-devel pulled in webkit1 and it still linked to that. He also said that the seed package can be dropped. I confirmed this. It was only used by libpeas in Mageia 5. In Cauldron, libpeas no longer uses it.

CC'ing all packagers collectively

CC: (none) => marja11, pkg-bugs

@ David Do you mind resuming what still needs to be done? (Assigning to all packagers collectively, since this is about multiple packages)

Assignee: bugsquad => pkg-bugs

We need to continue to monitor packages being ported to webkit2 (Fedora is a good place to look as they're trying to stay on top of this issue as well) and backport as many of those to Mageia 5 as we can.
Thierry Vignaud
2016-05-27 10:56:46 CEST
Depends on: (none) => 18053

Can you list the remaining affected packages?

CC: (none) => mageia

Source RPM : banshee-2.6.2-8.mga5.src.rpm
Source RPM : bijiben-3.14.2-2.mga5.src.rpm
Source RPM : birdfont-2.0.2-1.mga5.src.rpm
Source RPM : birdie-1.1-3.mga5.src.rpm
Source RPM : cairo-dock-plugins-3.4.0-1.mga5.src.rpm
Source RPM : claws-mail-3.11.1-3.1.mga5.src.rpm
Source RPM : empathy-3.12.7-2.mga5.src.rpm
Source RPM : evolution-3.13.90-1.1.mga5.src.rpm
Source RPM : geany-plugins-1.24-4.mga5.src.rpm
Source RPM : geary-0.8.1-2.mga5.src.rpm
Source RPM : gimp-2.8.14-4.2.mga5.src.rpm
Source RPM : gmpc-wikipedia-11.8.16-6.mga5.src.rpm
Source RPM : gnome-online-accounts-3.14.3-1.mga5.src.rpm
Source RPM : gnome-web-photo-0.10.6-5.mga5.src.rpm
Source RPM : gnucash-2.6.5-3.mga5.src.rpm
Source RPM : gtkpod-2.1.4-7.mga5.src.rpm
Source RPM : gyachi-1.2.11-7.mga5.src.rpm
Source RPM : libpeas-1.12.1-3.mga5.src.rpm
Source RPM : libproxy-0.4.11-10.mga5.src.rpm
Source RPM : liferea-1.10.11-3.1.mga5.src.rpm
Source RPM : midori-0.5.9-1.mga5.src.rpm
Source RPM : miro-6.0-9.mga5.src.rpm
Source RPM : nemo-extensions-2.4.x-2.mga5.src.rpm
Source RPM : nuvolaplayer-2.4.3-3.mga5.src.rpm
Source RPM : perl-Gtk2-WebKit-0.90.0-11.mga5.src.rpm
Source RPM : python-webkitgtk-1.1.8-9.mga5.src.rpm
Source RPM : rhythmbox-3.1-2.mga5.src.rpm
Source RPM : seed-3.8.1-5.mga5.src.rpm
Source RPM : sugar-browse-activity-156-3.mga5.src.rpm
Source RPM : surf-0.6-5.mga5.src.rpm
Source RPM : webkit-sharp-0.3-9.mga5.src.rpm
Source RPM : wxgtk-3.0.2-1.1.mga5.src.rpm
Source RPM : xombrero-1.6.3-3.mga5.src.rpm
Source RPM : yelp-3.14.1-3.mga5.src.rpm
Source RPM : zenity-3.14.0-2.mga5.src.rpm

Hi everyone

Following the last article of linuxfr on Gnome, I am "fallen" on this article: https://blogs.gnome.org/mcatanzaro/2017/08/06/endgame-for-webkit-woes/

Obviously the stable version of webkitgtk is now version 2.18, version 2.4 seems to pose security problems and/or would no longer be maintained. Did I understand well?

And if so, can we expect a surge of version of webkitgtk for Gnome in Mageia 6 because, if I believe the MCC, we are still in 2.4?

CC: (none) => p.opter

Still relevant for Mageia 6 as some packages have not been ported, but if any more are we could update them. Mageia 5 is out of luck with all webkits.

Version: 5 => 6

Gnucash 3.x using gtk-3 and webkit2 was released in April 2018. I will only push it in a few weeks, as it is a big change it is better to wait some point releases.

CC: (none) => lists.jjorge

Mageia 6 is EOL.

CC: (none) => mrambo