Bug 18018

Summary: webkit several security issues fixed upstream in 2.4.10
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/680797/
Whiteboard: has_procedure MGA5-32-OK advisory
Source RPM: webkit-2.4.9-1.mga5 CVE:
Status comment:

Description David Walser 2016-03-15 23:36:00 CET 
+++ This bug was initially created as a clone of Bug #17662 +++

Upstream has issued an advisory on December 28:
http://webkitgtk.org/security/WSA-2015-0002.html

Some of the issues have been fixed in the old webkit 2.4.x branch in 2.4.10:
http://www.webkitgtk.org/2016/03/14/webkitgtk2.4.10-released.html

I talked about this in more detail here:
https://ml.mageia.org/l/arc/dev/2016-01/msg00078.html

Updated package uploaded for Mageia 5.

Advisory:
========================

Updated webkit packages fix security vulnerabilities:

The webkit package has been updated to version 2.4.10, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1076
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3747
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5801
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5928
http://webkitgtk.org/security/WSA-2015-0002.html
http://www.webkitgtk.org/2016/03/14/webkitgtk2.4.10-released.html
========================

Updated packages in core/updates_testing:
========================
webkit-2.4.10-1.mga5
webkit1.0-2.4.10-1.mga5
libwebkitgtk1.0_0-2.4.10-1.mga5
libjavascriptcoregtk1.0_0-2.4.10-1.mga5
libwebkitgtk1.0-devel-2.4.10-1.mga5
webkit-gtklauncher-2.4.10-1.mga5
webkit-jsc-2.4.10-1.mga5
webkit3-2.4.10-1.mga5
webkit3.0-2.4.10-1.mga5
libwebkitgtk3.0_0-2.4.10-1.mga5
libjavascriptcoregtk3.0_0-2.4.10-1.mga5
libwebkitgtk3.0-devel-2.4.10-1.mga5
webkit3-gtklauncher-2.4.10-1.mga5
webkit3-jsc-2.4.10-1.mga5
libjavascriptcore-gir1.0-2.4.10-1.mga5
libwebkit-gir1.0-2.4.10-1.mga5
libjavascriptcore-gir3.0-2.4.10-1.mga5
libwebkit-gir3.0-2.4.10-1.mga5

from webkit-2.4.10-1.mga5.src.rpm
Comment 1 David Walser 2016-03-21 17:06:27 CET 
Fedora has issued an advisory for this on March 20:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179133.html
Comment 2 David Walser 2016-03-21 18:52:09 CET 
Some of the CVEs in the URL, some here:
http://lwn.net/Vulnerabilities/674266/

URL: http://lwn.net/Vulnerabilities/674266/ => http://lwn.net/Vulnerabilities/680797/

Comment 3 Herman Viaene 2016-03-22 17:25:59 CET 
MGA5-32 on Acer D620 Xfce
No installation issues.
Applied same test as per bug16914 Comment3 and got the same result. OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 4 claire robinson 2016-03-24 22:38:45 CET 
Validating. Advisory todo.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK => has_procedure MGA5-32-OK
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-03-25 06:20:53 CET

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK advisory

Comment 5 Mageia Robot 2016-03-25 07:39:43 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0120.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED