Bug 21358

Summary: webkit2 security issues fixed upstream (WSA-2017-0006)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, sysadmin-bugs
Version: 6Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK advisory
Source RPM: webkit2-2.16.5-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-07-26 12:57:20 CEST 
Upstream has issued an advisory on July 25:
https://webkitgtk.org/security/WSA-2017-0006.html

Several of the issues are fixed in 2.16.6:
https://webkitgtk.org/2017/07/24/webkitgtk2.16.6-released.html
Comment 1 David Walser 2017-07-26 17:14:38 CEST 
Updated package uploaded for Mageia 6.

Advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.16.6, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7030
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7034
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7039
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7046
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7055
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7056
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7064
https://webkitgtk.org/security/WSA-2017-0006.html
https://webkitgtk.org/2017/07/24/webkitgtk2.16.6-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.16.6-1.mga6
webkit2-jsc-2.16.6-1.mga6
libwebkit2gtk4.0_37-2.16.6-1.mga6
libjavascriptcoregtk4.0_18-2.16.6-1.mga6
libwebkit2-devel-2.16.6-1.mga6
libjavascriptcore-gir4.0-2.16.6-1.mga6
libwebkit2gtk-gir4.0-2.16.6-1.mga6

from webkit2-2.16.6-1.mga6.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2017-07-28 10:01:24 CEST 
MGA6-32 on Asus A6000VM MATE
No installation issues.
Ref to bug 20642 Comment , installed epiphany and checked dependency of this one on libwebkit with
# urpmq --whatrequires libwebkit2gtk4.0_37
anjuta
birdfont
epiphany    and some more
Then
$ strace -o libwebkit.txt epiphany 
and in the trace file I find
open("/lib/libwebkit2gtk-4.0.so.37", O_RDONLY|O_CLOEXEC) = 3
So OK and validating

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene, sysadmin-bugs

Dave Hodgins 2017-07-30 05:07:58 CEST

Whiteboard: MGA6-32-OK => MGA6-32-OK advisory
CC: (none) => davidwhodgins

Comment 3 Mageia Robot 2017-07-30 10:18:11 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0228.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED