Bug 22368

Summary: webkit2 2.18.5 contains Spectre mitigations (WSA-2018-0001)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: herman.viaene, marja11, nicolas.salguero, sysadmin-bugs
Version: 6Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-64-OK
Source RPM: webkit2-2.18.4-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-01-10 14:58:58 CET 
Upstream has released 2.18.5 today (January 10), containing Spectre mitigations:
https://www.webkitgtk.org/2018/01/10/webkitgtk2.18.5-released.html

Updated packages submitted for Mageia 6 and Cauldron.
Comment 1 Marja Van Waes 2018-01-11 07:13:35 CET 
webkit2-2.18.5-1.mga6 did build, thanks David

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Component: RPM Packages => Security
Assignee: bugsquad => pkg-bugs
QA Contact: (none) => security
CC: (none) => marja11

Comment 2 Nicolas Salguero 2018-01-11 09:40:40 CET 
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.18.5, containing Spectre mitigations.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5715
https://www.webkitgtk.org/2018/01/10/webkitgtk2.18.5-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.18.5-1.mga6
webkit2-jsc-2.18.5-1.mga6
lib(64)webkit2gtk4.0_37-2.18.5-1.mga6
lib(64)javascriptcoregtk4.0_18-2.18.5-1.mga6
lib(64)webkit2-devel-2.18.5-1.mga6
lib(64)javascriptcore-gir4.0-2.18.5-1.mga6
lib(64)webkit2gtk-gir4.0-2.18.5-1.mga6

from SRPMS:
webkit2-2.18.5-1.mga6.src.rpm

Status: NEW => ASSIGNED
Assignee: pkg-bugs => qa-bugs
CC: (none) => nicolas.salguero

Comment 3 David Walser 2018-01-11 12:24:08 CET 
They eventually issued an advisory yesterday:
https://webkitgtk.org/security/WSA-2018-0001.html

Please include it in the References.

Summary: webkit2 2.18.5 contains Spectre mitigations => webkit2 2.18.5 contains Spectre mitigations (WSA-2018-0001)

Comment 4 Herman Viaene 2018-01-13 12:55:55 CET 
MGA6-64 on Lenovo B50 Plasma
No installation issues
Used  atril to trace use of webkit2: OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-64-OK

Comment 5 Lewis Smith 2018-01-14 17:26:01 CET 
(In reply to David Walser from comment #3)
> They eventually issued an advisory yesterday:
> https://webkitgtk.org/security/WSA-2018-0001.html
> Please include it in the References.
Done. Also validating - thanks Herman.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2018-01-14 17:55:05 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0082.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED