Bug 23615

Summary: webkit2 security issues fixed upstream (WSA-2018-0007, WSA-2018-0008, WSA-2018-0009, WSA-2019-0001, WSA-2019-0002, WSA-2019-0003)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: All Packagers <pkg-bugs>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, mhrambo3501, nicolas.salguero
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: webkit2-2.20.5-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2018-09-29 16:07:37 CEST 
Upstream has issued an advisory on September 26:
https://webkitgtk.org/security/WSA-2018-0007.html
Comment 1 Marja Van Waes 2018-09-29 18:15:05 CEST 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

CC'ing two committers.

CC: (none) => marja11, mrambo, nicolas.salguero
Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2018-10-05 15:52:22 CEST 
Hi,

I tried to build webkit2-2.22.2 for Mga6 and here is a summary:

- Building with GCC is impossible because version 2.22.x requires at least GCC 6.0.0 and Mga6 has GXX 5.5.0, so I switched to CLANG.

- For x86_64, I was able to use CLANG for compiling and GCC for linking (the default behaviour of CLANG when it sees that the default compiler is GCC) and I used the resulting packages with epiphany without noticing any issue.

- For armv5tl, all my attempts failed.

- For armv7hl, I had to use CLANG for compiling and linking but I could not test if the resulting packages work.

- For i586, I had to use CLANG for compiling and linking and add, at the same time, libatomic-devel, a library provided by GCC and here is the biggest problem: in my tests in a virtualbox VM running Mga6 i586, webkit2-2.22.2 causes frequent crashes (with epiphany at least) where the same epiphany with webkit2-2.20.5 has no problem.

I tested the same sites with x86_64 and i586.

Best regards,

Nico.
Comment 3 David Walser 2018-10-10 00:40:08 CEST 
Ubuntu has issued an advisory for this on October 3:
https://usn.ubuntu.com/3781-1/
Comment 4 David Walser 2018-11-21 22:28:53 CET 
Try 2.22.4:
https://www.webkitgtk.org/2018/11/21/webkitgtk2.22.4-released.html
Comment 5 Nicolas Salguero 2018-11-22 09:30:17 CET 
Upstream has issued an advisory on November 21:
https://webkitgtk.org/security/WSA-2018-0008.html

Summary: webkit2 security issues fixed upstream (WSA-2018-0007) => webkit2 security issues fixed upstream (WSA-2018-0007, WSA-2018-0008)

Comment 6 Nicolas Salguero 2018-11-22 09:35:49 CET 
(In reply to David Walser from comment #4)
> Try 2.22.4:
> https://www.webkitgtk.org/2018/11/21/webkitgtk2.22.4-released.html

Sadly, since version 2.22.3, webkit2 requires gstreamer 1.14.
Comment 7 David Walser 2018-12-15 18:58:42 CET 
Upstream has issued an advisory on December 13:
https://webkitgtk.org/security/WSA-2018-0009.html

One new issue is fixed in 2.22.5:
https://webkitgtk.org/2018/12/13/webkitgtk2.22.5-released.html

Summary: webkit2 security issues fixed upstream (WSA-2018-0007, WSA-2018-0008) => webkit2 security issues fixed upstream (WSA-2018-0007, WSA-2018-0008, WSA-2018-0009)

Comment 8 David Walser 2018-12-26 02:00:23 CET 
Ubuntu has issued an advisory for (part of) this on November 27:
https://usn.ubuntu.com/3828-1/
Comment 9 David Walser 2019-01-14 15:44:46 CET 
Ubuntu has issued an advisory for the last part of this on January 10:
https://usn.ubuntu.com/3854-1/
Comment 10 David Walser 2019-02-10 19:03:04 CET 
Upstream has issued an advisory on February 8:
https://webkitgtk.org/security/WSA-2019-0001.html

Two new issues are fixed in 2.22.6:
https://webkitgtk.org/2019/02/09/webkitgtk2.22.6-released.html

Summary: webkit2 security issues fixed upstream (WSA-2018-0007, WSA-2018-0008, WSA-2018-0009) => webkit2 security issues fixed upstream (WSA-2018-0007, WSA-2018-0008, WSA-2018-0009, WSA-2019-0001)

Comment 11 David Walser 2019-02-15 00:45:47 CET 
Ubuntu has issued an advisory for the last part of this on February 13:
https://usn.ubuntu.com/3889-1/
Comment 12 David Walser 2019-04-12 22:16:16 CEST 
Upstream has issued an advisory on April 10:
https://webkitgtk.org/security/WSA-2019-0002.html

Version 2.24.1 contains all of the fixes.

Summary: webkit2 security issues fixed upstream (WSA-2018-0007, WSA-2018-0008, WSA-2018-0009, WSA-2019-0001) => webkit2 security issues fixed upstream (WSA-2018-0007, WSA-2018-0008, WSA-2018-0009, WSA-2019-0001, WSA-2019-0002)

Comment 13 David Walser 2019-04-22 23:24:38 CEST 
Latest Ubuntu advisory from April 16:
https://usn.ubuntu.com/3948-1/
Comment 14 David Walser 2019-05-21 03:09:07 CEST 
Upstream has issued an advisory today (May 20):
https://webkitgtk.org/security/WSA-2019-0003.html

Version 2.24.2 contains all of the fixes.

Summary: webkit2 security issues fixed upstream (WSA-2018-0007, WSA-2018-0008, WSA-2018-0009, WSA-2019-0001, WSA-2019-0002) => webkit2 security issues fixed upstream (WSA-2018-0007, WSA-2018-0008, WSA-2018-0009, WSA-2019-0001, WSA-2019-0002, WSA-2019-0003)

Comment 15 David Walser 2019-08-11 21:37:28 CEST 
Ubuntu advisory for the last part of this, from May 22:
https://usn.ubuntu.com/3992-1/
Comment 16 Nicolas Salguero 2019-11-06 09:07:03 CET 
Mageia 6 EOL

Status: NEW => RESOLVED
Resolution: (none) => OLD