Bug 26928

Summary: webkit2 security issues fixed upstream (WSA-2020-0006 and WSA-2020-0007)
Product: Mageia Reporter: Nicolas Salguero <nicolas.salguero>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, mageia, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: webkit2-2.28.2-1.mga7.src.rpm CVE:
Status comment:

Description Nicolas Salguero 2020-07-10 13:18:34 CEST 
Hi,

Upstream has released 2.28.3: https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html, which seems to only fix bugs but not security issues.

Best regards,

Nico.
Comment 1 Nicolas Salguero 2020-07-10 13:28:51 CEST 
Suggested advisory:
========================

The webkit2 package has been updated to version 2.28.3, fixing several bugs.

References:
https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.28.3-1.mga7
webkit2-jsc-2.28.3-1.mga7
lib(64)webkit2gtk4.0_37-2.28.3-1.mga7
lib(64)javascriptcoregtk4.0_18-2.28.3-1.mga7
lib(64)webkit2-devel-2.28.3-1.mga7
lib(64)javascriptcore-gir4.0-2.28.3-1.mga7
lib(64)webkit2gtk-gir4.0-2.28.3-1.mga7

from webkit2-2.28.3-1.mga7.src.rpm

Source RPM: (none) => webkit2-2.28.2-1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 2 David Walser 2020-07-10 19:42:27 CEST 
Upstream has issued an advisory today (July 10):
https://webkitgtk.org/security/WSA-2020-0006.html

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.28.3, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13753
https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html
https://webkitgtk.org/security/WSA-2020-0006.html

Component: RPM Packages => Security
Summary: webkit2 2.28.3 => webkit2 security issues fixed upstream (WSA-2020-0006)
QA Contact: (none) => security

Comment 3 David Walser 2020-07-14 22:29:06 CEST 
Ubuntu has issued an advisory for this today (July 14):
https://ubuntu.com/security/notices/USN-4422-1

Severity: normal => major

Comment 4 Herman Viaene 2020-07-24 14:50:34 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
Testing with
$ zenity  --calendar
21/07/20
and getting ssame behavior asin bug 26550, so OK on this.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-07-25 15:04:53 CEST 
Validating. Dueling advisories, but it looks like the best one is in Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Nicolas Salguero 2020-07-29 13:08:57 CEST 
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.28.4, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13753
https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html
https://webkitgtk.org/2020/07/28/webkitgtk2.28.4-released.html
https://webkitgtk.org/security/WSA-2020-0006.html
https://ubuntu.com/security/notices/USN-4422-1
========================

Updated packages in core/updates_testing:
========================
webkit2-2.28.4-1.mga7
webkit2-jsc-2.28.4-1.mga7
lib(64)webkit2gtk4.0_37-2.28.4-1.mga7
lib(64)javascriptcoregtk4.0_18-2.28.4-1.mga7
lib(64)webkit2-devel-2.28.4-1.mga7
lib(64)javascriptcore-gir4.0-2.28.4-1.mga7
lib(64)webkit2gtk-gir4.0-2.28.4-1.mga7

from webkit2-2.28.4-1.mga7.src.rpm

Whiteboard: MGA7-64-OK => (none)
Keywords: validated_update => (none)

Comment 7 David Walser 2020-07-29 16:34:14 CEST 
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.28.4, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9893
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9894
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9915
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9925
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13753
https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html
https://webkitgtk.org/2020/07/28/webkitgtk2.28.4-released.html
https://webkitgtk.org/security/WSA-2020-0006.html
https://webkitgtk.org/security/WSA-2020-0007.html
https://ubuntu.com/security/notices/USN-4422-1

Summary: webkit2 security issues fixed upstream (WSA-2020-0006) => webkit2 security issues fixed upstream (WSA-2020-0006 and WSA-2020-0007)

Comment 8 Herman Viaene 2020-08-03 13:51:00 CEST 
Testing newer version
$ zenity  --calendar
20/09/20
OK again.

Whiteboard: (none) => MGA7-64-OK

Comment 9 Thomas Andrews 2020-08-03 14:30:22 CEST 
We'll try again. Validating. New advisory in Comment 7.

Keywords: (none) => validated_update

Comment 10 David Walser 2020-08-05 00:10:47 CEST 
Ubuntu has issued an advisory for the 2.28.4 fixes on August 3:
https://ubuntu.com/security/notices/USN-4444-1

Please append that to the references in the advisory.
Nicolas Lécureuil 2020-08-16 15:03:34 CEST

CC: (none) => mageia
Keywords: (none) => advisory

Comment 11 Mageia Robot 2020-08-16 15:55:08 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0317.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED