Bug 27656

Summary: webkit2 security issues fixed upstream (WSA-2020-0008 and WSA-2020-0009)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, herman.viaene, nicolas.salguero, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: webkit2-2.28.4-1.mga7.src.rpm CVE:
Status comment:

Description David Walser 2020-11-23 20:45:05 CET 
Upstream has issued an advisory today (November 23):
https://webkitgtk.org/security/WSA-2020-0008.html

The issues are fixed upstream in 2.30.3:
https://webkitgtk.org/2020/11/20/webkitgtk2.30.3-released.html
Comment 1 Nicolas Salguero 2020-11-24 13:01:22 CET 
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.30.3, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9948
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9951
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9952
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9983
https://webkitgtk.org/2020/11/20/webkitgtk2.30.3-released.html
https://webkitgtk.org/security/WSA-2020-0008.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.30.3-1.mga7
webkit2-jsc-2.30.3-1.mga7
lib(64)webkit2gtk4.0_37-2.30.3-1.mga7
lib(64)javascriptcoregtk4.0_18-2.30.3-1.mga7
lib(64)webkit2-devel-2.30.3-1.mga7
lib(64)javascriptcore-gir4.0-2.30.3-1.mga7
lib(64)webkit2gtk-gir4.0-2.30.3-1.mga7

from webkit2-2.30.3-1.mga7.src.rpm

CC: (none) => nicolas.salguero
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 2 David Walser 2020-11-24 14:16:28 CET 
CVE-2020-9952 shouldn't be listed in the advisory, as it was fixed in our previous update.
Comment 3 Herman Viaene 2020-11-25 16:06:10 CET 
MGA7-64 MATE on Peaq C1011
No installation issues
Ref to bug 26928 e.a. for testing
$ zenity  --calendar
22/12/20
Is what I expected, OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-11-27 01:35:02 CET 
Validating. Advisory in Comment 1, but should be revised according to Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Aurelien Oudelet 2020-11-27 09:48:38 CET 
Advisory pushed to SVN.

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 6 Mageia Robot 2020-11-27 21:16:11 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0441.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2020-11-29 17:15:18 CET 
Ubuntu has issued an advisory for this on November 26:
https://ubuntu.com/security/notices/USN-4648-1

Apparently our update introduced a lot of new dependencies, see Bug 27683.
Nicolas Salguero 2020-12-01 10:47:53 CET

Summary: webkit2 security issues fixed upstream (WSA-2020-0008) => webkit2 security issues fixed upstream (WSA-2020-0008 and WSA-2020-0009)

Comment 8 David Walser 2020-12-01 11:15:06 CET 
Please add CVE-2020-13543 and the following reference to the SVN advisory:
https://webkitgtk.org/security/WSA-2020-0009.html
Comment 9 Aurelien Oudelet 2020-12-01 11:21:23 CET 
(In reply to David Walser from comment #8)
> Please add CVE-2020-13543 and the following reference to the SVN advisory:
> https://webkitgtk.org/security/WSA-2020-0009.html

Added.