Bug 29886

Summary: epiphany new security issues CVE-2021-4508[5-8]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, davidwhodgins, hdetavernier, mhrambo3501, sysadmin-bugs, thomasfrank1803
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: epiphany-3.38.2-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-01-13 17:15:10 CET 
Debian has issued an advisory on January 12:
https://www.debian.org/security/2022/dsa-5042

The issues are fixed upstream in 40.4 and 41.1; Debian patched 3.38.2.
David Walser 2022-01-13 17:15:20 CET

Status comment: (none) => Patches available from Debian

Comment 1 Mike Rambo 2022-01-29 14:53:03 CET 
Updated package uploaded for Mageia 8.

Advisory:
========================

Updated epiphany package fixes security vulnerabilities:

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place that page on the Most Visited list (CVE-2021-45085).

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js (CVE-2021-45086).

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 when View Source mode or Reader mode is used, as demonstrated by a a page title (CVE-2021-45087).

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page (CVE-2021-45088).


References:
https://www.debian.org/security/2022/dsa-5042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45085
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45088
========================

Updated packages in core/updates_testing:
========================
epiphany-3.38.2-1.1.mga8

from epiphany-3.38.2-1.1.mga8.src.rpm

Assignee: gnome => qa-bugs
CC: (none) => mhrambo3501

David Walser 2022-01-29 17:25:31 CET

Status comment: Patches available from Debian => (none)

Comment 2 Hugues Detavernier 2022-02-01 15:21:59 CET 
Mageia8 X64 Gnome VmWare
No installation issue.

Gnome Web (Epiphany) is working fine.
Tested with streaming web sites and others differents websites without issue.

CC: (none) => hdetavernier

Comment 3 Thomas Andrews 2022-02-07 03:09:02 CET 
Giving this an OK based on Comment 2. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-02-09 20:23:09 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-02-09 21:47:00 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0053.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 Thomas Frank 2022-07-07 08:47:33 CEST Comment hidden (spam)

CC: (none) => thomasfrank1803