Bug 30777

Summary: webkit2 security issues fixed upstream (WSA-2022-0008)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: andrewsfarm, davidwhodgins, fri, nicolas.salguero, sysadmin-bugs
Version: 8
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8-32-OK MGA8-64-OK
Source RPM: webkit2-2.36.6-1.mga8.src.rpm
CVE:
Status comment:

Description David Walser 2022-08-26 17:12:56 CEST
Upstream has issued an advisory today (July 28):
https://webkitgtk.org/security/WSA-2022-0008.html

The issues are fixed upstream in 2.36.7:
https://webkitgtk.org/2022/08/24/webkitgtk2.36.7-released.html

Comment 1 Nicolas Salguero 2022-08-29 13:18:51 CEST
Suggested advisory:
========================

The updated packages fix a security vulnerability and other issues.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32893
https://webkitgtk.org/security/WSA-2022-0008.html
https://webkitgtk.org/2022/08/24/webkitgtk2.36.7-released.html
========================

Updated packages in core/updates_testing:
========================
lib(64)javascriptcoregtk4.0_18-2.36.7-1.mga8
lib(64)javascriptcore-gir4.0-2.36.7-1.mga8
lib(64)webkit2gtk4.0_37-2.36.7-1.mga8
lib(64)webkit2gtk-gir4.0-2.36.7-1.mga8
lib(64)webkit2-devel-2.36.7-1.mga8
webkit2-2.36.7-1.mga8
webkit2-jsc-2.36.7-1.mga8.x86_64.rpm

from SRPM:
webkit2-2.36.7-1.mga8.src.rpm

Status: NEW => ASSIGNED
Assignee: nicolas.salguero => qa-bugs
CC: (none) => nicolas.salguero

Comment 2 Morgan Leijström 2022-08-29 17:43:22 CEST
Clean update of the three packages this system had, to
webkit2-2.36.7-1.mga8
lib(64)webkit2gtk4.0_37-2.36.7-1.mga8
lib(64)webkit2gtk-gir4.0-2.36.7-1.mga8

reboot, just in case...

Tested OK a few applications: drakconf, midori, gcad3d, ristretto, scratch

CC: (none) => fri

Comment 3 Thomas Andrews 2022-09-02 02:46:28 CEST
Tested on a Probook 6550b MGA8-64 Plasma system, and a MGA8-32 Xfce system on the same hardware. No installation issues on either system.

Used Herman's standard test first: "zenity --calendar". This produced a small calendar from which I could select a date. 

drakconf displays correctly on both systems. This is not to say that Bug 30332 has been resolved, only that this hardware is not affected, and nothing new went wrong.

Decided to try something new this time. "urpmq --whatrequires-recursive webkit2" produced a lengthy list, including a couple of simple Gnome puzzle games, four-in-a-row and five-or-more. I tried both games on both systems, with no issues.

OKing this, and validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-32-OK MGA8-64-OK

Dave Hodgins 2022-09-02 19:19:49 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-09-02 22:00:49 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0317.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED