Bug 7908

Summary: webkit new security issues fixed in 1.8.3
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/521549/
Whiteboard: has_procedure, MGA2-32-OK, MGA2-64-OK
Source RPM: webkit-1.8.1-1.mga2.src.rpm CVE:
Status comment:
Bug Depends on:    
Bug Blocks: 7413    

Description David Walser 2012-10-26 17:52:04 CEST 
Ubuntu has issued an advisory on October 25:
http://www.ubuntu.com/usn/usn-1617-1/

webkit 1.8.3 is building in Mageia 2 updates_testing now.
Comment 1 David Walser 2012-10-26 20:58:19 CEST 
Updated package for Mageia 2 uploaded.

Advisory:
========================

Updated webkit packages fix security vulnerabilities:

A large number of security issues were discovered in the WebKit browser and
JavaScript engines. If a user were tricked into viewing a malicious
website, a remote attacker could exploit a variety of issues related to web
browser security, including cross-site scripting attacks, denial of
service attacks, and arbitrary code execution (CVE-2011-3031, CVE-2011-3038,
CVE-2011-3042, CVE-2011-3043, CVE-2011-3044, CVE-2011-3051, CVE-2011-3053,
CVE-2011-3059, CVE-2011-3060, CVE-2011-3064, CVE-2011-3067, CVE-2011-3076,
CVE-2011-3081, CVE-2011-3086, CVE-2011-3090, CVE-2012-1521, CVE-2012-3598,
CVE-2012-3601, CVE-2012-3604, CVE-2012-3611, CVE-2012-3612, CVE-2012-3617,
CVE-2012-3625, CVE-2012-3626, CVE-2012-3627, CVE-2012-3628, CVE-2012-3645,
CVE-2012-3652, CVE-2012-3657, CVE-2012-3669, CVE-2012-3670, CVE-2012-3671,
CVE-2012-3672, CVE-2012-3674).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3031
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3038
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3043
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3044
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3051
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3059
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3064
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3081
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3090
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1521
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3598
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3604
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3611
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3612
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3617
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3626
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3628
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3645
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3652
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3657
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3670
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3671
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3672
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3674
http://www.ubuntu.com/usn/usn-1617-1/
========================

Updated packages in core/updates_testing:
========================
webkit-1.8.3-1.mga2
webkit1.0-1.8.3-1.mga2
libwebkitgtk1.0_0-1.8.3-1.mga2
libjavascriptcoregtk1.0_0-1.8.3-1.mga2
libwebkitgtk1.0-devel-1.8.3-1.mga2
webkit-gtklauncher-1.8.3-1.mga2
webkit-jsc-1.8.3-1.mga2
webkit1.0-webinspector-1.8.3-1.mga2
webkit3-1.8.3-1.mga2
webkit3.0-1.8.3-1.mga2
libwebkitgtk3.0_0-1.8.3-1.mga2
libjavascriptcoregtk3.0_0-1.8.3-1.mga2
libwebkitgtk3.0-devel-1.8.3-1.mga2
webkit3-gtklauncher-1.8.3-1.mga2
webkit3-jsc-1.8.3-1.mga2
webkit3.0-webinspector-1.8.3-1.mga2
libjscore-gir1.0-1.8.3-1.mga2
libwebkit-gir1.0-1.8.3-1.mga2
libjscore-gir3.0-1.8.3-1.mga2
libwebkit-gir3.0-1.8.3-1.mga2

from webkit-1.8.3-1.mga2.src.rpm

Assignee: bugsquad => qa-bugs

David Walser 2012-10-29 20:35:38 CET

Blocks: (none) => 7413

Comment 2 claire robinson 2012-11-01 18:06:43 CET 
Testing using midori browser which requires most of these rpms and sunspider javascript benchmark.

http://www.webkit.org/perf/sunspider-0.9.1/sunspider-0.9.1/driver.html
Comment 3 claire robinson 2012-11-01 18:31:17 CET 
Tested OK i586.

Also checked acid3 http://acid3.acidtests.org/

Whiteboard: (none) => has_procedure mga2-32-OK

Comment 4 Marc Lattemann 2012-11-01 22:56:48 CET 
Tested successfully with midori (and chromium-browser) on mga2 x86_64. Nothing to report.

validate updates.

Please use Comment 1 for Advisory and src-rpm.

Could someone from sysadmin team push to Updates? Thanks.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-32-OK => has_procedure, MGA2-32-OK, MGA2-64-OK

Comment 5 Thomas Backlund 2012-11-06 20:33:58 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0324

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED