Upstream has released version 2.4.8 on January 7: http://www.webkitgtk.org/2015/01/07/webkitgtk2.4.8-released.html It fixes several security issues. Freeze push requested for Cauldron. Mageia 4 is likely affected, but it's unclear what we can do about it, since it has 2.2.x, which is no longer supported upstream.
Whiteboard: (none) => MGA4TOO
There was a build error: http://pkgsubmit.mageia.org/uploads/failure/cauldron/core/release/20150109200821.ennael.valstar.30990/log/webkit-2.4.8-1.mga5/build.0.20150109200901.log
URL: (none) => http://lwn.net/Vulnerabilities/629239/
Fedora has issued advisories for this on January 10: https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147862.html https://lists.fedoraproject.org/pipermail/package-announce/2015-January/147863.html
Fixed in Cauldron thanks to an upstream patch to fix the build.
Whiteboard: MGA4TOO => (none)
Version: Cauldron => 4
There is a webkit 2.2.8 from October that's the newest currently in the 2.2 branch. It doesn't look like 2.2 is supported anymore upstream, but I'm not 100% sure of that. I don't know if 2.2.x is affected or if it will be addressed if it is.
Source RPM: webkit-2.4.7-1.mga5.src.rpm => webkit-2.2.2-1.mga4.src.rpm
Upstream has issued an advisory today (January 26): http://webkitgtk.org/security/WSA-2015-0001.html It lists all of these issues and says that they are fixed in 2.4.8, but only 2.4.x is affected.
Resolution: (none) => FIXED
Version: 4 => Cauldron
Status: NEW => RESOLVED