Bug 17662 - webkit2 several security issues fixed upstream (WSA-2015-0002 and WSA-2016-000[12])
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/674266/
Whiteboard: advisory MGA5-32-OK
Keywords: validated_update
Reported: 2016-02-01 17:19 CET by David Walser
Modified: 2016-03-28 16:55 CEST

Source RPM: webkit2-2.6.6-1.mga5.src.rpm

Description David Walser 2016-02-01 17:19:09 CET
Upstream has issued an advisory on December 28:
http://webkitgtk.org/security/WSA-2015-0002.html

Some of the issues are old and were already fixed in 2.6.6, but some were fixed later.  The newest stable version with all the fixes is 2.10.4.

We may be able to update it, as the library majors have not changed.  Thomas (tmb) thought we may be able to backport patches somehow.

I talked about this in more detail here:
https://ml.mageia.org/l/arc/dev/2016-01/msg00078.html

The webkit SRPM is also affected (and by more issues since it's older).  Packages that link against that need to be ported to webkit2 to fix these issues.  A bug for shotwell has already been filed:
https://bugs.mageia.org/show_bug.cgi?id=17491

The libproxy package was recently updated in Cauldron, with a patch porting it to webkit2.

Fedora has issued an advisory for webkit2 today (February 1):
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176536.html

David Walser 2016-02-01 17:19:32 CET

CC: (none) => tmb

Comment 1 David Walser 2016-02-01 18:27:41 CET
Upstream has issued an advisory today (February 1):
http://webkitgtk.org/security/WSA-2016-0001.html

Two more CVEs are fixed in 2.10.5.

Summary: webkit2 several security issues fixed upstream (WSA-2015-0002) => webkit2 several security issues fixed upstream (WSA-2015-0002 and WSA-2016-0001)

Comment 2 David Walser 2016-02-01 18:29:07 CET
The newest stable release is currently 2.10.7.
David Walser 2016-02-02 13:55:21 CET

URL: (none) => http://lwn.net/Vulnerabilities/674266/

Comment 3 David Walser 2016-02-05 16:59:48 CET
LWN reference for WSA-2016-0001:
http://lwn.net/Vulnerabilities/674707/

Fedora has issued an advisory for this on February 4:
https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176818.html
Comment 4 David Walser 2016-02-16 01:01:33 CET
A good summary of the situation:
https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/

Basically, we need to update webkit2 to the newest version and update applications that are using webkit1 as they are ported to webkit2.
Comment 5 Samuel Verschelde 2016-02-23 13:03:06 CET
Assigning to packagers collectively (there's a registered maintainer but he hasn't touched this package in a long time).

CC: (none) => fundawang, jani.valimaa

Comment 6 Samuel Verschelde 2016-02-23 13:03:35 CET
(In reply to Samuel Verschelde from comment #5)
> Assigning to packagers collectively (there's a registered maintainer but he
> hasn't touched this package in a long time).

Actually assigning now :o)

Assignee: bugsquad => pkg-bugs

Comment 7 David Walser 2016-03-11 16:39:24 CET
Upstream has issued another advisory today (March 11) with 6 more CVEs:
http://webkitgtk.org/security/WSA-2016-0002.html

Summary: webkit2 several security issues fixed upstream (WSA-2015-0002 and WSA-2016-0001) => webkit2 several security issues fixed upstream (WSA-2015-0002 and WSA-2016-000[12])

Comment 8 David Walser 2016-03-15 15:53:08 CET
(In reply to David Walser from comment #3)
> LWN reference for WSA-2016-0001:
> http://lwn.net/Vulnerabilities/674707/
> 
> Fedora has issued an advisory for this on February 4:
> https://lists.fedoraproject.org/pipermail/package-announce/2016-February/176818.html

OpenSuSE has issued an advisory for this today (March 15):
https://lists.opensuse.org/opensuse-updates/2016-03/msg00054.html
Comment 9 David Walser 2016-03-15 21:26:52 CET
Advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.10.8, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1070
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1076
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3660
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3736
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3747
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3754
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3755
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5801
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5819
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5825
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5930
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5931
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7102
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1726
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1728
http://webkitgtk.org/security/WSA-2015-0002.html
http://webkitgtk.org/security/WSA-2016-0001.html
http://webkitgtk.org/security/WSA-2016-0002.html
http://www.webkitgtk.org/2015/04/14/webkitgtk2.8.1-released.html
http://www.webkitgtk.org/2015/05/12/webkitgtk2.8.2-released.html
http://www.webkitgtk.org/2015/07/08/webkitgtk2.8.4-released.html
http://www.webkitgtk.org/2015/08/06/webkitgtk2.8.5-released.html
http://www.webkitgtk.org/2015/09/21/webkitgtk2.10.0-released.html
http://www.webkitgtk.org/2015/10/14/webkitgtk2.10.1-released.html
http://www.webkitgtk.org/2015/10/15/webkitgtk2.10.2-released.html
http://www.webkitgtk.org/2015/10/26/webkitgtk2.10.3-released.html
http://www.webkitgtk.org/2015/11/11/webkitgtk2.10.4-released.html
http://www.webkitgtk.org/2016/01/20/webkitgtk2.10.5-released.html
http://www.webkitgtk.org/2016/01/27/webkitgtk2.10.6-released.html
http://www.webkitgtk.org/2016/01/29/webkitgtk2.10.7-released.html
http://www.webkitgtk.org/2016/03/11/webkitgtk2.10.8-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.10.8-1.mga5
webkit2-jsc-2.10.8-1.mga5
libwebkit2gtk4.0_37-2.10.8-1.mga5
libjavascriptcoregtk4.0_18-2.10.8-1.mga5
libwebkit2-devel-2.10.8-1.mga5
libjavascriptcore-gir4.0-2.10.8-1.mga5
libwebkit2gtk-gir4.0-2.10.8-1.mga5

from webkit2-2.10.8-1.mga5.src.rpm

Assignee: pkg-bugs => qa-bugs

Comment 10 claire robinson 2016-03-15 21:31:59 CET
Several :D
Dave Hodgins 2016-03-15 22:16:06 CET

CC: (none) => davidwhodgins
Whiteboard: (none) => advisory

Comment 11 David Walser 2016-03-17 20:13:01 CET
WebKit2 2.10.9 was released today (March 17), fixing a rendering regression in 2.10.8:
http://www.webkitgtk.org/2016/03/17/webkitgtk2.10.9-released.html

It's building now.

Advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.10.9, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1068
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1069
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1070
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1071
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1073
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1076
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1124
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1155
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3658
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3659
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3660
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3731
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3732
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3734
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3736
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3737
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3738
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3741
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3742
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3744
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3745
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3747
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3748
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3749
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3750
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3751
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3752
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3754
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3755
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5788
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5793
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5797
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5799
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5800
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5801
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5804
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5809
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5810
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5817
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5818
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5819
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5822
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5823
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5825
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5827
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5828
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5928
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5929
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5930
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5931
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7002
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7012
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7048
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7095
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7096
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7098
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7099
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7100
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7102
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7103
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7104
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1723
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1724
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1725
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1726
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1727
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1728
http://webkitgtk.org/security/WSA-2015-0002.html
http://webkitgtk.org/security/WSA-2016-0001.html
http://webkitgtk.org/security/WSA-2016-0002.html
http://www.webkitgtk.org/2015/04/14/webkitgtk2.8.1-released.html
http://www.webkitgtk.org/2015/05/12/webkitgtk2.8.2-released.html
http://www.webkitgtk.org/2015/07/08/webkitgtk2.8.4-released.html
http://www.webkitgtk.org/2015/08/06/webkitgtk2.8.5-released.html
http://www.webkitgtk.org/2015/09/21/webkitgtk2.10.0-released.html
http://www.webkitgtk.org/2015/10/14/webkitgtk2.10.1-released.html
http://www.webkitgtk.org/2015/10/15/webkitgtk2.10.2-released.html
http://www.webkitgtk.org/2015/10/26/webkitgtk2.10.3-released.html
http://www.webkitgtk.org/2015/11/11/webkitgtk2.10.4-released.html
http://www.webkitgtk.org/2016/01/20/webkitgtk2.10.5-released.html
http://www.webkitgtk.org/2016/01/27/webkitgtk2.10.6-released.html
http://www.webkitgtk.org/2016/01/29/webkitgtk2.10.7-released.html
http://www.webkitgtk.org/2016/03/11/webkitgtk2.10.8-released.html
http://www.webkitgtk.org/2016/03/17/webkitgtk2.10.9-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.10.9-1.mga5
webkit2-jsc-2.10.9-1.mga5
libwebkit2gtk4.0_37-2.10.9-1.mga5
libjavascriptcoregtk4.0_18-2.10.9-1.mga5
libwebkit2-devel-2.10.9-1.mga5
libjavascriptcore-gir4.0-2.10.9-1.mga5
libwebkit2gtk-gir4.0-2.10.9-1.mga5

from webkit2-2.10.9-1.mga5.src.rpm
Comment 12 David Walser 2016-03-17 20:17:53 CET
Advisory updated in SVN.
Comment 13 Herman Viaene 2016-03-22 17:01:33 CET
Is this bug not superfluous as bug 18018 goes to version 2.4.10????

CC: (none) => herman.viaene

Comment 14 David Walser 2016-03-23 02:30:57 CET
(In reply to Herman Viaene from comment #13)
> Is this bug not superfluous as bug 18018 goes to version 2.4.10????

Of course not.  That was for webkit (aka webkit1) and this is webkit2.  Different packages are linked to different webkits.
Comment 15 David Walser 2016-03-23 19:09:05 CET
LWN reference for CVE-2016-1726:
http://lwn.net/Vulnerabilities/681103/
Comment 16 David Walser 2016-03-23 22:26:10 CET
Packages that are linked to webkit2:
Source RPM  : anjuta-3.14.1-1.mga5.src.rpm
Source RPM  : devhelp-3.14.0-3.mga5.src.rpm
Source RPM  : eclipse-4.4.1-4.1.mga5.src.rpm
Source RPM  : epiphany-3.14.2-1.mga5.src.rpm
Source RPM  : gitg-3.14.1-1.1.mga5.src.rpm
Source RPM  : gnome-shell-3.14.3-8.1.mga5.src.rpm
Source RPM  : gthumb-3.3.2-5.mga5.src.rpm
Source RPM  : shotwell-0.22.1-0.20160310.1.mga5.src.rpm
Source RPM  : sugar-toolkit-gtk3-0.102.0-4.mga5.src.rpm
Comment 17 Herman Viaene 2016-03-24 11:36:58 CET
MGA5-32 on Acer D620 Xfce
No installation issues
Installed and ran shotwell, imported some pictures, improved one and checked with strace that webkit2 (libwebkit2gtk) had been called upon. OK

Whiteboard: advisory => advisory MGA5-32-OK
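
The check described in comments 14 to 17 (confirming which WebKitGTK generation an application really loads) can also be made from a process's memory map instead of strace. The script below is an added example, not part of the bug report or of Mageia's tooling; it also flags processes that still map a library file replaced by the update. The function names are hypothetical and the sample map lines, including the library file version suffixes, are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the bug report). Function names are hypothetical.

# webkit_mappings: read lines in /proc/PID/maps format on stdin and print the
# WebKitGTK generation(s) mapped: "webkit1", "webkit2", both, or "none".
# ":stale" is appended when the mapped file was replaced on disk (the kernel
# then shows the path with a trailing "(deleted)"), meaning the process still
# runs the pre-update library and has to be restarted.
webkit_mappings() {
    awk '
        {
            gen = ""
            if ($0 ~ /libwebkit2gtk-[0-9.]+\.so/)     gen = "webkit2"
            else if ($0 ~ /libwebkitgtk-[0-9.]+\.so/) gen = "webkit1"
            if (gen == "") next
            seen[gen] = 1
            if ($0 ~ /\(deleted\)$/) stale[gen] = 1
        }
        END {
            out = ""
            n = split("webkit1 webkit2", order, " ")
            for (i = 1; i <= n; i++) {
                g = order[i]
                if (!(g in seen)) continue
                sep = (out == "") ? "" : " "
                tag = (g in stale) ? ":stale" : ""
                out = out sep g tag
            }
            if (out == "") out = "none"
            print out
        }
    '
}

# stale_webkit_pids: list "PID status" for every readable process that still
# maps a replaced WebKitGTK library. Live use only; run as root to see all PIDs.
stale_webkit_pids() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        status=$(webkit_mappings < "$maps") || continue
        case "$status" in
            *:stale*) pid=${maps#/proc/}; echo "${pid%/maps} $status" ;;
        esac
    done 2>/dev/null
}

# Constructed sample input (addresses, inodes and version suffixes invented).
SAMPLE_BEFORE_RESTART='b5a00000-b7400000 r-xp 00000000 08:01 131 /usr/lib/libwebkit2gtk-4.0.so.37.0.0 (deleted)
b7400000-b7700000 r-xp 00000000 08:01 140 /usr/lib/libjavascriptcoregtk-4.0.so.18.0.0 (deleted)
b7700000-b78a0000 r-xp 00000000 08:01 150 /usr/lib/libc-2.20.so'
SAMPLE_AFTER_RESTART='b5a00000-b7400000 r-xp 00000000 08:01 231 /usr/lib/libwebkit2gtk-4.0.so.37.0.0
b7700000-b78a0000 r-xp 00000000 08:01 150 /usr/lib/libc-2.20.so'
SAMPLE_WEBKIT1='b5a00000-b7400000 r-xp 00000000 08:01 331 /usr/lib/libwebkitgtk-3.0.so.0.0.0
b7700000-b78a0000 r-xp 00000000 08:01 150 /usr/lib/libc-2.20.so'

echo "before restart: $(printf '%s\n' "$SAMPLE_BEFORE_RESTART" | webkit_mappings)"
echo "after restart:  $(printf '%s\n' "$SAMPLE_AFTER_RESTART" | webkit_mappings)"
echo "webkit1 app:    $(printf '%s\n' "$SAMPLE_WEBKIT1" | webkit_mappings)"
```

On a live system, `webkit_mappings < /proc/PID/maps` checks one process and `stale_webkit_pids` lists the processes that need a restart after the update is installed.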

Comment 18 claire robinson 2016-03-24 22:36:18 CET
Validating. Advisory todo.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 19 Mageia Robot 2016-03-25 07:39:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0116.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 20 David Walser 2016-03-28 16:55:16 CEST
LWN reference for more CVEs:
http://lwn.net/Vulnerabilities/681395/
