Upstream has issued an advisory on May 30: http://webkitgtk.org/security/WSA-2016-0004.html The issues are fixed in 2.12.3.
CC: (none) => marja11
Assignee: bugsquad => fundawang
Updated package uploaded for Mageia 5.

Packages that are linked to webkit2:
Source RPM : anjuta-3.14.1-1.mga5.src.rpm
Source RPM : devhelp-3.14.0-3.mga5.src.rpm
Source RPM : eclipse-4.4.1-4.1.mga5.src.rpm
Source RPM : epiphany-3.14.2-1.mga5.src.rpm
Source RPM : gitg-3.14.1-1.1.mga5.src.rpm
Source RPM : gnome-shell-3.14.3-8.1.mga5.src.rpm
Source RPM : gthumb-3.3.2-5.mga5.src.rpm
Source RPM : shotwell-0.22.1-0.20160310.1.mga5.src.rpm
Source RPM : sugar-toolkit-gtk3-0.102.0-4.mga5.src.rpm

Advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.12.3, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1859
http://webkitgtk.org/security/WSA-2016-0004.html
https://webkitgtk.org/2016/03/22/webkitgtk2.12.0-released.html
https://webkitgtk.org/2016/04/14/webkitgtk2.12.1-released.html
https://webkitgtk.org/2016/04/28/webkitgtk2.12.2-released.html
https://webkitgtk.org/2016/05/24/webkitgtk2.12.3-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.12.3-1.mga5
webkit2-jsc-2.12.3-1.mga5
libwebkit2gtk4.0_37-2.12.3-1.mga5
libjavascriptcoregtk4.0_18-2.12.3-1.mga5
libwebkit2-devel-2.12.3-1.mga5
libjavascriptcore-gir4.0-2.12.3-1.mga5
libwebkit2gtk-gir4.0-2.12.3-1.mga5

from webkit2-2.12.3-1.mga5.src.rpm
Assignee: fundawang => qa-bugs
Never mind, it didn't build. I have no idea how to fix it: http://pkgsubmit.mageia.org/uploads/failure/5/core/updates_testing/20160720133504.luigiwalser.duvel.30282/log/webkit2-2.12.3-1.mga5/build.0.20160720143422.log
CC: (none) => qa-bugs
Assignee: qa-bugs => pkg-bugs
Now it's built thanks to Jani. Comment 1 for packages and advisory.
CC: qa-bugs => (none)
Assignee: pkg-bugs => qa-bugs
I searched for items that use webkit2. What I could find was lightdm. However, my question is: does lightdm pull in the libraries, or did they link them in at compile? Any other suggestions for testing? Also, I installed the libraries in a VM instance, but lightdm isn't an option?
CC: (none) => brtians1
ok - got these dependencies:

urpmq --whatrequires libwebkit2gtk4.0_37
anjuta
eclipse-swt
eclipse-swt
epiphany
gthumb
libdevhelp3_2
libgitg1.0_0
libgitg1.0_0
libwebkit2-devel
libwebkit2gtk-gir4.0
libwebkit2gtk-gir4.0
libwebkit2gtk-gir4.0
libwebkit2gtk4.0_37
shotwell
webkit2
webkit2
webkit2

I've set up mga5-gnome-i586 in a VM and will try some photos, etc.
Linux localhost 4.4.16-desktop-1.mga5 #1 SMP Tue Jul 26 10:34:04 UTC 2016 i686 i686 i686 GNU/Linux

The following 7 packages are going to be installed:
- libjavascriptcore-gir4.0-2.12.3-1.mga5.i586
- libjavascriptcoregtk4.0_18-2.12.3-1.mga5.i586
- libwebkit2gtk-gir4.0-2.12.3-1.mga5.i586
- libwebkit2gtk4.0_37-2.12.3-1.mga5.i586
- meta-task-5-28.1.mga5.noarch
- webkit2-2.12.3-1.mga5.i586
- webkit2-jsc-2.12.3-1.mga5.i586
6.1MB of additional disk space will be used.
22MB of packages will be retrieved.

Pulled up images using Shotwell. Viewed thumbnails. These all seem to be working as designed. Also using the generic Gnome Web and is working as well.
Whiteboard: (none) => mga5-32-OK
$ uname -a
Linux localhost 4.4.16-desktop-1.mga5 #1 SMP Tue Jul 26 09:23:40 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

This time I also chose the dev modules

The following 80 packages are going to be installed:
- fontconfig-2.11.1-4.1.mga5.x86_64
- graphite2-1.3.6-1.mga5.x86_64
- hyphen-devel-2.8.8-2.mga5.x86_64
- lib64atk-bridge-devel-2.14.1-2.mga5.x86_64
- lib64atk1.0-devel-2.14.0-3.mga5.x86_64
- lib64atspi-devel-2.14.1-1.mga5.x86_64
- lib64bzip2-devel-1.0.6-7.mga5.x86_64
- lib64cairo-devel-1.14.0-1.mga5.x86_64
- lib64directfb-devel-1.7.5-4.mga5.x86_64
- lib64drm-devel-2.4.59-1.mga5.x86_64
- lib64enchant-devel-1.6.0-11.mga5.x86_64
- lib64expat-devel-2.1.0-9.3.mga5.x86_64
- lib64fontconfig-devel-2.11.1-4.1.mga5.x86_64
- lib64fontconfig1-2.11.1-4.1.mga5.x86_64
- lib64freetype6-devel-2.5.4-2.mga5.x86_64
- lib64gbm1-devel-10.5.9-3.mga5.x86_64
- lib64gdk_pixbuf2.0-devel-2.32.1-1.1.mga5.x86_64
- lib64glapi0-devel-10.5.9-3.mga5.x86_64
- lib64graphite2-devel-1.3.6-1.mga5.x86_64
- lib64gstreamer-plugins-base1.0-devel-1.4.3-2.mga5.x86_64
- lib64gstreamer1.0-devel-1.4.3-2.mga5.x86_64
- lib64gtk+3.0-devel-3.14.8-5.1.mga5.x86_64
- lib64harfbuzz-devel-0.9.36-1.1.mga5.x86_64
- lib64icu-devel-53.1-12.3.mga5.x86_64
- lib64javascriptcore-gir4.0-2.12.3-1.mga5.x86_64
- lib64javascriptcoregtk4.0_18-2.12.3-1.mga5.x86_64
- lib64jpeg-devel-1.3.1-4.1.mga5.x86_64
- lib64mesaegl1-devel-10.5.9-3.mga5.x86_64
- lib64mesagl1-devel-10.5.9-3.mga5.x86_64
- lib64notify-devel-0.7.6-6.mga5.x86_64
- lib64orc-devel-0.4.22-3.mga5.x86_64
- lib64pango1.0-devel-1.36.8-3.mga5.x86_64
- lib64pciaccess-devel-0.13.2-4.mga5.x86_64
- lib64pixman-devel-0.32.8-1.mga5.x86_64
- lib64png-devel-1.6.22-1.mga5.x86_64
- lib64secret-devel-0.18-4.mga5.x86_64
- lib64soup-devel-2.48.1-1.mga5.x86_64
- lib64sqlite3-devel-3.8.10.2-1.2.mga5.x86_64
- lib64turbojpeg0-1.3.1-4.1.mga5.x86_64
- lib64wayland-devel-1.6.0-2.mga5.x86_64
- lib64wayland-egl1-devel-10.5.9-3.mga5.x86_64
- lib64webkit2-devel-2.12.3-1.mga5.x86_64
- lib64webkit2gtk-gir4.0-2.12.3-1.mga5.x86_64
- lib64webkit2gtk4.0_37-2.12.3-1.mga5.x86_64
- lib64webp-devel-0.4.3-1.mga5.x86_64
- lib64webpdemux1-0.4.3-1.mga5.x86_64
- lib64x11-devel-1.6.3-1.mga5.x86_64
- lib64xau-devel-1.0.8-5.mga5.x86_64
- lib64xcb-damage0-1.11.1-1.mga5.x86_64
- lib64xcb-devel-1.11.1-1.mga5.x86_64
- lib64xcb-dpms0-1.11.1-1.mga5.x86_64
- lib64xcb-record0-1.11.1-1.mga5.x86_64
- lib64xcb-res0-1.11.1-1.mga5.x86_64
- lib64xcb-screensaver0-1.11.1-1.mga5.x86_64
- lib64xcb-xevie0-1.11.1-1.mga5.x86_64
- lib64xcb-xf86dri0-1.11.1-1.mga5.x86_64
- lib64xcb-xinerama0-1.11.1-1.mga5.x86_64
- lib64xcb-xprint0-1.11.1-1.mga5.x86_64
- lib64xcb-xtest0-1.11.1-1.mga5.x86_64
- lib64xcb-xvmc0-1.11.1-1.mga5.x86_64
- lib64xcomposite-devel-0.4.4-7.mga5.x86_64
- lib64xcursor-devel-1.1.14-5.mga5.x86_64
- lib64xdamage-devel-1.1.4-7.mga5.x86_64
- lib64xdmcp-devel-1.1.1-7.mga5.x86_64
- lib64xext-devel-1.3.3-3.mga5.x86_64
- lib64xfixes-devel-5.0.1-5.mga5.x86_64
- lib64xft-devel-2.3.2-3.mga5.x86_64
- lib64xi-devel-1.7.4-3.mga5.x86_64
- lib64xinerama-devel-1.1.3-5.mga5.x86_64
- lib64xkbcommon-devel-0.4.3-1.mga5.x86_64
- lib64xrandr-devel-1.4.2-4.mga5.x86_64
- lib64xrender-devel-0.9.8-5.mga5.x86_64
- lib64xshmfence-devel-1.1-3.mga5.x86_64
- lib64xxf86vm-devel-1.1.3-5.mga5.x86_64
- libpthread-stubs-0.3-5.mga5.x86_64
- orc-0.4.22-3.mga5.x86_64
- pango-doc-1.36.8-3.mga5.noarch
- wayland-tools-1.6.0-2.mga5.x86_64
- webkit2-2.12.3-1.mga5.x86_64
- x11-proto-devel-7.7-14.mga5.x86_64
112MB of additional disk space will be used.

Ran shotwell as well as viewed thumbnails. All seems to work.

35MB of packages will be retrieved.
Keywords: (none) => validated_update
Whiteboard: mga5-32-OK => mga5-32-OK mga5-64-ok
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => lewyssmith
Whiteboard: mga5-32-OK mga5-64-ok => mga5-32-OK mga5-64-ok advisory
Upstream has issued an advisory today (August 25): https://webkitgtk.org/security/WSA-2016-0005.html Now this needs to be updated again to 2.12.4: https://webkitgtk.org/2016/08/24/webkitgtk2.12.4-released.html
Keywords: validated_update => (none)
CC: (none) => jani.valimaa
Summary: webkit2 security issues fixed upstream (WSA-2016-0004) => webkit2 security issues fixed upstream (WSA-2016-0004 and WSA-2016-0005)
Whiteboard: mga5-32-OK mga5-64-ok advisory => feedback
Advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.12.4, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4590
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4591
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4624
https://webkitgtk.org/security/WSA-2016-0004.html
https://webkitgtk.org/security/WSA-2016-0005.html
https://webkitgtk.org/2016/03/22/webkitgtk2.12.0-released.html
https://webkitgtk.org/2016/04/14/webkitgtk2.12.1-released.html
https://webkitgtk.org/2016/04/28/webkitgtk2.12.2-released.html
https://webkitgtk.org/2016/05/24/webkitgtk2.12.3-released.html
https://webkitgtk.org/2016/08/24/webkitgtk2.12.4-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.12.4-1.mga5
webkit2-jsc-2.12.4-1.mga5
libwebkit2gtk4.0_37-2.12.4-1.mga5
libjavascriptcoregtk4.0_18-2.12.4-1.mga5
libwebkit2-devel-2.12.4-1.mga5
libjavascriptcore-gir4.0-2.12.4-1.mga5
libwebkit2gtk-gir4.0-2.12.4-1.mga5

from webkit2-2.12.4-1.mga5.src.rpm
Whiteboard: feedback => (none)
LWN reference for WSA-2016-0005: http://lwn.net/Vulnerabilities/698490/
ok - repeated basic tests again with Shotwell.

Linux localhost 4.4.16-desktop-1.mga5 #1 SMP Tue Jul 26 10:34:04 UTC 2016 i686 i686 i686 GNU/Linux

Installed the regular and devel stuff.

Rpmdrake or one of its priority dependencies needs to be updated first. Rpmdrake will then restart.

The following 106 packages are going to be installed:
- fontconfig-2.11.1-4.1.mga5.i586
- gcc3.3-3.3.6-11.mga5.i586
- gcc3.3-cpp-3.3.6-11.mga5.i586
- glib-gettextize-2.42.1-2.1.mga5.i586
- glibc-devel-2.20-23.mga5.i586
- graphite2-1.3.6-1.mga5.i586
- hyphen-devel-2.8.8-2.mga5.i586
- kernel-userspace-headers-4.4.16-1.mga5.i586
- libatk-bridge-devel-2.14.1-2.mga5.i586
- libatk1.0-devel-2.14.0-3.mga5.i586
- libatspi-devel-2.14.1-1.mga5.i586
- libbzip2-devel-1.0.6-7.mga5.i586
- libcairo-devel-1.14.0-1.mga5.i586
- libdbus-devel-1.8.20-1.mga5.i586
- libdirectfb-devel-1.7.5-4.mga5.i586
- libdrm-devel-2.4.59-1.mga5.i586
- libenchant-devel-1.6.0-11.mga5.i586
- libexpat-devel-2.1.0-9.3.mga5.i586
- libffi-devel-3.1-4.mga5.i586
- libfontconfig-devel-2.11.1-4.1.mga5.i586
- libfontconfig1-2.11.1-4.1.mga5.i586
- libfreetype6-devel-2.5.4-2.mga5.i586
- libgbm1-devel-10.5.9-3.mga5.i586
- libgcrypt-devel-1.5.4-5.3.mga5.i586
- libgcrypt11-1.5.4-5.3.mga5.i586
- libgdk_pixbuf2.0-devel-2.32.1-1.1.mga5.i586
- libglapi0-devel-10.5.9-3.mga5.i586
- libglib2.0-devel-2.42.1-2.1.mga5.i586
- libgpg-error-devel-1.13-3.mga5.i586
- libgraphite2-devel-1.3.6-1.mga5.i586
- libgstreamer-plugins-base1.0-devel-1.4.3-2.mga5.i586
- libgstreamer1.0-devel-1.4.3-2.mga5.i586
- libgtk+3.0-devel-3.14.8-5.1.mga5.i586
- libharfbuzz-devel-0.9.36-1.1.mga5.i586
- libicu-devel-53.1-12.3.mga5.i586
- libjavascriptcore-gir4.0-2.12.4-1.mga5.i586
- libjavascriptcoregtk4.0_18-2.12.4-1.mga5.i586
- libjpeg-devel-1.3.1-4.1.mga5.i586
- liblzma-devel-5.2.0-1.mga5.i586
- libmesaegl1-devel-10.5.9-3.mga5.i586
- libmesagl1-devel-10.5.9-3.mga5.i586
- libnotify-devel-0.7.6-6.mga5.i586
- liborc-devel-0.4.22-3.mga5.i586
- libpango1.0-devel-1.36.8-3.mga5.i586
- libpciaccess-devel-0.13.2-4.mga5.i586
- libpcre-devel-8.38-1.mga5.i586
- libpcre16_0-8.38-1.mga5.i586
- libpcre32_0-8.38-1.mga5.i586
- libpixman-devel-0.32.8-1.mga5.i586
- libpng-devel-1.6.22-1.mga5.i586
- libpthread-stubs-0.3-5.mga5.i586
- libsecret-devel-0.18-4.mga5.i586
- libsoup-devel-2.48.1-1.mga5.i586
- libsqlite3-devel-3.8.10.2-1.2.mga5.i586
- libstdc++5-3.3.6-11.mga5.i586
- libstdc++5-devel-3.3.6-11.mga5.i586
- libturbojpeg0-1.3.1-4.1.mga5.i586
- libudev-devel-217-11.1.mga5.i586
- libwayland-devel-1.6.0-2.mga5.i586
- libwayland-egl1-devel-10.5.9-3.mga5.i586
- libwebkit2-devel-2.12.4-1.mga5.i586
- libwebkit2gtk-gir4.0-2.12.4-1.mga5.i586
- libwebkit2gtk4.0_37-2.12.4-1.mga5.i586
- libwebp-devel-0.4.3-1.mga5.i586
- libwebpdemux1-0.4.3-1.mga5.i586
- libx11-devel-1.6.3-1.mga5.i586
- libxau-devel-1.0.8-5.mga5.i586
- libxcb-composite0-1.11.1-1.mga5.i586
- libxcb-damage0-1.11.1-1.mga5.i586
- libxcb-devel-1.11.1-1.mga5.i586
- libxcb-dpms0-1.11.1-1.mga5.i586
- libxcb-record0-1.11.1-1.mga5.i586
- libxcb-res0-1.11.1-1.mga5.i586
- libxcb-screensaver0-1.11.1-1.mga5.i586
- libxcb-shape0-1.11.1-1.mga5.i586
- libxcb-xevie0-1.11.1-1.mga5.i586
- libxcb-xf86dri0-1.11.1-1.mga5.i586
- libxcb-xinerama0-1.11.1-1.mga5.i586
- libxcb-xprint0-1.11.1-1.mga5.i586
- libxcb-xtest0-1.11.1-1.mga5.i586
- libxcb-xv0-1.11.1-1.mga5.i586
- libxcb-xvmc0-1.11.1-1.mga5.i586
- libxcomposite-devel-0.4.4-7.mga5.i586
- libxcursor-devel-1.1.14-5.mga5.i586
- libxdamage-devel-1.1.4-7.mga5.i586
- libxdmcp-devel-1.1.1-7.mga5.i586
- libxext-devel-1.3.3-3.mga5.i586
- libxfixes-devel-5.0.1-5.mga5.i586
- libxft-devel-2.3.2-3.mga5.i586
- libxi-devel-1.7.4-3.mga5.i586
- libxinerama-devel-1.1.3-5.mga5.i586
- libxkbcommon-devel-0.4.3-1.mga5.i586
- libxml2-devel-2.9.4-1.1.mga5.i586
- libxrandr-devel-1.4.2-4.mga5.i586
- libxrender-devel-0.9.8-5.mga5.i586
- libxshmfence-devel-1.1-3.mga5.i586
- libxslt-devel-1.1.29-1.mga5.i586
- libxxf86vm-devel-1.1.3-5.mga5.i586
- libzlib-devel-1.2.8-7.mga5.i586
- meta-task-5-28.1.mga5.noarch
- orc-0.4.22-3.mga5.i586
- pango-doc-1.36.8-3.mga5.noarch
- wayland-tools-1.6.0-2.mga5.i586
- webkit2-2.12.4-1.mga5.i586
- webkit2-jsc-2.12.4-1.mga5.i586
- x11-proto-devel-7.7-14.mga5.i586
174MB of additional disk space will be used.
48MB of packages will be retrieved.

--- viewed thumbnails - works as designed
--- Reviewed photos using shotwell - works as designed

For grins - using gnome Web to post this.
Whiteboard: (none) => mga5-32-ok
CC: lewyssmith => (none)
Linux localhost 4.4.16-desktop-1.mga5 #1 SMP Tue Jul 26 09:23:40 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

The following 7 packages are going to be installed:
- lib64javascriptcore-gir4.0-2.12.4-1.mga5.x86_64
- lib64javascriptcoregtk4.0_18-2.12.4-1.mga5.x86_64
- lib64webkit2-devel-2.12.4-1.mga5.x86_64
- lib64webkit2gtk-gir4.0-2.12.4-1.mga5.x86_64
- lib64webkit2gtk4.0_37-2.12.4-1.mga5.x86_64
- webkit2-2.12.4-1.mga5.x86_64
- webkit2-jsc-2.12.4-1.mga5.x86_64
187KB of additional disk space will be used.
22MB of packages will be retrieved.

Thumbnails and Shotwell work in gnome.
Whiteboard: mga5-32-ok => MGA5-32-OK MGA5-64-OK
Keywords: (none) => validated_update
5/core/webkit2-2.12.3-1.mga5 listed in the advisory does not exist
CC: (none) => pterjan
The advisory in SVN needs to be updated to match Comment 11.
Advisory updated.
Whiteboard: MGA5-32-OK MGA5-64-OK => MGA5-32-OK MGA5-64-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0294.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
LWN reference for some of the WSA-2016-0004 CVEs.
LWN reference for most of the CVEs: http://lwn.net/Vulnerabilities/700654/
(In reply to David Walser from comment #19)
> LWN reference for some of the WSA-2016-0004 CVEs: http://lwn.net/Vulnerabilities/698490/