Bug 20642 - webkit2 security issues fixed upstream (WSA-2017-0003)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Reported: 2017-04-10 01:05 CEST by David Walser
Modified: 2017-04-16 08:29 CEST
Source RPM: webkit2-2.14.5-1.mga5.src.rpm

Description David Walser 2017-04-10 01:05:45 CEST
Upstream has issued an advisory on April 6:
https://webkitgtk.org/security/WSA-2017-0003.html

The issues are fixed upstream in 2.14.6 and 2.16.0 (there's also a 2.16.1):
https://webkitgtk.org/2017/04/06/webkitgtk2.14.6-released.html
https://webkitgtk.org/2017/03/20/webkitgtk2.16.0-released.html
https://webkitgtk.org/2017/04/04/webkitgtk2.16.1-released.html
Comment 1 Marja Van Waes 2017-04-10 07:21:11 CEST
(In reply to David Walser from comment #0)
> Upstream has issued an advisory on April 6:
> https://webkitgtk.org/security/WSA-2017-0003.html
> 
> The issues are fixed upstream in 2.14.6 and 2.16.0 (there's also a 2.16.1):
> https://webkitgtk.org/2017/04/06/webkitgtk2.14.6-released.html
> https://webkitgtk.org/2017/03/20/webkitgtk2.16.0-released.html
> https://webkitgtk.org/2017/04/04/webkitgtk2.16.1-released.html

Nicolas pushed webkit2-2.14.6-1.mga5 last Friday.


Suggested Advisory :

This verson contains the following security issues:

  CVE-2016-9643, CVE-2017-2364, CVE-2017-2367, CVE-2017-2369,
  CVE-2017-2377, CVE-2017-2392, CVE-2017-2394, CVE-2017-2405,
  CVE-2017-2419, CVE-2017-2442, CVE-2017-2446, CVE-2017-2454,
  CVE-2017-2459, CVE-2017-2460, CVE-2017-246[56], CVE-2017-2468,
  CVE-2017-247[01], CVE-2017-247[56], CVE-2017-2481

https://webkitgtk.org/security/WSA-2017-0003.html

RPMS:
    
    libjavascriptcore-gir4.0-2.14.6-1.mga5.i586
    libjavascriptcoregtk4.0_18-2.14.6-1.mga5.i586
    libwebkit2-devel-2.14.6-1.mga5.i586
    libwebkit2gtk-gir4.0-2.14.6-1.mga5.i586
    libwebkit2gtk4.0_37-2.14.6-1.mga5.i586
    webkit2-2.14.6-1.mga5.i586
    webkit2-jsc-2.14.6-1.mga5.i586

    lib64javascriptcore-gir4.0-2.14.6-1.mga5.x86_64
    lib64javascriptcoregtk4.0_18-2.14.6-1.mga5.x86_64
    lib64webkit2-devel-2.14.6-1.mga5.x86_64
    lib64webkit2gtk-gir4.0-2.14.6-1.mga5.x86_64
    lib64webkit2gtk4.0_37-2.14.6-1.mga5.x86_64
    webkit2-2.14.6-1.mga5.x86_64
    webkit2-jsc-2.14.6-1.mga5.x86_64

Assignee: nicolas.salguero => qa-bugs
CC: (none) => marja11, nicolas.salguero

Comment 2 Marja Van Waes 2017-04-10 07:21:57 CEST
ouch

s/verson contains/version fixes/

:-(
Comment 3 Marja Van Waes 2017-04-10 07:32:41 CEST
Trying again, hopefully good this time:
(Please don't hesitate to correct if it isn't good!)


Nicolas pushed webkit2-2.14.6-1.mga5 last Friday.


Suggested Advisory :

This version contains the following security fixes:

  CVE-2016-9643, CVE-2017-2364, CVE-2017-2367, CVE-2017-2369,
  CVE-2017-2377, CVE-2017-2392, CVE-2017-2394, CVE-2017-2405,
  CVE-2017-2419, CVE-2017-2442, CVE-2017-2446, CVE-2017-2454,
  CVE-2017-2459, CVE-2017-2460, CVE-2017-246[56], CVE-2017-2468,
  CVE-2017-247[01], CVE-2017-247[56], CVE-2017-2481

https://webkitgtk.org/security/WSA-2017-0003.html

RPMS:
    
    libjavascriptcore-gir4.0-2.14.6-1.mga5.i586
    libjavascriptcoregtk4.0_18-2.14.6-1.mga5.i586
    libwebkit2-devel-2.14.6-1.mga5.i586
    libwebkit2gtk-gir4.0-2.14.6-1.mga5.i586
    libwebkit2gtk4.0_37-2.14.6-1.mga5.i586
    webkit2-2.14.6-1.mga5.i586
    webkit2-jsc-2.14.6-1.mga5.i586

    lib64javascriptcore-gir4.0-2.14.6-1.mga5.x86_64
    lib64javascriptcoregtk4.0_18-2.14.6-1.mga5.x86_64
    lib64webkit2-devel-2.14.6-1.mga5.x86_64
    lib64webkit2gtk-gir4.0-2.14.6-1.mga5.x86_64
    lib64webkit2gtk4.0_37-2.14.6-1.mga5.x86_64
    webkit2-2.14.6-1.mga5.x86_64
    webkit2-jsc-2.14.6-1.mga5.x86_64
Comment 4 David Walser 2017-04-14 21:31:54 CEST
Ubuntu has issued an advisory for this on April 10:
https://www.ubuntu.com/usn/usn-3257-1/
Dave Hodgins 2017-04-15 00:30:35 CEST

Whiteboard: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Dave Hodgins 2017-04-16 00:29:28 CEST
Just testing with epiphany running under strace, confirming webkit2 is used.

X86_64 ok, testing under i586 shortly.

Whiteboard: advisory => advisory MGA5-64-OK

Comment 6 Dave Hodgins 2017-04-16 00:34:46 CEST
i586 ok. Validating the update.

Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2017-04-16 08:29:47 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0109.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
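
The fix list in the suggested advisory uses bracket shorthand (for example CVE-2017-246[56]), so a plain-text search for CVE-2017-2466 does not match it. The following is an added example, not part of the bug report or of Mageia's tooling: it expands the shorthand into full IDs and splits a constructed list of scanner findings into those covered by this update and those not listed. The function names and the CVE-0000-0000 placeholder are assumptions made for illustration.

```python
import re

# Fix list copied verbatim from the suggested advisory in this bug report.
ADVISORY_TEXT = """
  CVE-2016-9643, CVE-2017-2364, CVE-2017-2367, CVE-2017-2369,
  CVE-2017-2377, CVE-2017-2392, CVE-2017-2394, CVE-2017-2405,
  CVE-2017-2419, CVE-2017-2442, CVE-2017-2446, CVE-2017-2454,
  CVE-2017-2459, CVE-2017-2460, CVE-2017-246[56], CVE-2017-2468,
  CVE-2017-247[01], CVE-2017-247[56], CVE-2017-2481
"""

# One token: CVE-<year>-<digits, optionally containing [..] digit groups>.
TOKEN = re.compile(r"CVE-(\d{4})-((?:\d|\[\d+\])+)")
# One position inside the number: either a [..] group or a single digit.
PART = re.compile(r"\[(\d+)\]|(\d)")


def expand_token(year, body):
    """Expand 'CVE-2017-246[56]' style shorthand into every full ID."""
    numbers = [""]
    for group, digit in PART.findall(body):
        choices = group if group else digit
        numbers = [prefix + c for prefix in numbers for c in choices]
    return [f"CVE-{year}-{n}" for n in numbers]


def expand_advisory(text):
    """Return the sorted, de-duplicated list of full CVE IDs in text."""
    found = set()
    for year, body in TOKEN.findall(text):
        found.update(expand_token(year, body))
    return sorted(found)


def covered(findings, text=ADVISORY_TEXT):
    """Split scanner findings into (fixed by this update, not listed)."""
    fixed = set(expand_advisory(text))
    hit = [c for c in findings if c.upper() in fixed]
    miss = [c for c in findings if c.upper() not in fixed]
    return hit, miss


if __name__ == "__main__":
    # Constructed scanner output; CVE-0000-0000 is a placeholder, not a real ID.
    sample = ["CVE-2017-2466", "CVE-2017-2471", "CVE-0000-0000"]
    print(len(expand_advisory(ADVISORY_TEXT)), "CVEs listed")
    print(covered(sample))
```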