23189 – webkit2 security issues fixed upstream (WSA-2018-0005)

Bug 23189 - webkit2 security issues fixed upstream (WSA-2018-0005)

Summary: webkit2 security issues fixed upstream (WSA-2018-0005)

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: normal
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA6-32-OK
Keywords:	advisory, has_procedure, validated_update

Depends on:
Blocks:

Reported:	2018-06-17 00:56 CEST by David Walser
Modified:	2018-07-01 19:18 CEST (History)
CC List:	3 users (show)

See Also:
Source RPM:	webkit2-2.20.2-1.mga6.src.rpm
CVE:
Status comment:

Attachments
zenity test script (189 bytes, application/x-shellscript) 2018-06-30 14:53 CEST, Herman Viaene	Details
Sample pdf with hyperlinks (12.05 KB, application/pdf) 2018-06-30 14:54 CEST, Herman Viaene	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-06-17 00:56:46 CEST

Upstream has issued an advisory on June 13:
https://webkitgtk.org/security/WSA-2018-0005.html

The issues have been fixed in 2.20.3, released on June 11:
https://webkitgtk.org/2018/06/11/webkitgtk2.20.3-released.html

Mageia 6 is also affected.

It's building in Cauldron now and will be pushed in Mageia 6 when that's done.

Testing procedure in bug 22876 comment 4

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.20.3, fixing several
security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4199
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4218
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4222
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4232
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4233
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4246
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11646
https://webkitgtk.org/security/WSA-2018-0005.html
https://webkitgtk.org/2018/06/11/webkitgtk2.20.3-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.20.3-1.mga6
webkit2-jsc-2.20.3-1.mga6
lib(64)webkit2gtk4.0_37-2.20.3-1.mga6
lib(64)javascriptcoregtk4.0_18-2.20.3-1.mga6
lib(64)webkit2-devel-2.20.3-1.mga6
lib(64)javascriptcore-gir4.0-2.20.3-1.mga6
lib(64)webkit2gtk-gir4.0-2.20.3-1.mga6

from SRPMS:
webkit2-2.20.3-1.mga6.src.rpm

Comment 1 David Walser 2018-06-17 02:05:39 CEST

Building in Mageia 6 now.  Info in Comment 0.

Assignee: bugsquad => qa-bugs
Keywords: (none) => has_procedure

Comment 2 Herman Viaene 2018-06-30 14:51:10 CEST

MGA6-32 on IBM Thinkpad R50e MATE
No installation issues.
Followed testing procedure in using zenity and the script (see attachment)
Found also an example of a pdf with internal and external hyperlinks (next attachment)
All work OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 3 Herman Viaene 2018-06-30 14:53:17 CEST

Created attachment 10262 [details]
zenity test script

Comment 4 Herman Viaene 2018-06-30 14:54:03 CEST

Created attachment 10263 [details]
Sample pdf with hyperlinks

Comment 5 Dave Hodgins 2018-07-01 04:28:52 CEST

Advisory committed to svn. Validating the update.

CC: (none) => davidwhodgins

Comment 6 Dave Hodgins 2018-07-01 04:30:00 CEST

Actually adding the keywords.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-07-01 19:18:32 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0302.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.