Upstream has issued an advisory on August 7:
https://webkitgtk.org/security/WSA-2018-0006.html

The issues have been fixed in 2.20.4, released on August 6:
https://webkitgtk.org/2018/08/06/webkitgtk2.20.4-released.html

Mageia 6 is also affected. It's building in Cauldron now and Mageia 6 now.

Testing procedure in bug 22876 comment 4

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.20.4, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4262
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4284
https://webkitgtk.org/security/WSA-2018-0006.html
https://webkitgtk.org/2018/08/06/webkitgtk2.20.4-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.20.4-1.mga6
webkit2-jsc-2.20.4-1.mga6
lib(64)webkit2gtk4.0_37-2.20.4-1.mga6
lib(64)javascriptcoregtk4.0_18-2.20.4-1.mga6
lib(64)webkit2-devel-2.20.4-1.mga6
lib(64)javascriptcore-gir4.0-2.20.4-1.mga6
lib(64)webkit2gtk-gir4.0-2.20.4-1.mga6

from webkit2-2.20.4-1.mga6.src.rpm
Keywords: (none) => has_procedure
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Following procedure above, opened a pdf containing links with atril: expected behavior is OK.
Running the perl testscript provides an interactive calendar widget. All OK.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
mga6-64

$ uname -a
Linux localhost 4.14.65-desktop-1.mga6 #1 SMP Sat Aug 18 14:50:29 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

This breaks midori browser so this is a no go.

I'll attach journal. Let me know if you need anything else
CC: (none) => brtians1
Keywords: (none) => feedback
Created attachment 10336
journalctl for Aug25th. midori webkit issues

Xfce platform running in VirtualBox

I installed midori:

The following 3 packages are going to be installed:

- lib64midori-core1-0.5.11-4.mga6.x86_64
- lib64zeitgeist2.0_0-1.0-1.mga6.x86_64
- midori-0.5.11-4.mga6.x86_64

5MB of additional disk space will be used.

1.1MB of packages will be retrieved.

I tested it and it accessed the mageia and slashdot web-sites.

Then upgraded webkit. Afterwards midori was no longer functional. When I run from terminal I see the following:

$ midori

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:2:31: The style property GtkButton:default-border is deprecated and shouldn't be used anymore. It will be removed in a future version

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:3:39: The style property GtkButton:default-outside-border is deprecated and shouldn't be used anymore. It will be removed in a future version

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:4:29: The style property GtkButton:inner-border is deprecated and shouldn't be used anymore. It will be removed in a future version

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:5:33: The style property GtkWidget:focus-line-width is deprecated and shouldn't be used anymore. It will be removed in a future version

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:6:30: The style property GtkWidget:focus-padding is deprecated and shouldn't be used anymore. It will be removed in a future version

(midori4:3915): Gtk-WARNING **: Theme parsing error: gtk3.css:26:20: The :insensitive pseudo-class is deprecated. Use :disabled instead.

(midori4:3915): GLib-CRITICAL **: g_file_test: assertion 'filename != NULL' failed
/usr/libexec/webkit2gtk-4.0/WebKitWebProcess: symbol lookup error: /lib64/libwebkit2gtk-4.0.so.37: undefined symbol: _ZN3JSC41DeferredStructureTransitionWatchpointFireC1ERNS_2VMEPNS_9StructureE

See journal.
Let me know if you need anything else from me
I guess we need to update to the 2.20.5 bugfix version.
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.20.5, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4261
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4262
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4263
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4264
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4265
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4266
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4267
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4270
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4272
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4273
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4278
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4284
https://webkitgtk.org/security/WSA-2018-0006.html
https://webkitgtk.org/2018/08/06/webkitgtk2.20.4-released.html
https://webkitgtk.org/2018/08/13/webkitgtk2.20.5-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.20.5-1.mga6
webkit2-jsc-2.20.5-1.mga6
lib(64)webkit2gtk4.0_37-2.20.5-1.mga6
lib(64)javascriptcoregtk4.0_18-2.20.5-1.mga6
lib(64)webkit2-devel-2.20.5-1.mga6
lib(64)javascriptcore-gir4.0-2.20.5-1.mga6
lib(64)webkit2gtk-gir4.0-2.20.5-1.mga6

from webkit2-2.20.5-1.mga6.src.rpm
Whiteboard: MGA6-32-OK => (none)
CC: (none) => nicolas.salguero
Keywords: feedback => (none)
Status: NEW => ASSIGNED
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Following procedure above, opened a pdf containing links with atril: expected behavior is OK.
Running the perl testscript provides an interactive calendar widget. All OK.
Whiteboard: (none) => MGA6-32-OK
The following 4 packages are going to be installed:

- lib64webkit2gtk-gir4.0-2.20.5-1.mga6.x86_64
- lib64webkit2gtk4.0_37-2.20.5-1.mga6.x86_64
- webkit2-2.20.5-1.mga6.x86_64
- webkit2-jsc-2.20.5-1.mga6.x86_64

240KB of additional disk space will be used.

midori failed.

Installed the development libraries and the 230MB of additional stuff

lib(64)webkit2-devel-2.20.5-1.mga6

and the following

Aug 28 21:55:40 localhost [RPM][4025]: Transaction ID 5b860b2c started
Aug 28 21:55:40 localhost [RPM][4025]: erase lib64javascriptcore-gir4.0-2.20.3-1
Aug 28 21:55:40 localhost [RPM][4025]: erase lib64javascriptcoregtk4.0_18-2.20.3
Aug 28 21:55:40 localhost [RPM][4025]: erase lib64xcursor1-1.1.14-6.1.mga6.x86_6
Aug 28 21:55:40 localhost [RPM][4025]: install lib64sqlite3-devel-3.17.0-2.2.mga
Aug 28 21:55:41 localhost [RPM][4025]: install lib64javascriptcoregtk4.0_18-2.20
Aug 28 21:55:41 localhost [RPM][4025]: install lib64javascriptcore-gir4.0-2.20.5
Aug 28 21:55:42 localhost [RPM][4025]: install lib64soup-devel-2.58.2-1.1.mga6.x
Aug 28 21:55:42 localhost [RPM][4025]: install lib64xcursor1-1.1.14-6.2.mga6.x86
Aug 28 21:55:42 localhost [RPM][4025]: install lib64xcursor-devel-1.1.14-6.2.mga
Aug 28 21:55:45 localhost [RPM][4025]: install lib64gtk+3.0-devel-3.22.16-1.mga6
Aug 28 21:55:45 localhost [RPM][4025]: install lib64jpeg-devel-1:1.5.1-1.2.mga6.
Aug 28 21:55:45 localhost [RPM][4025]: install lib64tasn1-devel-4.13-1.mga6.x86_
Aug 28 21:55:45 localhost [RPM][4025]: install lib64webkit2-devel-2.20.5-1.mga6.
Aug 28 21:55:47 localhost [RPM][4025]: install pango-doc-1.40.6-1.1.mga6.noarch:
Aug 28 21:55:47 localhost [RPM][4025]: erase lib64javascriptcore-gir4.0-2.20.3-1
Aug 28 21:55:47 localhost [RPM][4025]: erase lib64javascriptcoregtk4.0_18-2.20.3
Aug 28 21:55:47 localhost [RPM][4025]: erase lib64xcursor1-1.1.14-6.1.mga6.x86_6
Aug 28 21:55:53 localhost [RPM][4025]: install lib64sqlite3-devel-3.17.0-2.2.mga
Aug 28 21:55:53 localhost [RPM][4025]: install lib64javascriptcoregtk4.0_18-2.20
Aug 28 21:55:53 localhost [RPM][4025]: install lib64javascriptcore-gir4.0-2.20.5
Aug 28 21:55:53 localhost [RPM][4025]: install lib64soup-devel-2.58.2-1.1.mga6.x
Aug 28 21:55:53 localhost [RPM][4025]: install lib64xcursor1-1.1.14-6.2.mga6.x86
Aug 28 21:55:53 localhost [RPM][4025]: install lib64xcursor-devel-1.1.14-6.2.mga
Aug 28 21:55:53 localhost [RPM][4025]: install lib64gtk+3.0-devel-3.22.16-1.mga6
Aug 28 21:55:53 localhost [RPM][4025]: install lib64jpeg-devel-1:1.5.1-1.2.mga6.
Aug 28 21:55:53 localhost [RPM][4025]: install lib64tasn1-devel-4.13-1.mga6.x86_
Aug 28 21:55:53 localhost [RPM][4025]: install lib64webkit2-devel-2.20.5-1.mga6.
Aug 28 21:55:53 localhost [RPM][4025]: install pango-doc-1.40.6-1.1.mga6.noarch:
Aug 28 21:55:53 localhost [RPM][4025]: Transaction ID 5b860b2c finished: 0

behold - it works now.

MGa6-64 works - we just need to note midori needs the dev libraries.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => feedback
(In reply to Brian Rockwell from comment #7)
> MGa6-64 works - we just need to note midori needs the dev libraries.

It shouldn't. What's with that? Packaging error?
(In reply to David Walser from comment #8)
> (In reply to Brian Rockwell from comment #7)
> > MGa6-64 works - we just need to note midori needs the dev libraries.
>
> It shouldn't. What's with that? Packaging error?

The dev libraries are not needed. What is needed is lib(64)javascriptcoregtk4.0_18 and lib(64)javascriptcore-gir4.0 packages in the same version as webkit2.

In comment 7, it seems that those packages have not been updated at the same time as the other packages. I made that mistake myself once and, now, I do not forget anymore :-)

By installing the devel package, the two forgotten packages are forced to be updated.

Best regards,

Nico.
Has anyone fixed the dependency noted by Nicolas?
It's not a dependency issue, it's user error. When you QA test packages, make sure *all* of the relevant packages built from that SRPM (listed in Comment 5 in this case) get updated.
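The check described in the comment above can be scripted. This is an added example, not part of the original thread or of Mageia's QA tooling: it groups installed packages by source RPM name and reports any group that mixes builds. The function names `srpm_skew` and `sample_partial` and the sample package list are constructed for illustration.

```shell
#!/bin/sh
# Flag installed packages built from the same source RPM that are not
# all from the same build (the partial update discussed above).
# Input lines: "<name> <version>-<release> <SOURCERPM>", as printed by
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{SOURCERPM}\n'
srpm_skew() {
    awk '
    $3 == "(none)" { next }                  # e.g. gpg-pubkey entries
    {
        src = $3
        sub(/\.src\.rpm$/, "", src)          # webkit2-2.20.5-1.mga6
        base = src
        sub(/-[^-]+-[^-]+$/, "", base)       # webkit2
        if (!((base, src) in seen)) { seen[base, src] = 1; builds[base]++ }
        pkgs[base] = pkgs[base] sprintf("  %s %s (from %s.src.rpm)\n", $1, $2, src)
    }
    END {
        status = 0
        for (b in builds)
            if (builds[b] > 1) {
                printf "MIXED builds of %s:\n%s", b, pkgs[b]
                status = 1
            }
        exit status                          # 1 when any group is mixed
    }'
}

# Constructed sample: webkit2 updated, one JavaScriptCore library left behind.
sample_partial() {
    cat <<'EOF'
webkit2 2.20.5-1.mga6 webkit2-2.20.5-1.mga6.src.rpm
webkit2-jsc 2.20.5-1.mga6 webkit2-2.20.5-1.mga6.src.rpm
lib64webkit2gtk4.0_37 2.20.5-1.mga6 webkit2-2.20.5-1.mga6.src.rpm
lib64javascriptcoregtk4.0_18 2.20.4-1.mga6 webkit2-2.20.4-1.mga6.src.rpm
midori 0.5.11-4.mga6 midori-0.5.11-4.mga6.src.rpm
EOF
}

# Demo on the constructed sample; on a real system pipe rpm -qa into srpm_skew.
sample_partial | srpm_skew || echo "update the remaining packages before testing"
```

Packages that are deliberately installed in several versions side by side, such as kernels, will also be reported.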
Keywords: feedback => (none)
Sounds to me like this is good to go, then. Validating. Suggested advisory in Comment 5.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
David - fine. Why didn't Midori request the package?
Midori does require the package, that's why it was already installed.
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0382.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED