Upstream has issued an advisory on October 29: https://webkitgtk.org/security/WSA-2019-0005.html
Source RPM: (none) => webkit2-2.24.4-1.mga7.src.rpm
Current version already has all the fixes.
Status: NEW => RESOLVED
Resolution: (none) => INVALID
(In reply to David Walser from comment #1)
> Current version already has all the fixes.
Are you sure that CVE-2019-8625, CVE-2019-8720, CVE-2019-8769 and CVE-2019-8771 only apply to 2.25.x and not to 2.24.x too? Because the description of those CVEs only says "before 2.26.0" so I thought that was the case.
Anyway, we will have to switch to 2.26.x for Mageia 7 because it is now the stable branch and 2.24.x will not receive security updates any more.
They're not always clear on when vulnerabilities were introduced, but yeah we should go ahead and push the update.
Status: RESOLVED => REOPENED
Resolution: INVALID => (none)
And version 2.26.2 is released today: https://webkitgtk.org/2019/11/06/webkitgtk2.26.2-released.html
Suggested advisory:
========================
Updated webkit2 packages fix security vulnerabilities:
The webkit2 package has been updated to version 2.26.2, fixing several security issues and other bugs.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8769
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8771
https://webkitgtk.org/2019/09/09/webkitgtk2.26.0-released.html
https://webkitgtk.org/2019/09/23/webkitgtk2.26.1-released.html
https://webkitgtk.org/2019/11/06/webkitgtk2.26.2-released.html
https://webkitgtk.org/security/WSA-2019-0005.html
https://www.openwall.com/lists/oss-security/2019/10/29/2
========================
Updated packages in core/updates_testing:
========================
webkit2-2.26.2-1.mga7
webkit2-jsc-2.26.2-1.mga7
lib(64)webkit2gtk4.0_37-2.26.2-1.mga7
lib(64)javascriptcoregtk4.0_18-2.26.2-1.mga7
lib(64)webkit2-devel-2.26.2-1.mga7
lib(64)javascriptcore-gir4.0-2.26.2-1.mga7
lib(64)webkit2gtk-gir4.0-2.26.2-1.mga7
from SRPMS:
webkit2-2.26.2-1.mga7.src.rpm
Assignee: bugsquad => qa-bugs
Status: REOPENED => ASSIGNED
2.26.2 fixes more security issues. See the advisory from November 8: https://webkitgtk.org/security/WSA-2019-0006.html
Summary: webkit2 security issues fixed upstream (WSA-2019-0005) => webkit2 security issues fixed upstream (WSA-2019-0005 and WSA-2019-0006)
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref to bug 22876 Comment 4 for testing.
Run atril displaying pdf with clickable links: works OK.
Further at CLI:
$ zenity --calendar
This command displays a clickable calendar, clicking on Nov. 24 displays as feedback:
21-11-19
Looks all OK
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
(In reply to David Walser from comment #6)
> 2.26.2 fixes more security issues. See the advisory from November 8:
> https://webkitgtk.org/security/WSA-2019-0006.html
Make sure the advisory gets updated for this before this goes out.
Suggested advisory:
========================
Updated webkit2 packages fix security vulnerabilities:
The webkit2 package has been updated to version 2.26.2, fixing several security issues and other bugs.
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8769
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8771
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8770
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8766
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8783
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8808
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8819
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8820
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8823
https://webkitgtk.org/2019/09/09/webkitgtk2.26.0-released.html
https://webkitgtk.org/2019/09/23/webkitgtk2.26.1-released.html
https://webkitgtk.org/2019/11/06/webkitgtk2.26.2-released.html
https://webkitgtk.org/security/WSA-2019-0005.html
https://www.openwall.com/lists/oss-security/2019/10/29/2
https://webkitgtk.org/security/WSA-2019-0006.html
Validating. Advisory in Comment 9.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0324.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED