Bug 25657 - webkit2 security issues fixed upstream (WSA-2019-0005 and WSA-2019-0006)
Summary: webkit2 security issues fixed upstream (WSA-2019-0005 and WSA-2019-0006)
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2019-11-05 16:51 CET by Nicolas Salguero
Modified: 2019-11-14 02:23 CET

See Also:
Source RPM: webkit2-2.24.4-1.mga7.src.rpm
CVE:
Status comment:


Description Nicolas Salguero 2019-11-05 16:51:01 CET
Upstream has issued an advisory on October 29:
https://webkitgtk.org/security/WSA-2019-0005.html
Nicolas Salguero 2019-11-05 16:52:25 CET

Source RPM: (none) => webkit2-2.24.4-1.mga7.src.rpm

Comment 1 David Walser 2019-11-05 17:24:47 CET
Current version already has all the fixes.

Status: NEW => RESOLVED
Resolution: (none) => INVALID

Comment 2 Nicolas Salguero 2019-11-06 09:17:34 CET
(In reply to David Walser from comment #1)
> Current version already has all the fixes.

Are you sure that CVE-2019-8625, CVE-2019-8720, CVE-2019-8769 and CVE-2019-8771 only apply to 2.25.x and not to 2.24.x too?  Because the description of those CVEs only says "before 2.26.0" so I thought that was the case.

Anyway, we will have to switch to 2.26.x for Mageia 7 because it is now the stable branch and 2.24.x will not receive security updates any more.
Comment 3 David Walser 2019-11-06 12:41:14 CET
They're not always clear on when vulnerabilities were introduced, but yeah we should go ahead and push the update.

Resolution: INVALID => (none)
Status: RESOLVED => REOPENED

Comment 4 Nicolas Salguero 2019-11-06 12:44:46 CET
And version 2.26.2 is released today:
https://webkitgtk.org/2019/11/06/webkitgtk2.26.2-released.html
Comment 5 Nicolas Salguero 2019-11-07 10:10:05 CET
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.26.2, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8769
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8771
https://webkitgtk.org/2019/09/09/webkitgtk2.26.0-released.html
https://webkitgtk.org/2019/09/23/webkitgtk2.26.1-released.html
https://webkitgtk.org/2019/11/06/webkitgtk2.26.2-released.html
https://webkitgtk.org/security/WSA-2019-0005.html
https://www.openwall.com/lists/oss-security/2019/10/29/2
========================

Updated packages in core/updates_testing:
========================
webkit2-2.26.2-1.mga7
webkit2-jsc-2.26.2-1.mga7
lib(64)webkit2gtk4.0_37-2.26.2-1.mga7
lib(64)javascriptcoregtk4.0_18-2.26.2-1.mga7
lib(64)webkit2-devel-2.26.2-1.mga7
lib(64)javascriptcore-gir4.0-2.26.2-1.mga7
lib(64)webkit2gtk-gir4.0-2.26.2-1.mga7

from SRPMS:
webkit2-2.26.2-1.mga7.src.rpm

Status: REOPENED => ASSIGNED
Assignee: bugsquad => qa-bugs

Comment 6 David Walser 2019-11-09 14:57:25 CET
2.26.2 fixes more security issues.  See the advisory from November 8:
https://webkitgtk.org/security/WSA-2019-0006.html

Summary: webkit2 security issues fixed upstream (WSA-2019-0005) => webkit2 security issues fixed upstream (WSA-2019-0005 and WSA-2019-0006)

Comment 7 Herman Viaene 2019-11-09 15:57:31 CET
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref to bug 22876 Comment 4 for testing.
Run atril displaying pdf with clickable links: works OK.
Further at CLI:
$ zenity --calendar
This command displays a clickable calendar, clicking on Nov. 24 displays as feedback:
21-11-19
Looks all OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 8 David Walser 2019-11-10 18:39:03 CET
(In reply to David Walser from comment #6)
> 2.26.2 fixes more security issues.  See the advisory from November 8:
> https://webkitgtk.org/security/WSA-2019-0006.html

Make sure the advisory gets updated for this before this goes out.
Comment 9 Nicolas Salguero 2019-11-12 10:05:55 CET
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.26.2, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8769
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8771
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8770
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8743
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8764
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8766
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8783
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8808
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8811
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8812
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8813
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8814
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8815
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8816
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8819
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8820
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8823
https://webkitgtk.org/2019/09/09/webkitgtk2.26.0-released.html
https://webkitgtk.org/2019/09/23/webkitgtk2.26.1-released.html
https://webkitgtk.org/2019/11/06/webkitgtk2.26.2-released.html
https://webkitgtk.org/security/WSA-2019-0005.html
https://www.openwall.com/lists/oss-security/2019/10/29/2
https://webkitgtk.org/security/WSA-2019-0006.html
Comment 10 Thomas Andrews 2019-11-14 02:23:14 CET
Validating. Advisory in Comment 9.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
