Bug 26127 - webkit2 security issues fixed upstream (WSA-2020-0001)
Summary: webkit2 security issues fixed upstream (WSA-2020-0001)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-01-24 09:43 CET by Nicolas Salguero
Modified: 2020-01-28 12:34 CET

See Also:
Source RPM: webkit2-2.26.2-1.mga7.src.rpm
CVE: CVE-2019-8835, CVE-2019-8844, CVE-2019-8846
Status comment:


Description Nicolas Salguero 2020-01-24 09:43:34 CET
Upstream has issued an advisory on January 23:
https://webkitgtk.org/security/WSA-2020-0001.html
Comment 1 Nicolas Salguero 2020-01-24 09:47:40 CET
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.26.3, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8844
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8846
https://webkitgtk.org/2020/01/22/webkitgtk2.26.3-released.html
https://webkitgtk.org/security/WSA-2020-0001.html
https://www.openwall.com/lists/oss-security/2020/01/23/2
========================

Updated packages in core/updates_testing:
========================
webkit2-2.26.3-1.mga7
webkit2-jsc-2.26.3-1.mga7
lib(64)webkit2gtk4.0_37-2.26.3-1.mga7
lib(64)javascriptcoregtk4.0_18-2.26.3-1.mga7
lib(64)webkit2-devel-2.26.3-1.mga7
lib(64)javascriptcore-gir4.0-2.26.3-1.mga7
lib(64)webkit2gtk-gir4.0-2.26.3-1.mga7

from SRPMS:
webkit2-2.26.3-1.mga7.src.rpm

CVE: (none) => CVE-2019-8835, CVE-2019-8844, CVE-2019-8846
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Source RPM: (none) => webkit2-2.26.2-1.mga7.src.rpm

Comment 2 Thomas Andrews 2020-01-24 20:34:10 CET
Referred to Bug 25657 for a testing procedure.

The following 5 packages are going to be installed:

- lib64javascriptcore-gir4.0-2.26.3-1.mga7.x86_64
- lib64javascriptcoregtk4.0_18-2.26.3-1.mga7.x86_64
- lib64webkit2gtk-gir4.0-2.26.3-1.mga7.x86_64
- lib64webkit2gtk4.0_37-2.26.3-1.mga7.x86_64
- webkit2-2.26.3-1.mga7.x86_64

Used atril to load a copy of an old tax form instructions, and from there clicked on a link to the IRS Taxpayer Bill of Rights, where I learned I have the right to a fair and just tax system. Reserving judgement on that one for the moment.

From the CLI, "zenity --calendar" returned a clickable calendar.

Looks OK here.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => andrewsfarm

Comment 3 Thomas Andrews 2020-01-24 23:28:47 CET
Validating. Advisory in Comment 1.

CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Thomas Backlund 2020-01-28 12:07:19 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 4 Mageia Robot 2020-01-28 12:34:09 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0067.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

