Bug 26340 - webkit2 security issue fixed upstream (WSA-2020-0003, CVE-2020-10018)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-03-13 18:00 CET by David Walser
Modified: 2020-03-18 16:28 CET

See Also:
Source RPM: webkit2-2.26.4-1.mga7.src.rpm
CVE:
Status comment:



Description David Walser 2020-03-13 18:00:18 CET
Upstream has issued an advisory on March 12:
https://webkitgtk.org/security/WSA-2020-0003.html

The issue is fixed upstream in 2.28.0:
https://webkitgtk.org/2020/03/10/webkitgtk2.28.0-released.html
Comment 1 David Walser 2020-03-14 02:26:46 CET
Updated package uploaded by Nicolas.

Advisory:
========================

Updated webkit2 packages fix security vulnerability:

WebKitGTK through 2.26.4 contains a memory corruption issue (use-after-free)
that may lead to arbitrary code execution (CVE-2020-10018).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10018
https://webkitgtk.org/2020/03/10/webkitgtk2.28.0-released.html
https://webkitgtk.org/security/WSA-2020-0003.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.28.0-1.mga7
webkit2-jsc-2.28.0-1.mga7
libwebkit2gtk4.0_37-2.28.0-1.mga7
libjavascriptcoregtk4.0_18-2.28.0-1.mga7
libwebkit2-devel-2.28.0-1.mga7
libjavascriptcore-gir4.0-2.28.0-1.mga7
libwebkit2gtk-gir4.0-2.28.0-1.mga7

from webkit2-2.28.0-1.mga7.src.rpm

CC: (none) => nicolas.salguero
Assignee: nicolas.salguero => qa-bugs

Thomas Backlund 2020-03-14 08:57:13 CET

CC: (none) => tmb
Keywords: (none) => advisory

Comment 2 Herman Viaene 2020-03-15 11:07:30 CET
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref bug 26127 for test.
$ zenity --calendar
pick March 24 on it and get feedback.
24/03/20
OK for me.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2020-03-17 15:00:04 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 4 Mageia Robot 2020-03-18 16:28:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0144.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

