Upstream has issued an advisory today (April 27):
https://webkitgtk.org/security/WSA-2020-0005.html

The issue is fixed upstream in 2.28.2:
https://webkitgtk.org/2020/04/24/webkitgtk2.28.2-released.html
Updates building for Mageia 7 and Cauldron.

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

A memory consumption issue was addressed with improved memory handling. A remote attacker may be able to cause arbitrary code execution (CVE-2020-3899).

The webkit2 package has been updated to version 2.28.2, fixing this issue and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3899
https://webkitgtk.org/2020/04/24/webkitgtk2.28.2-released.html
https://webkitgtk.org/security/WSA-2020-0005.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.28.2-1.mga7
webkit2-jsc-2.28.2-1.mga7
libwebkit2gtk4.0_37-2.28.2-1.mga7
libjavascriptcoregtk4.0_18-2.28.2-1.mga7
libwebkit2-devel-2.28.2-1.mga7
libjavascriptcore-gir4.0-2.28.2-1.mga7
libwebkit2gtk-gir4.0-2.28.2-1.mga7

from webkit2-2.28.2-1.mga7.src.rpm
Should be uploading soon. See Comment 1.
Assignee: bugsquad => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues
Ref bug 26487 for testing.
$ zenity --calendar
30/04/20
seems OK, but I see a difference with the previous test:
Now if I click once on a date, I get no feedback, double clicking displays the feedback and closes the window (same as selecting and clicking OK).
In previous tests, I could click on a date, get the feedback, click on another date, get feedback and only close the window when clicking OK.
AFAIK, there hasn't been an update on zenity lately, so I wonder.
Someone else might have other testing ideas, I will however not object to the OK.
CC: (none) => herman.viaene
Ubuntu has issued an advisory for this on April 29: https://usn.ubuntu.com/4347-1/
(In reply to Herman Viaene from comment #3)
> MGA7-64 Plasma on Lenovo B50
> No installation issues
> Ref bug 26487 for testing.
> $ zenity --calendar
> 30/04/20
> seems OK, but I see a difference with the previous test:
> Now if I click once on a date, I get no feedback, double clicking displays
> the feedback and closes the window (same as selecting and clicking OK).
> In previous tests, I could click on a date, get the feedback, click on
> another date, get feedback and only close the window when clicking OK.
> AFAIK, there hasn't been an update on zenity lately, so I wonder.
> Someone else might have other testing ideas, I will however not object to the OK.

Herman, I see the same thing with that command both before and after the webkit2 update, so it would appear that observation is not related to those packages.

I'm going to give it an OK, and validate it. Advisory in Comment 1.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA7-64-OK
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0188.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED