Bug 26928 - webkit2 security issues fixed upstream (WSA-2020-0006 and WSA-2020-0007)
Summary: webkit2 security issues fixed upstream (WSA-2020-0006 and WSA-2020-0007)
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All, OS: Linux
Priority: Normal, Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2020-07-10 13:18 CEST by Nicolas Salguero
Modified: 2020-08-05 00:10 CEST

See Also:
Source RPM: webkit2-2.28.2-1.mga7.src.rpm
CVE:
Status comment:



Description Nicolas Salguero 2020-07-10 13:18:34 CEST
Hi,

Upstream has released 2.28.3: https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html, which seems to only fix bugs but not security issues.

Best regards,

Nico.
Comment 1 Nicolas Salguero 2020-07-10 13:28:51 CEST
Suggested advisory:
========================

The webkit2 package has been updated to version 2.28.3, fixing several bugs.

References:
https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.28.3-1.mga7
webkit2-jsc-2.28.3-1.mga7
lib(64)webkit2gtk4.0_37-2.28.3-1.mga7
lib(64)javascriptcoregtk4.0_18-2.28.3-1.mga7
lib(64)webkit2-devel-2.28.3-1.mga7
lib(64)javascriptcore-gir4.0-2.28.3-1.mga7
lib(64)webkit2gtk-gir4.0-2.28.3-1.mga7

from webkit2-2.28.3-1.mga7.src.rpm

Source RPM: (none) => webkit2-2.28.2-1.mga7.src.rpm
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2020-07-10 19:42:27 CEST
Upstream has issued an advisory today (July 10):
https://webkitgtk.org/security/WSA-2020-0006.html

Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.28.3, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13753
https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html
https://webkitgtk.org/security/WSA-2020-0006.html

QA Contact: (none) => security
Component: RPM Packages => Security
Summary: webkit2 2.28.3 => webkit2 security issues fixed upstream (WSA-2020-0006)

Comment 3 David Walser 2020-07-14 22:29:06 CEST
Ubuntu has issued an advisory for this today (July 14):
https://ubuntu.com/security/notices/USN-4422-1

Severity: normal => major

Comment 4 Herman Viaene 2020-07-24 14:50:34 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Testing with
$ zenity  --calendar
21/07/20
and getting same behavior as in bug 26550, so OK on this.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 5 Thomas Andrews 2020-07-25 15:04:53 CEST
Validating. Dueling advisories, but it looks like the best one is in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Comment 6 Nicolas Salguero 2020-07-29 13:08:57 CEST
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.28.4, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13753
https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html
https://webkitgtk.org/2020/07/28/webkitgtk2.28.4-released.html
https://webkitgtk.org/security/WSA-2020-0006.html
https://ubuntu.com/security/notices/USN-4422-1
========================

Updated packages in core/updates_testing:
========================
webkit2-2.28.4-1.mga7
webkit2-jsc-2.28.4-1.mga7
lib(64)webkit2gtk4.0_37-2.28.4-1.mga7
lib(64)javascriptcoregtk4.0_18-2.28.4-1.mga7
lib(64)webkit2-devel-2.28.4-1.mga7
lib(64)javascriptcore-gir4.0-2.28.4-1.mga7
lib(64)webkit2gtk-gir4.0-2.28.4-1.mga7

from webkit2-2.28.4-1.mga7.src.rpm

Keywords: validated_update => (none)
Whiteboard: MGA7-64-OK => (none)

Comment 7 David Walser 2020-07-29 16:34:14 CEST
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.28.4, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9803
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9805
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9806
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9807
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9843
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9862
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9893
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9894
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9895
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9915
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9925
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13753
https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html
https://webkitgtk.org/2020/07/28/webkitgtk2.28.4-released.html
https://webkitgtk.org/security/WSA-2020-0006.html
https://webkitgtk.org/security/WSA-2020-0007.html
https://ubuntu.com/security/notices/USN-4422-1

Summary: webkit2 security issues fixed upstream (WSA-2020-0006) => webkit2 security issues fixed upstream (WSA-2020-0006 and WSA-2020-0007)

Comment 8 Herman Viaene 2020-08-03 13:51:00 CEST
Testing newer version
$ zenity  --calendar
20/09/20
OK again.

Whiteboard: (none) => MGA7-64-OK

Comment 9 Thomas Andrews 2020-08-03 14:30:22 CEST
We'll try again. Validating. New advisory in Comment 7.

Keywords: (none) => validated_update

Comment 10 David Walser 2020-08-05 00:10:47 CEST
Ubuntu has issued an advisory for the 2.28.4 fixes on August 3:
https://ubuntu.com/security/notices/USN-4444-1

Please append that to the references in the advisory.
