Bug 27656 - webkit2 security issues fixed upstream (WSA-2020-0008 and WSA-2020-0009)
Summary: webkit2 security issues fixed upstream (WSA-2020-0008 and WSA-2020-0009)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-23 20:45 CET by David Walser
Modified: 2020-12-01 11:21 CET (History)
5 users (show)

See Also:
Source RPM: webkit2-2.28.4-1.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-11-23 20:45:05 CET
Upstream has issued an advisory today (November 23):
https://webkitgtk.org/security/WSA-2020-0008.html

The issues are fixed upstream in 2.30.3:
https://webkitgtk.org/2020/11/20/webkitgtk2.30.3-released.html
Comment 1 Nicolas Salguero 2020-11-24 13:01:22 CET
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.30.3, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13584
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9948
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9951
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9952
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9983
https://webkitgtk.org/2020/11/20/webkitgtk2.30.3-released.html
https://webkitgtk.org/security/WSA-2020-0008.html
========================

Updated packages in core/updates_testing:
========================
webkit2-2.30.3-1.mga7
webkit2-jsc-2.30.3-1.mga7
lib(64)webkit2gtk4.0_37-2.30.3-1.mga7
lib(64)javascriptcoregtk4.0_18-2.30.3-1.mga7
lib(64)webkit2-devel-2.30.3-1.mga7
lib(64)javascriptcore-gir4.0-2.30.3-1.mga7
lib(64)webkit2gtk-gir4.0-2.30.3-1.mga7

from webkit2-2.30.3-1.mga7.src.rpm

CC: (none) => nicolas.salguero
Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED

Comment 2 David Walser 2020-11-24 14:16:28 CET
CVE-2020-9952 shouldn't be listed in the advisory, as it was fixed in our previous update.
Comment 3 Herman Viaene 2020-11-25 16:06:10 CET
MGA7-64 MATE on Peaq C1011
No installation issues
Ref to bug 26928 e.a. for testing
$ zenity  --calendar
22/12/20
Is what I expected, OK

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 4 Thomas Andrews 2020-11-27 01:35:02 CET
Validating. Advisory in Comment 1, but should be revised according to Comment 2.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Aurelien Oudelet 2020-11-27 09:48:38 CET
Advisory pushed to SVN.

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 6 Mageia Robot 2020-11-27 21:16:11 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0441.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 7 David Walser 2020-11-29 17:15:18 CET
Ubuntu has issued an advisory for this on November 26:
https://ubuntu.com/security/notices/USN-4648-1

Apparently our update introduced a lot of new dependencies, see Bug 27683.
Nicolas Salguero 2020-12-01 10:47:53 CET

Summary: webkit2 security issues fixed upstream (WSA-2020-0008) => webkit2 security issues fixed upstream (WSA-2020-0008 and WSA-2020-0009)

Comment 8 David Walser 2020-12-01 11:15:06 CET
Please add CVE-2020-13543 and the following reference to the SVN advisory:
https://webkitgtk.org/security/WSA-2020-0009.html
Comment 9 Aurelien Oudelet 2020-12-01 11:21:23 CET
(In reply to David Walser from comment #8)
> Please add CVE-2020-13543 and the following reference to the SVN advisory:
> https://webkitgtk.org/security/WSA-2020-0009.html

Added.

Note You need to log in before you can comment on or make changes to this bug.