Bug 28370 - webkit2 security issues fixed upstream (WSA-2021-0001)
Summary: webkit2 security issues fixed upstream (WSA-2021-0001)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA8-64-OK MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-02-17 16:12 CET by Nicolas Salguero
Modified: 2021-03-04 17:55 CET

See Also:
Source RPM: webkit2-2.30.4-1.mga8.src.rpm
CVE: CVE-2020-13558
Status comment:



Description Nicolas Salguero 2021-02-17 16:12:38 CET
Upstream has issued an advisory on February 15:
https://webkitgtk.org/security/WSA-2021-0001.html

See also:
https://webkitgtk.org/2021/02/11/webkitgtk2.30.5-released.html

Nicolas Salguero 2021-02-17 16:13:01 CET

Whiteboard: (none) => MGA7TOO
Source RPM: (none) => webkit2-2.30.4-1.mga8.src.rpm

David Walser 2021-02-17 16:41:16 CET

Whiteboard: MGA7TOO => MGA7TOO, MGA8TOO

Comment 1 Lewis Smith 2021-02-18 08:54:56 CET
Assigning this to you, Nicolas, as you did the last two new versions.

Assignee: bugsquad => nicolas.salguero

Comment 2 David Walser 2021-02-26 19:17:49 CET
Ubuntu has issued an advisory for this on February 18:
https://ubuntu.com/security/notices/USN-4739-1

Severity: normal => major

Comment 3 Nicolas Lécureuil 2021-02-27 01:51:10 CET
pushed in cauldron mga7/8

src:
    webkit2-2.30.5-1.1.mga7
    webkit2-2.30.5-1.1.mga8

CC: (none) => mageia
Assignee: nicolas.salguero => qa-bugs
Whiteboard: MGA7TOO, MGA8TOO => MGA7TOO
Version: Cauldron => 8

Comment 4 David Walser 2021-02-27 02:05:17 CET
No, it shouldn't have a subrel.  Mageia 7 build needs to be deleted and re-submitted.

Assignee: qa-bugs => nicolas.salguero

Comment 5 Nicolas Lécureuil 2021-02-27 09:33:50 CET
No need, it failed :-)

Comment 6 Nicolas Lécureuil 2021-02-27 10:01:12 CET
pushed in cauldron mga7/8

src:
    webkit2-2.30.5-1.mga7
    webkit2-2.30.5-1.mga8

Nicolas Lécureuil 2021-02-27 11:26:37 CET

Assignee: nicolas.salguero => qa-bugs

Comment 7 David Walser 2021-02-27 17:44:05 CET
Package list:
webkit2-2.30.5-1.mga7
webkit2-jsc-2.30.5-1.mga7
libwebkit2gtk4.0_37-2.30.5-1.mga7
libjavascriptcoregtk4.0_18-2.30.5-1.mga7
libwebkit2-devel-2.30.5-1.mga7
libjavascriptcore-gir4.0-2.30.5-1.mga7
libwebkit2gtk-gir4.0-2.30.5-1.mga7
webkit2-2.30.5-1.mga8
webkit2-jsc-2.30.5-1.mga8
libjavascriptcoregtk4.0_18-2.30.5-1.mga8
libwebkit2gtk4.0_37-2.30.5-1.mga8
libwebkit2gtk-gir4.0-2.30.5-1.mga8
libjavascriptcore-gir4.0-2.30.5-1.mga8
libwebkit2-devel-2.30.5-1.mga8

Manuel Hiebel 2021-03-01 20:05:33 CET

Whiteboard: MGA7TOO => MGA7TOO MGA8-64-OK

Comment 8 David Walser 2021-03-03 01:10:32 CET
Suggested advisory:
========================

Updated webkit2 packages fix security vulnerabilities:

The webkit2 package has been updated to version 2.30.5, fixing several security issues and other bugs.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13558
https://webkitgtk.org/security/WSA-2021-0001.html
https://webkitgtk.org/2020/12/15/webkitgtk2.30.4-released.html
https://webkitgtk.org/2021/02/11/webkitgtk2.30.5-released.html

CC: (none) => luigiwalser

Comment 9 Aurelien Oudelet 2021-03-04 14:16:46 CET
MGA8-64

Using QA Repo
webkit2-2.30.5-1.mga8
webkit2-jsc-2.30.5-1.mga8
libjavascriptcoregtk4.0_18-2.30.5-1.mga8
libwebkit2gtk4.0_37-2.30.5-1.mga8
libwebkit2gtk-gir4.0-2.30.5-1.mga8
libjavascriptcore-gir4.0-2.30.5-1.mga8

Install OK.

CC: (none) => ouaurelien

Comment 10 Herman Viaene 2021-03-04 15:16:40 CET
MGA7-64 MATE on Peaq C1011
No installation issues
Ref bug 27656 for testing
$ zenity  --calendar
17/03/21
$ zenity  --calendar
24/03/21
The first one is by pressing OK on the dialogue, the second one by double clicking on the date chosen.
OK for me.

CC: (none) => herman.viaene
Whiteboard: MGA7TOO MGA8-64-OK => MGA7TOO MGA8-64-OK MGA7-64-OK

Comment 11 Aurelien Oudelet 2021-03-04 15:28:42 CET
Forward from Comment 9, installs OK also on MGA7-64 Plasma.

Note also that Mageia Control Centre runs fine on both systems.

Giving this an OK.
Validating
Advisory pushed to SVN.

Aurelien Oudelet 2021-03-04 15:29:07 CET

Keywords: (none) => advisory, validated_update
CVE: (none) => CVE-2020-13558
CC: (none) => sysadmin-bugs

Comment 12 Mageia Robot 2021-03-04 17:55:16 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0107.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

