29886 – epiphany new security issues CVE-2021-4508[5-8]

Bug 29886 - epiphany new security issues CVE-2021-4508[5-8]

Summary: epiphany new security issues CVE-2021-4508[5-8]

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2022-01-13 17:15 CET by David Walser
Modified:	2022-07-07 08:47 CEST (History)
CC List:	6 users (show)

See Also:
Source RPM:	epiphany-3.38.2-1.mga8.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2022-01-13 17:15:10 CET

Debian has issued an advisory on January 12:
https://www.debian.org/security/2022/dsa-5042

The issues are fixed upstream in 40.4 and 41.1; Debian patched 3.38.2.

David Walser 2022-01-13 17:15:20 CET

Status comment: (none) => Patches available from Debian

Comment 1 Mike Rambo 2022-01-29 14:53:03 CET

Updated package uploaded for Mageia 8.

Advisory:
========================

Updated epiphany package fixes security vulnerabilities:

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place that page on the Most Visited list (CVE-2021-45085).

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server's suggested_filename is used as the pdf_name value in PDF.js (CVE-2021-45086).

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 when View Source mode or Reader mode is used, as demonstrated by a a page title (CVE-2021-45087).

XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page (CVE-2021-45088).


References:
https://www.debian.org/security/2022/dsa-5042
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45085
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45088
========================

Updated packages in core/updates_testing:
========================
epiphany-3.38.2-1.1.mga8

from epiphany-3.38.2-1.1.mga8.src.rpm

Assignee: gnome => qa-bugs
CC: (none) => mhrambo3501

David Walser 2022-01-29 17:25:31 CET

Status comment: Patches available from Debian => (none)

Comment 2 Hugues Detavernier 2022-02-01 15:21:59 CET

Mageia8 X64 Gnome VmWare
No installation issue.

Gnome Web (Epiphany) is working fine.
Tested with streaming web sites and others differents websites without issue.

CC: (none) => hdetavernier

Comment 3 Thomas Andrews 2022-02-07 03:09:02 CET

Giving this an OK based on Comment 2. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-02-09 20:23:09 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2022-02-09 21:47:00 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0053.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 5 Thomas Frank 2022-07-07 08:47:33 CEST Comment hidden (spam)

Thanks for finding this bug. Visit https://quordlegame.io/ & https://iogamesio.org/ for more details.

CC: (none) => thomasfrank1803

Note You need to log in before you can comment on or make changes to this bug.