Bug 34866 - webkit2 security issues fixed upstream (WSA-2025-0010)
Summary: webkit2 security issues fixed upstream (WSA-2025-0010)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK MGA9-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-12-17 09:21 CET by Nicolas Salguero
Modified: 2025-12-21 05:12 CET

See Also:
Source RPM: webkit2-2.50.3-1.mga9.src.rpm
CVE: CVE-2025-43501, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536
Status comment:



Description Nicolas Salguero 2025-12-17 09:21:34 CET
Upstream has issued an advisory on December 17:
https://webkitgtk.org/security/WSA-2025-0010.html

The issues are fixed upstream in 2.50.4:
https://webkitgtk.org/2025/12/16/webkitgtk2.50.4-released.html
Nicolas Salguero 2025-12-17 09:23:32 CET

Source RPM: (none) => webkit2-2.50.3-1.mga10.src.rpm, webkit2-2.50.3-1.mga9.src.rpm
CVE: (none) => CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541
Whiteboard: (none) => MGA9TOO

Comment 1 Lewis Smith 2025-12-17 13:45:47 CET
Nicolas has just updated this in Cauldron, so remains M9 to do.

Whiteboard: MGA9TOO => (none)
Assignee: bugsquad => pkg-bugs
Version: Cauldron => 9
Status comment: (none) => fixed upstream in 2.50.4

Comment 2 Nicolas Salguero 2025-12-19 10:40:49 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities: CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541.

References:
https://webkitgtk.org/security/WSA-2025-0010.html
https://webkitgtk.org/2025/12/16/webkitgtk2.50.4-released.html
========================

Updated packages in core/updates_testing:
========================
lib(64)javascriptcore-gir4.0-2.50.4-1.mga9
lib(64)javascriptcore-gir4.1-2.50.4-1.mga9
lib(64)javascriptcore-gir6.0-2.50.4-1.mga9
lib(64)javascriptcoregtk4.0_18-2.50.4-1.mga9
lib(64)javascriptcoregtk4.1_0-2.50.4-1.mga9
lib(64)javascriptcoregtk6.0_1-2.50.4-1.mga9
lib(64)webkit2gtk-gir4.0-2.50.4-1.mga9
lib(64)webkit2gtk-gir4.1-2.50.4-1.mga9
lib(64)webkit2gtk4.0-devel-2.50.4-1.mga9
lib(64)webkit2gtk4.0_37-2.50.4-1.mga9
lib(64)webkit2gtk4.1-devel-2.50.4-1.mga9
lib(64)webkit2gtk4.1_0-2.50.4-1.mga9
lib(64)webkitgtk-gir6.0-2.50.4-1.mga9
lib(64)webkitgtk6.0-devel-2.50.4-1.mga9
lib(64)webkitgtk6.0_4-2.50.4-1.mga9
webkit2-driver-2.50.4-1.mga9
webkit2gtk4.0-2.50.4-1.mga9
webkit2gtk4.0-jsc-2.50.4-1.mga9
webkit2gtk4.1-2.50.4-1.mga9
webkit2gtk4.1-jsc-2.50.4-1.mga9
webkitgtk6.0-2.50.4-1.mga9
webkitgtk6.0-jsc-2.50.4-1.mga9

from SRPM:
webkit2-2.50.4-1.mga9.src.rpm

Source RPM: webkit2-2.50.3-1.mga10.src.rpm, webkit2-2.50.3-1.mga9.src.rpm => webkit2-2.50.3-1.mga9.src.rpm
Assignee: pkg-bugs => qa-bugs
Status comment: fixed upstream in 2.50.4 => (none)
Status: NEW => ASSIGNED

Comment 3 katnatek 2025-12-19 23:39:47 CET
Removed CVEs for Apple's system & software

Keywords: (none) => advisory
CVE: CVE-2025-14174, CVE-2025-43501, CVE-2025-43529, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536, CVE-2025-43541 => CVE-2025-43501, CVE-2025-43531, CVE-2025-43535, CVE-2025-43536

Comment 4 katnatek 2025-12-20 00:00:49 CET
installing webkit2gtk4.1-2.50.4-1.mga9.x86_64.rpm lib64javascriptcore-gir4.1-2.50.4-1.mga9.x86_64.rpm lib64javascriptcoregtk4.1_0-2.50.4-1.mga9.x86_64.rpm lib64webkit2gtk4.1_0-2.50.4-1.mga9.x86_64.rpm webkit2-driver-2.50.4-1.mga9.x86_64.rpm lib64webkit2gtk-gir4.1-2.50.4-1.mga9.x86_64.rpm from //home/katnatek/qa-testing/x86_64
Preparing...                     ###################################################################################################
      1/6: lib64javascriptcoregtk4.1_0
                                 ###################################################################################################
      2/6: lib64javascriptcore-gir4.1
                                 ###################################################################################################
      3/6: webkit2-driver        ###################################################################################################
      4/6: lib64webkit2gtk4.1_0  ###################################################################################################
      5/6: webkit2gtk4.1         ###################################################################################################
      6/6: lib64webkit2gtk-gir4.1
                                 ###################################################################################################
      1/6: removing lib64webkit2gtk-gir4.1-2.50.3-1.mga9.x86_64
                                 ###################################################################################################
      2/6: removing webkit2gtk4.1-2.50.3-1.mga9.x86_64
                                 ###################################################################################################
      3/6: removing lib64javascriptcore-gir4.1-2.50.3-1.mga9.x86_64
                                 ###################################################################################################
      4/6: removing lib64webkit2gtk4.1_0-2.50.3-1.mga9.x86_64
                                 ###################################################################################################
      5/6: removing lib64javascriptcoregtk4.1_0-2.50.3-1.mga9.x86_64
                                 ###################################################################################################
      6/6: removing webkit2-driver-2.50.3-1.mga9.x86_64
                                 ###################################################################################################

mcc works
poedit works
gnome-boxes works

Installed evolution; the application starts, but as I am not a user of the application
I can't confirm if bug#34855 is still here

Install epiphany, browse some mageia's sites 

Looks good here
Comment 5 Herman Viaene 2025-12-20 14:29:59 CET
MGA9-64 server Plasma Wayland on Compaq H000SB.
No installation issues.
Ref bug 34792.
Jumped around in MCC as test, opened a pdf with atril and used:
$ zenity --calendar
22/12/25
In view of other tests above, OK.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2025-12-20 17:44:57 CET
MGA9-32 Xfce on a HP Probook 6550b, i3 M350, Intel graphics. This install on this laptop has seen issues with MCC and webkit2. See bug 33208. 64-bit installs are OK.

I'm seeing this in drakrpm-update:

The following packages have to be removed for others to be upgraded:
libboost_python310_1.81.0-1.81.0-3.1.mga9.i586
 (due to missing libpython3.10.so.1.0)
libpython3.10-3.10.18-1.4.mga9.i586
 (due to unsatisfied libpython3.10-stdlib == 3.10.18-1.4.mga9)
libpython3.10-stdlib-3.10.18-1.4.mga9.i586
 (due to unsatisfied python(abi) == 3.10,
  due to missing libpython3.10.so.1.0)

Nobody is mentioning them in the 64-bit tests. Is this an issue, or should I go ahead with the 32-bit test?

CC: (none) => andrewsfarm

Comment 7 Herman Viaene 2025-12-20 17:58:35 CET
My guess is that those packages got installed as dependencies for some other package. Which one, your guess would be as good as mine, since I suspect that "how many?" are dependent on python libs.
I would proceed, but if your conscience keeps nagging you, try urpmq --whatrequires.
Comment 8 katnatek 2025-12-20 18:18:17 CET
(In reply to Thomas Andrews from comment #6)
> MGA9-32 Xfce on a HP Probook 6550b, i3 M350, Intel graphics. This install on
> this laptop has seen issues with MCC and webkit2. See bug 33208. 64-bit
> installs are OK.
> 
> I'm seeing this in drakrpm-update:
> 
> The following packages have to be removed for others to be upgraded:
> libboost_python310_1.81.0-1.81.0-3.1.mga9.i586
>  (due to missing libpython3.10.so.1.0)
> libpython3.10-3.10.18-1.4.mga9.i586
>  (due to unsatisfied libpython3.10-stdlib == 3.10.18-1.4.mga9)
> libpython3.10-stdlib-3.10.18-1.4.mga9.i586
>  (due to unsatisfied python(abi) == 3.10,
>   due to missing libpython3.10.so.1.0)
> 
> Nobody is mentioning them in the 64-bit tests. Is this an issue, or should I
> go ahead with the 32-bit test?

The interesting thing is the packages are i586
Did you have all the necessary 32b repositories enabled?
Comment 9 Thomas Andrews 2025-12-20 18:44:11 CET
Uh-oh. Now I see what has happened. I must have tried upgrading this install to Cauldron using urpmi a while back, so long ago that I forgot about it. It must have failed part way through, leaving me with a hybrid system, partly MGA9, partly MGA10, identifying itself as MGA9. 

I'm surprised it works as well as it does. Sorry about the noise.
Comment 10 Thomas Andrews 2025-12-20 18:52:22 CET
(In reply to katnatek from comment #8)
> (In reply to Thomas Andrews from comment #6)
> > MGA9-32 Xfce on a HP Probook 6550b, i3 M350, Intel graphics. This install on
> > this laptop has seen issues with MCC and webkit2. See bug 33208. 64-bit
> > installs are OK.
> > 
> > I'm seeing this in drakrpm-update:
> > 
> > The following packages have to be removed for others to be upgraded:
> > libboost_python310_1.81.0-1.81.0-3.1.mga9.i586
> >  (due to missing libpython3.10.so.1.0)
> > libpython3.10-3.10.18-1.4.mga9.i586
> >  (due to unsatisfied libpython3.10-stdlib == 3.10.18-1.4.mga9)
> > libpython3.10-stdlib-3.10.18-1.4.mga9.i586
> >  (due to unsatisfied python(abi) == 3.10,
> >   due to missing libpython3.10.so.1.0)
> > 
> > Nobody is mentioning them in the 64-bit tests. Is this an issue, or should I
> > go ahead with the 32-bit test?
> 
> The interesting thing is the packages are i586
> Did you have all the necessary 32b repositories enabled?

It's 64-bit hardware, but a 32-bit install. 32-bit repos are the only ones that are enabled.

Going to try finishing the upgrade, using drakrpm-edit-media --expert to enable the core repos for update, and see what happens. Probably would be easier and more reliable to do a clean install from the live media, but I'm curious...
Comment 11 Thomas Andrews 2025-12-20 18:56:07 CET
1677 packages left to go...
Comment 12 Thomas Andrews 2025-12-20 19:09:45 CET
Nope. Failed, miserably. On to other things.
Comment 13 Thomas Andrews 2025-12-20 20:31:02 CET
MGA9-32 Xfce on Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics

No installation issues. Checked with urpmq, ran MCC (no issues), and installed two Gnome games, four-in-a-row and five-or-more. Played a game of each with no issues, except that I lost to the computer.

Looks good on 32-bit real hardware.

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA9-64-OK => MGA9-64-OK MGA9-32-OK

Comment 14 Mageia Robot 2025-12-21 05:12:28 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0331.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

