Gentoo Archives: gentoo-announce

From: "Christopher Díaz Riveros" <chrisadr@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201803-11 ] WebKitGTK+: Multiple Vulnerabilities
Date: Thu, 22 Mar 2018 00:31:55
Message-Id: 1521678631.23921.11.camel@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 201803-11
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 https://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: WebKitGTK+: Multiple Vulnerabilities
9 Date: March 22, 2018
10 Bugs: #645686
11 ID: 201803-11
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Multiple vulnerabilities have been found in WebKitGTK+, the worst of
19 which may lead to arbitrary code execution.
20
21 Background
22 ==========
23
24 WebKitGTK+ is a full-featured port of the WebKit rendering engine,
25 suitable for projects requiring any kind of web integration, from
26 hybrid HTML/CSS applications to full-fledged web browsers.
27
28 Affected packages
29 =================
30
31 -------------------------------------------------------------------
32 Package / Vulnerable / Unaffected
33 -------------------------------------------------------------------
34 1 net-libs/webkit-gtk < 2.18.6 >= 2.18.6
35
36 Description
37 ===========
38
39 Multiple vulnerabilities have been discovered in WebKitGTK+. Please
40 review the referenced CVE identifiers for details.
41
42 Impact
43 ======
44
45 An attacker could execute arbitrary commands via maliciously crafted
46 web content.
47
48 Workaround
49 ==========
50
51 There is no known workaround at this time.
52
53 Resolution
54 ==========
55
56 All WebKitGTK+ users should upgrade to the latest version:
57
58 # emerge --sync
59 # emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.18.6"
60
61 References
62 ==========
63
64 [ 1 ] CVE-2017-13884
65 https://nvd.nist.gov/vuln/detail/CVE-2017-13884
66 [ 2 ] CVE-2017-13885
67 https://nvd.nist.gov/vuln/detail/CVE-2017-13885
68 [ 3 ] CVE-2017-7153
69 https://nvd.nist.gov/vuln/detail/CVE-2017-7153
70 [ 4 ] CVE-2017-7160
71 https://nvd.nist.gov/vuln/detail/CVE-2017-7160
72 [ 5 ] CVE-2017-7161
73 https://nvd.nist.gov/vuln/detail/CVE-2017-7161
74 [ 6 ] CVE-2017-7165
75 https://nvd.nist.gov/vuln/detail/CVE-2017-7165
76 [ 7 ] CVE-2018-4088
77 https://nvd.nist.gov/vuln/detail/CVE-2018-4088
78 [ 8 ] CVE-2018-4089
79 https://nvd.nist.gov/vuln/detail/CVE-2018-4089
80 [ 9 ] CVE-2018-4096
81 https://nvd.nist.gov/vuln/detail/CVE-2018-4096
82
83 Availability
84 ============
85
86 This GLSA and any updates to it are available for viewing at
87 the Gentoo Security Website:
88
89 https://security.gentoo.org/glsa/201803-11
90
91 Concerns?
92 =========
93
94 Security is a primary focus of Gentoo Linux and ensuring the
95 confidentiality and security of our users' machines is of utmost
96 importance to us. Any security concerns should be addressed to
97 security@g.o or alternatively, you may file a bug at
98 https://bugs.gentoo.org.
99
100 License
101 =======
102
103 Copyright 2018 Gentoo Foundation, Inc; referenced text
104 belongs to its owner(s).
105
106 The contents of this document are licensed under the
107 Creative Commons - Attribution / Share Alike license.
108
109 https://creativecommons.org/licenses/by-sa/2.5

Attachments

File name MIME type
signature.asc application/pgp-signature