
From: Thomas Deutschmann <whissi@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 202003-22 ] WebkitGTK+: Multiple vulnerabilities
Date: Sun, 15 Mar 2020 04:45:06
Message-Id: 8ef58b6f-4ba4-539b-6a49-74a6e6302bdc@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 202003-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: WebKitGTK+: Multiple vulnerabilities
Date: March 15, 2020
Bugs: #699156, #706374, #709612
ID: 202003-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in WebKitGTK+, the worst of
which may lead to arbitrary code execution.

Background
==========

WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from
hybrid HTML/CSS applications to full-fledged web browsers.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-libs/webkit-gtk < 2.26.4 >= 2.26.4

Description
===========

Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the referenced CVE identifiers for details.

Impact
======

A remote attacker could execute arbitrary code, cause a Denial of
Service condition, bypass intended memory-read restrictions, conduct a
timing side-channel attack to bypass the Same Origin Policy, or obtain
sensitive information.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All WebKitGTK+ users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/webkit-gtk-2.26.4"

References
==========

[ 1 ] CVE-2019-8625
https://nvd.nist.gov/vuln/detail/CVE-2019-8625
[ 2 ] CVE-2019-8674
https://nvd.nist.gov/vuln/detail/CVE-2019-8674
[ 3 ] CVE-2019-8707
https://nvd.nist.gov/vuln/detail/CVE-2019-8707
[ 4 ] CVE-2019-8710
https://nvd.nist.gov/vuln/detail/CVE-2019-8710
[ 5 ] CVE-2019-8719
https://nvd.nist.gov/vuln/detail/CVE-2019-8719
[ 6 ] CVE-2019-8720
https://nvd.nist.gov/vuln/detail/CVE-2019-8720
[ 7 ] CVE-2019-8726
https://nvd.nist.gov/vuln/detail/CVE-2019-8726
[ 8 ] CVE-2019-8733
https://nvd.nist.gov/vuln/detail/CVE-2019-8733
[ 9 ] CVE-2019-8735
https://nvd.nist.gov/vuln/detail/CVE-2019-8735
[ 10 ] CVE-2019-8743
https://nvd.nist.gov/vuln/detail/CVE-2019-8743
[ 11 ] CVE-2019-8763
https://nvd.nist.gov/vuln/detail/CVE-2019-8763
[ 12 ] CVE-2019-8764
https://nvd.nist.gov/vuln/detail/CVE-2019-8764
[ 13 ] CVE-2019-8765
https://nvd.nist.gov/vuln/detail/CVE-2019-8765
[ 14 ] CVE-2019-8766
https://nvd.nist.gov/vuln/detail/CVE-2019-8766
[ 15 ] CVE-2019-8768
https://nvd.nist.gov/vuln/detail/CVE-2019-8768
[ 16 ] CVE-2019-8769
https://nvd.nist.gov/vuln/detail/CVE-2019-8769
[ 17 ] CVE-2019-8771
https://nvd.nist.gov/vuln/detail/CVE-2019-8771
[ 18 ] CVE-2019-8782
https://nvd.nist.gov/vuln/detail/CVE-2019-8782
[ 19 ] CVE-2019-8783
https://nvd.nist.gov/vuln/detail/CVE-2019-8783
[ 20 ] CVE-2019-8808
https://nvd.nist.gov/vuln/detail/CVE-2019-8808
[ 21 ] CVE-2019-8811
https://nvd.nist.gov/vuln/detail/CVE-2019-8811
[ 22 ] CVE-2019-8812
https://nvd.nist.gov/vuln/detail/CVE-2019-8812
[ 23 ] CVE-2019-8813
https://nvd.nist.gov/vuln/detail/CVE-2019-8813
[ 24 ] CVE-2019-8814
https://nvd.nist.gov/vuln/detail/CVE-2019-8814
[ 25 ] CVE-2019-8815
https://nvd.nist.gov/vuln/detail/CVE-2019-8815
[ 26 ] CVE-2019-8816
https://nvd.nist.gov/vuln/detail/CVE-2019-8816
[ 27 ] CVE-2019-8819
https://nvd.nist.gov/vuln/detail/CVE-2019-8819
[ 28 ] CVE-2019-8820
https://nvd.nist.gov/vuln/detail/CVE-2019-8820
[ 29 ] CVE-2019-8821
https://nvd.nist.gov/vuln/detail/CVE-2019-8821
[ 30 ] CVE-2019-8822
https://nvd.nist.gov/vuln/detail/CVE-2019-8822
[ 31 ] CVE-2019-8823
https://nvd.nist.gov/vuln/detail/CVE-2019-8823
[ 32 ] CVE-2019-8835
https://nvd.nist.gov/vuln/detail/CVE-2019-8835
[ 33 ] CVE-2019-8844
https://nvd.nist.gov/vuln/detail/CVE-2019-8844
[ 34 ] CVE-2019-8846
https://nvd.nist.gov/vuln/detail/CVE-2019-8846
[ 35 ] CVE-2020-3862
https://nvd.nist.gov/vuln/detail/CVE-2020-3862
[ 36 ] CVE-2020-3864
https://nvd.nist.gov/vuln/detail/CVE-2020-3864
[ 37 ] CVE-2020-3865
https://nvd.nist.gov/vuln/detail/CVE-2020-3865
[ 38 ] CVE-2020-3867
https://nvd.nist.gov/vuln/detail/CVE-2020-3867
[ 39 ] CVE-2020-3868
https://nvd.nist.gov/vuln/detail/CVE-2020-3868

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/202003-22

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2020 Gentoo Foundation, Inc.; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5
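An added example, not part of the GLSA: an offline check that maps an installed net-libs/webkit-gtk version string onto the "< 2.26.4" vulnerable range from the Affected packages table, for use in inventory scripts on hosts where running the upgrade is not immediately possible. It assumes Gentoo's N.N.N[-rN] version form and GNU/busybox `sort -V`; pre-release suffixes (_rc, _pre) are not handled, and on a live Gentoo system `glsa-check` (app-portage/gentoolkit) remains the authoritative tool.

```shell
#!/bin/sh
# Added example (not part of GLSA 202003-22): offline version-range check
# for net-libs/webkit-gtk against the advisory's "Unaffected" boundary.
# Assumptions: versions look like 2.26.3 or 2.26.3-r1; `sort -V` is available.

FIXED_VERSION="2.26.4"   # ">= 2.26.4" is unaffected per the Affected packages table

# Return 0 (true) when $1 sorts strictly below FIXED_VERSION, i.e. when the
# installed version is inside the "< 2.26.4" vulnerable range.
webkit_gtk_vulnerable() {
    ver="${1#net-libs/webkit-gtk-}"   # accept a full atom such as net-libs/webkit-gtk-2.26.3
    ver="${ver%-r[0-9]*}"             # drop the Gentoo revision suffix (-r1, -r2, ...)
    [ "$ver" = "$FIXED_VERSION" ] && return 1
    # The first line of a version-sorted pair is the lower version.
    lowest=$(printf '%s\n%s\n' "$ver" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$ver" ]
}

# Print a one-line verdict for one host/version pair; always returns 0 so the
# caller's loop keeps going under `set -e`.
report_webkit_gtk() {
    if webkit_gtk_vulnerable "$2"; then
        printf 'VULNERABLE  %-12s %s (< %s, GLSA 202003-22)\n' "$1" "$2" "$FIXED_VERSION"
    else
        printf 'OK          %-12s %s (>= %s)\n' "$1" "$2" "$FIXED_VERSION"
    fi
    return 0
}

# Constructed sample inventory (host, installed version); not real hosts.
for entry in "build01:2.24.4" "desk02:2.26.3-r1" "desk03:2.26.4" "kiosk04:2.26.4-r2" "lab05:2.28.0"; do
    report_webkit_gtk "${entry%%:*}" "${entry#*:}"
done
```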
