On Thu, 2015-11-05 at 09:37 -0700, Kevin Fenzi wrote: > So, in no particular order: > > * I don't really think it's 'irresponsible' to ship midori in it's > current state. It's not ideal, but if you know of specific critical > issues not fixed, please let me know. There are two ways to look up WebKit security bugs: * You can just go through the WebKit commit history and look for bugs that you don't have permission to see. This way you can see what releases the bug was fixed in, and you can see the changes and the commit log description, but you cannot see the bug report nor what the CVEs were. This is what we've been doing recently when we provide a count of the number of security bugs fixed in a release. In this way, I can tell you that we've backported the following security fixes to the 2.10 branch in the past three weeks. I'm not going further back than three weeks, since it would take too long: https://trac.webkit.org/changeset/190820 https://trac.webkit.org/changeset/190570 https://trac.webkit.org/changeset/190339 There's never enough data in the commit message to make it easy to exploit the crash, for obvious reasons, but it's enough to be good starting points for bad guys. Anyway, if you assume one security issue a week, you can say you've missed roughly 40-50 security updates so far this year. Most of these let attackers control your computer. * You can look at Safari security advisories and read the CVEs listed under WebKit headings. Apple never releases any details on these bugs except when Google discovers the bug; it's almost always "Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution." You don't know what WebKitGTK+ release a CVE was fixed in, nor whether the bug is a Mac- specific issue or a cross-platform issue, nor can you see the commit the CVE was fixed in. (We were able to say what CVEs were fixed in a WebKitGTK+ release for the first time with 2.4.8... and that was also the last time, since Apple stopped providing us with that info.) Just the most recent advisories indicate: September: 34 bugs with impact "Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution" https://support.apple.com/en-us/HT205377 October: 9 bugs with impact "Visiting a maliciously crafted website may lead to arbitrary code execution" https://support.apple.com/kb/HT205377 You can imagine that there are hundreds of such issues fixed since January. I'm concerned that the number of CVEs reported here is much greater than the number of security bugs found by going through the changelog, and can't explain the difference. > * Midori upstream is working on moving to webkit2 (for quite a while > now). They have the base browser pretty much done, but they still > are > working on porting some of the plugins. They keep hoping to switch > defaults soon, but they are a small project and have as much time > as > they have. Any assistance with porting I'm sure would be welcome. Unfortunately there are too many apps that need assistance with porting. :( We have to focus on the GNOME stuff first, which is still not done. Midori's switch to WK2 has been taking very long, and it will be great if they manage to finish soon. Note that all of my complaints about Midori being insecure apply equally to Evolution and Geary (unless you turn off display of HTML mail) and anything else stuck on 2.4. Michael -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
