WebKitGTK+ security status

Hi,

This mail is in regard to WSA-2015-0002: http://webkitgtk.org/security/WSA-2015-0002.html

In short, we have by my count:

* Zero CVEs affecting the webkitgtk4 package in F23
* 40 CVEs affecting the webkitgtk4 package in F22
* 129 CVEs affecting the webkitgtk and webkitgtk3 packages in F22/F23

The vast majority of these issues allow for "remote attackers to
execute arbitrary code or cause a denial of service (memory corruption
and application crash) via a crafted web site."

My proposal is to update webkitgtk4 in F22 from 2.8.5 to 2.10.4 and
hope that not much breaks. This is probably relatively safe, since
2.10.4 has been in F23 for a while, I'm not aware of any issues related
to the upgrade, and it's API/ABI compatible. 2.8 -> 2.10 is a major
upgrade encompassing six months of development on WebKit trunk (from
February to August 2015). This means there will inevitably be
regressions. Normally I don't advocate large version updates for stable
Fedora releases, but web engines are special in that it's the only
practical way to provide security support. We can't backport 40 patches
to F22, so if we don't do this update, we should instead announce that
security support for webkitgtk4 is provided only to the latest Fedora
release.

Certainly it's not practical to provide security support for the
webkitgtk or webkitgtk3 packages going forward. We can either remove
them from the distro at some flag date (F25 branch point?), or ignore
the problem like we do for qtwebkit. Probably the latter is a better
approach, since there is a lot that still depends on these packages.

'repoquery --whatrequires webkitgtk' says:

atril-0:1.10.2-1.fc23.x86_64
atril-0:1.12.1-1.fc23.x86_64
atril-libs-0:1.10.2-1.fc23.i686
atril-libs-0:1.10.2-1.fc23.x86_64
atril-libs-0:1.12.1-1.fc23.i686
atril-libs-0:1.12.1-1.fc23.x86_64
banshee-0:2.6.2-12.fc23.x86_64
claws-mail-plugins-fancy-0:3.12.0-1.fc23.x86_64
compat-wxGTK3-gtk2-0:3.0.2-5.1.fc23.i686
compat-wxGTK3-gtk2-0:3.0.2-5.1.fc23.x86_64
compat-wxGTK3-gtk2-0:3.0.2-6.fc23.i686
compat-wxGTK3-gtk2-0:3.0.2-6.fc23.x86_64
eclipse-swt-1:4.5.1-1.fc23.x86_64
eclipse-swt-1:4.5.1-6.fc23.x86_64
geany-plugins-devhelp-0:1.24-6.fc23.x86_64
geany-plugins-devhelp-0:1.25-4.fc23.x86_64
geany-plugins-markdown-0:1.24-6.fc23.x86_64
geany-plugins-markdown-0:1.25-4.fc23.x86_64
geany-plugins-webhelper-0:1.24-6.fc23.x86_64
geany-plugins-webhelper-0:1.25-4.fc23.x86_64
ghc-webkit-0:0.13.1.3-1.fc23.x86_64
gimp-2:2.8.14-3.fc23.x86_64
gimp-2:2.8.16-1.fc23.x86_64
gimp-help-browser-2:2.8.14-3.fc23.x86_64
gimp-help-browser-2:2.8.16-1.fc23.x86_64
gmpc-0:11.8.16-9.fc23.x86_64
gnucash-0:2.6.9-1.fc23.x86_64
gphpedit-0:0.9.98-0.10.RC1.fc23.x86_64
guitarix-0:0.34.0-1.fc23.x86_64
gyachi-0:1.2.11-13.fc23.x86_64
jumanji-0:0-5.20111209git963b309.fc23.x86_64
kazehakase-webkit-0:0.5.8-19.svn3873_trunk.fc23.x86_64
lekhonee-gnome-0:0.12-8.fc23.x86_64
midori-0:0.5.10-2.fc23.i686
midori-0:0.5.10-2.fc23.x86_64
midori-0:0.5.11-1.fc23.i686
midori-0:0.5.11-1.fc23.x86_64
osmo-0:0.2.12-0.8.svn924.fc23.1.x86_64
perl-Gtk2-WebKit-0:0.09-13.fc23.x86_64
pywebkitgtk-0:1.1.8-10.fc23.x86_64
surf-0:0.6-5.fc23.x86_64
techne-0:0.2.3-15.fc23.x86_64
webkit-sharp-0:0.3-16.fc23.x86_64
webkitgtk-devel-0:2.4.9-3.fc23.i686
webkitgtk-devel-0:2.4.9-3.fc23.x86_64
webkitgtk-doc-0:2.4.9-3.fc23.noarch
xiphos-gtk2-0:4.0.3-1.fc23.x86_64
xiphos-gtk2-0:4.0.4-1.fc23.x86_64

'repoquery --whatrequires webkitgtk3' says:

balsa-0:2.5.2-2.fc23.x86_64
bijiben-0:3.18.1-1.fc23.x86_64
bijiben-0:3.18.2-1.fc23.x86_64
cairo-dock-plug-ins-webkit-0:3.4.1-4.fc23.x86_64
dwb-0:2014.03.07-4.fc22.x86_64
empathy-0:3.12.11-1.fc23.x86_64
evolution-0:3.18.1-1.fc23.i686
evolution-0:3.18.1-1.fc23.x86_64
evolution-0:3.18.3-1.fc23.i686
evolution-0:3.18.3-1.fc23.x86_64
evolution-bogofilter-0:3.18.1-1.fc23.x86_64
evolution-bogofilter-0:3.18.3-1.fc23.x86_64
evolution-ews-0:3.18.1-1.fc23.x86_64
evolution-ews-0:3.18.3-1.fc23.x86_64
evolution-mapi-0:3.18.0-1.fc23.i686
evolution-mapi-0:3.18.0-1.fc23.x86_64
evolution-mapi-0:3.18.3-1.fc23.i686
evolution-mapi-0:3.18.3-1.fc23.x86_64
evolution-pst-0:3.18.1-1.fc23.x86_64
evolution-pst-0:3.18.3-1.fc23.x86_64
evolution-rss-1:0.3.95-4.fc23.x86_64
evolution-spamassassin-0:3.18.1-1.fc23.x86_64
evolution-spamassassin-0:3.18.3-1.fc23.x86_64
geary-0:0.10.0-3.fc23.x86_64
gnome-web-photo-0:0.10.5-8.fc23.x86_64
gphotoframe-0:2.0.2-1.hg2084299dffb6.fc23.1.noarch
libproxy-webkitgtk3-0:0.4.11-12.fc23.x86_64
liferea-1:1.10.16-1.fc23.x86_64
liferea-1:1.10.17-1.fc23.x86_64
nemo-preview-0:2.6.x-5.fc23.x86_64
nemo-preview-0:2.8.x-2.fc23.x86_64
nuvolaplayer-0:2.5-1.fc22.x86_64
rhythmbox-0:3.2.1-3.fc23.i686
rhythmbox-0:3.2.1-3.fc23.x86_64
rhythmbox-lirc-0:3.2.1-3.fc23.x86_64
rubygem-webkit-gtk-0:3.0.5-1.fc23.noarch
rubygem-webkit-gtk-0:3.0.7-1.fc23.noarch
seed-0:3.8.1-6.fc23.i686
seed-0:3.8.1-6.fc23.x86_64
shotwell-0:0.22.0-5.fc23.x86_64
sugar-browse-0:157.2-1.fc23.noarch
uzbl-core-0:0-0.38.20120514git228bc38cbd.fc23.x86_64
vfrnav-0:20150429-1.fc23.i686
vfrnav-0:20150429-1.fc23.x86_64
webkitgtk3-devel-0:2.4.9-3.fc23.i686
webkitgtk3-devel-0:2.4.9-3.fc23.x86_64
webkitgtk3-doc-0:2.4.9-3.fc23.noarch
wxGTK3-0:3.0.2-8.fc23.i686
wxGTK3-0:3.0.2-8.fc23.x86_64
wxGTK3-0:3.0.2-11.fc23.i686
wxGTK3-0:3.0.2-11.fc23.x86_64
xiphos-gtk3-0:4.0.3-1.fc23.x86_64
xiphos-gtk3-0:4.0.4-1.fc23.x86_64
yelp-2:3.17.2-3.fc23.x86_64
yelp-libs-2:3.17.2-3.fc23.i686
yelp-libs-2:3.17.2-3.fc23.x86_64

Michael
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
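The two repoquery listings above count the same dependent several times, once per version and architecture that the repository still carries, so the raw line count overstates the number of packages a maintainer would actually have to deal with. The script below is an added example, not part of the mail or of any Fedora tooling: it parses the NEVRA form repoquery prints (name-epoch:version-release.arch, with the name itself allowed to contain dashes), drops the library's own -devel/-doc subpackages, reports the unique dependents, and flags dependents whose newest build still carries an older dist tag (such as the .fc22 entries in the webkitgtk3 list), which is a quick way to spot packages nobody has rebuilt for the current release. The sample input is constructed from a subset of the listing above; the function and argument names are my own.

```python
"""Collapse a `repoquery --whatrequires <pkg>` listing to unique dependents.

Added example, not from the original mail. repoquery prints one RPM NEVRA
(name-epoch:version-release.arch) per line, for every version and arch it
knows about, so one package shows up many times. Parse the format, drop the
library's own subpackages, count unique dependents and flag stale builds.
"""
import re
import sys
from typing import Dict, List

# Constructed sample: a subset of the webkitgtk3 listing in the mail.
SAMPLE_WEBKITGTK3 = """\
balsa-0:2.5.2-2.fc23.x86_64
dwb-0:2014.03.07-4.fc22.x86_64
evolution-0:3.18.1-1.fc23.i686
evolution-0:3.18.1-1.fc23.x86_64
evolution-0:3.18.3-1.fc23.x86_64
evolution-rss-1:0.3.95-4.fc23.x86_64
gphotoframe-0:2.0.2-1.hg2084299dffb6.fc23.1.noarch
nuvolaplayer-0:2.5-1.fc22.x86_64
webkitgtk3-devel-0:2.4.9-3.fc23.x86_64
webkitgtk3-doc-0:2.4.9-3.fc23.noarch
yelp-2:3.17.2-3.fc23.x86_64
"""

DIST_TAG = re.compile(r"\.fc(\d+)")  # Fedora dist tag inside the release field


def parse_nevra(nevra: str) -> Dict[str, str]:
    """Split name-epoch:version-release.arch into its fields.

    Names may contain '-' and releases may contain '.', so every field is
    peeled off from the right; the name is whatever remains at the end."""
    rest, arch = nevra.rsplit(".", 1)
    rest, release = rest.rsplit("-", 1)
    rest, version = rest.rsplit(":", 1)
    name, epoch = rest.rsplit("-", 1)
    return {"name": name, "epoch": epoch, "version": version,
            "release": release, "arch": arch}


def summarize(listing: str, library: str, fedora: int) -> Dict[str, object]:
    """Unique dependents of `library` (its own subpackages excluded) and the
    subset whose newest build has a dist tag older than release `fedora`."""
    newest_dist: Dict[str, int] = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        pkg = parse_nevra(line)
        # webkitgtk3-devel / webkitgtk3-doc are the library itself, not users of it
        if pkg["name"] == library or pkg["name"].startswith(library + "-"):
            continue
        m = DIST_TAG.search(pkg["release"])
        dist = int(m.group(1)) if m else 0
        newest_dist[pkg["name"]] = max(newest_dist.get(pkg["name"], 0), dist)
    names: List[str] = sorted(newest_dist)
    stale = [n for n in names if newest_dist[n] < fedora]
    return {"dependents": names, "count": len(names), "stale": stale}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # usage: repoquery --whatrequires webkitgtk3 | python3 deps.py webkitgtk3 23
        result = summarize(sys.stdin.read(), sys.argv[1], int(sys.argv[2]))
    else:
        result = summarize(SAMPLE_WEBKITGTK3, "webkitgtk3", 23)
    print(f"{result['count']} unique dependents: {', '.join(result['dependents'])}")
    print("not rebuilt for this release:", ", ".join(result["stale"]) or "none")
```

Run without arguments it summarizes the embedded sample; piped from a real repoquery it does the same for the live repository. Peeling the fields from the right is the important detail: splitting on the first '-' would mangle names such as evolution-rss or eclipse-swt.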