Re: WebKitGTK+ security status

On Mon, 2015-12-28 at 14:24 -0600, Michael Catanzaro wrote:
> This mail is in regards to WSA-2015-0002: http://webkitgtk.org/security/WSA-2015-0002.html
> 
> In short, we have by my count:
> 
> * Zero CVEs affecting the webkitgtk4 package in F23
> * 40 CVEs affecting the webkitgtk4 package in F22
> * 129 CVEs affecting the webkitgtk and webkitgtk3 packages in F22/F23
> 
> The vast majority of these issues allow for "remote attackers to
> execute arbitrary code or cause a denial of service (memory corruption
> and application crash) via a crafted web site."
> 
> My proposal is to update webkitgtk4 in F22 from 2.8.5 to 2.10.4 and
> hope that not much breaks. This is probably relatively safe, since
> 2.10.4 has been in F23 for a while, I'm not aware of any issues related
> to the upgrade, and it's API/ABI compatible. 2.8 -> 2.10 is a major
> upgrade encompassing six months of development on WebKit trunk (from
> February to August 2015). This means there will inevitably be
> regressions. Normally I don't advocate large version updates for stable
> Fedora releases, but web engines are special in that it's the only
> practical way to provide security support. We can't backport 40 patches
> to F22, so if we don't do this update, we should instead announce that
> security support for webkitgtk4 is provided only to the latest Fedora
> release.
> 
> Certainly it's not practical to provide security support for the
> webkitgtk or webkitgtk3 packages going forward. We can either remove
> them from the distro at some flag date (F25 branch point?), or ignore
> the problem like we do for qtwebkit. Probably the latter is a better
> approach, since there is a lot that still depends on these packages.

As we already spoke about this at the Web Engines Hackfest, I'm in favor
of doing the rebase. If no one raises any objections by the end of
the week, we will proceed with the rebase.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx