[Git][security-tracker-team/security-tracker][master] Add fixed versions for several WebKit CVEs from recent Apple advisories
Alberto Garcia (@berto)
berto at debian.org
Fri Nov 3 11:52:48 GMT 2023
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a8d80b1b by Alberto Garcia at 2023-11-03T12:51:55+01:00
Add fixed versions for several WebKit CVEs from recent Apple advisories
- - - - -
2 changed files:
- data/CVE/list
- data/DSA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -1578,7 +1578,11 @@ CVE-2023-34447 (iTop is an open source, web-based IT service management platform
CVE-2023-34446 (iTop is an open source, web-based IT service management platform. Prio ...)
NOT-FOR-US: iTop
CVE-2023-32359 (This issue was addressed with improved redaction of sensitive informat ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.42.0-1
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ - wpewebkit 2.42.0-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.42 can no longer be sensibly backported)
CVE-2023-46660 (Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time compari ...)
NOT-FOR-US: Jenkins plugin
CVE-2023-46659 (Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac ...)
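Review bot: The new CVE-2023-32359 block records 2.42.0-1 as the fixed version for both webkit2gtk and wpewebkit but carries no NOTE line saying which advisory that version comes from. The commit message only says "recent Apple advisories", so a NOTE with the advisory reference under the entry would let the next reader verify the version and the two wpewebkit `<ignored>` reasons without searching.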
@@ -58564,7 +58568,8 @@ CVE-2022-46727
CVE-2022-46726
RESERVED
CVE-2022-46725 (A spoofing issue existed in the handling of URLs. This issue was addre ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.38.4-1
+ - wpewebkit 2.38.4-1
CVE-2022-46724 (This issue was addressed by restricting options offered on a locked de ...)
NOT-FOR-US: Apple
CVE-2022-46723 (This issue was addressed with improved checks. This issue is fixed in ...)
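Review bot: The CVE-2022-46725 entry adds `- webkit2gtk 2.38.4-1` with no suite annotation, whereas the CVE-2023-32359 entry in the first hunk of this file explicitly marks `[buster] - webkit2gtk <end-of-life>`. If buster is meant to be treated the same way here, add the matching `[buster]` line; the same question applies to the other 2.38.x entries added in this commit.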
@@ -58604,7 +58609,8 @@ CVE-2022-46707
CVE-2022-46706 (A type confusion issue was addressed with improved state handling. Thi ...)
NOT-FOR-US: Apple
CVE-2022-46705 (A spoofing issue existed in the handling of URLs. This issue was addre ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.38.4-1
+ - wpewebkit 2.38.4-1
CVE-2022-46704 (A logic issue was addressed with improved state management. This issue ...)
NOT-FOR-US: Apple
CVE-2022-46703 (A logic issue was addressed with improved restrictions. This issue is ...)
@@ -99745,8 +99751,9 @@ CVE-2022-32935 (A lock screen issue was addressed with improved state management
NOT-FOR-US: Apple
CVE-2022-32934 (The issue was addressed with improved memory handling. This issue is f ...)
NOT-FOR-US: Apple
-CVE-2022-32933
- RESERVED
+CVE-2022-32933 [A website may be able to track the websites a user visited in Safari private browsing mode]
+ - webkit2gtk 2.38.0-1
+ - wpewebkit 2.38.0-1
CVE-2022-32932 (The issue was addressed with improved memory handling. This issue is f ...)
NOT-FOR-US: Apple
CVE-2022-32931
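Review bot: The bracketed description added for CVE-2022-32933 is worded around Safari private browsing mode, while the lines under it track webkit2gtk and wpewebkit. Because it replaces a RESERVED entry, this hand-written text is the only description a reader of the entry will see, so consider wording it in terms of the engine to make clear why the issue applies to these packages.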
@@ -99776,8 +99783,9 @@ CVE-2022-32921
REJECTED
CVE-2022-32920 (The issue was addressed with improved checks. This issue is fixed in X ...)
NOT-FOR-US: Apple Xcode
-CVE-2022-32919
- RESERVED
+CVE-2022-32919 [Visiting a website that frames malicious content may lead to UI spoofing]
+ - webkit2gtk 2.38.4-1
+ - wpewebkit 2.38.4-1
CVE-2022-32918 (This issue was addressed with improved data protection. This issue is ...)
NOT-FOR-US: Apple
CVE-2022-32917 (The issue was addressed with improved bounds checks. This issue is fix ...)
=====================================
data/DSA/list
=====================================
@@ -75,7 +75,7 @@
[12 Oct 2023] DSA-5522-2 tomcat9 - regression update
[bullseye] - tomcat9 9.0.43-2~deb11u8
[12 Oct 2023] DSA-5527-1 webkit2gtk - security update
- {CVE-2023-39928 CVE-2023-41074 CVE-2023-41993}
+ {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993}
[bullseye] - webkit2gtk 2.42.1-1~deb11u1
[bookworm] - webkit2gtk 2.42.1-1~deb12u1
[12 Oct 2023] DSA-5526-1 chromium - security update
@@ -710,10 +710,10 @@
{CVE-2023-0494}
[bullseye] - xorg-server 2:1.20.11-1+deb11u5
[06 Feb 2023] DSA-5341-1 wpewebkit - security update
- {CVE-2022-42826 CVE-2023-23517 CVE-2023-23518}
+ {CVE-2022-32919 CVE-2022-42826 CVE-2022-46705 CVE-2022-46725 CVE-2023-23517 CVE-2023-23518}
[bullseye] - wpewebkit 2.38.4-1~deb11u1
[06 Feb 2023] DSA-5340-1 webkit2gtk - security update
- {CVE-2022-42826 CVE-2023-23517 CVE-2023-23518}
+ {CVE-2022-32919 CVE-2022-42826 CVE-2022-46705 CVE-2022-46725 CVE-2023-23517 CVE-2023-23518}
[bullseye] - webkit2gtk 2.38.4-2~deb11u1
[05 Feb 2023] DSA-5339-1 libhtml-stripscripts-perl - security update
{CVE-2023-24038}
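Review bot: For DSA-5340-1 the suite version is `webkit2gtk 2.38.4-2~deb11u1`, but data/CVE/list in this same commit records `webkit2gtk 2.38.4-1` as the fixed version for CVE-2022-32919, CVE-2022-46705 and CVE-2022-46725. The two are compatible, since the DSA version is based on a later revision, but it is worth confirming that the fixes were already present in 2.38.4-1 rather than arriving with the -2 upload.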
@@ -1013,10 +1013,10 @@
{CVE-2022-29599}
[bullseye] - maven-shared-utils 3.3.0-1+deb11u1
[28 Sep 2022] DSA-5241-1 wpewebkit - security update
- {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+ {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
[bullseye] - wpewebkit 2.38.0-1~deb11u1
[28 Sep 2022] DSA-5240-1 webkit2gtk - security update
- {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+ {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
[bullseye] - webkit2gtk 2.38.0-1~deb11u1
[27 Sep 2022] DSA-5239-1 gdal - security update
{CVE-2021-45943}
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a8d80b1b0de6f9a1ded4ed1c040e06e8f98ee8cd