[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2023-0010

Alberto Garcia (@berto) berto at debian.org
Wed Nov 15 21:46:49 GMT 2023



Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker


Commits:
da193412 by Alberto Garcia at 2023-11-15T22:46:16+01:00
webkit2gtk / wpewebkit upstream advisory WSA-2023-0010

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -3482,7 +3482,12 @@ CVE-2023-42856 (The issue was addressed with improved memory handling. This issu
 CVE-2023-42854 (This issue was addressed by removing the vulnerable code. This issue i ...)
 	NOT-FOR-US: Apple
 CVE-2023-42852 (A logic issue was addressed with improved checks. This issue is fixed  ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.42.2-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit 2.42.2-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.42 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2023-0010.html
 CVE-2023-42850 (The issue was addressed with improved permissions logic. This issue is ...)
 	NOT-FOR-US: Apple
 CVE-2023-42849 (The issue was addressed with improved memory handling. This issue is f ...)
@@ -3522,7 +3527,11 @@ CVE-2023-41989 (The issue was addressed by restricting options offered on a lock
 CVE-2023-41988 (This issue was addressed by restricting options offered on a locked de ...)
 	NOT-FOR-US: Apple
 CVE-2023-41983 (The issue was addressed with improved memory handling. This issue is f ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.42.2-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit 2.42.2-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	NOTE: https://webkitgtk.org/security/WSA-2023-0010.html
 CVE-2023-41982 (This issue was addressed by restricting options offered on a locked de ...)
 	NOT-FOR-US: Apple
 CVE-2023-41977 (The issue was addressed with improved handling of caches. This issue i ...)
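Review bot: the CVE-2023-41983 entry has no [bullseye] line for wpewebkit, unlike the CVE-2023-42852 entry in the previous hunk, although both record the same fixed version, wpewebkit 2.42.2-1. If the backporting reason applies here too, add `[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.42 can no longer be sensibly backported)` after the [bookworm] line; if the omission is deliberate, a NOTE saying why would keep the two entries from looking inconsistent.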
@@ -3594,6 +3603,7 @@ CVE-2023-32359 (This issue was addressed with improved redaction of sensitive in
 	- wpewebkit 2.42.0-1
 	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
 	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.42 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2023-0010.html
 CVE-2023-46660 (Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time compari ...)
 	NOT-FOR-US: Jenkins plugin
 CVE-2023-46659 (Jenkins Edgewall Trac Plugin 1.13 and earlier does not escape the Trac ...)
@@ -60696,6 +60706,7 @@ CVE-2022-46725 (A spoofing issue existed in the handling of URLs. This issue was
 	{DSA-5341-1 DSA-5340-1}
 	- webkit2gtk 2.38.4-1
 	- wpewebkit 2.38.4-1
+	NOTE: https://webkitgtk.org/security/WSA-2023-0010.html
 CVE-2022-46724 (This issue was addressed by restricting options offered on a locked de ...)
 	NOT-FOR-US: Apple
 CVE-2022-46723 (This issue was addressed with improved checks. This issue is fixed in  ...)
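Review bot: missing documentation for the NOTE added under CVE-2022-46725: the entry already records fixes in 2.38.4-1 and DSA-5341-1 DSA-5340-1, and the commit message only names the advisory. A sentence in the commit message saying why an already-fixed entry gains a reference to WSA-2023-0010 would help later readers; the same applies to the other NOTE-only hunks in this file.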
@@ -60738,6 +60749,7 @@ CVE-2022-46705 (A spoofing issue existed in the handling of URLs. This issue was
 	{DSA-5341-1 DSA-5340-1}
 	- webkit2gtk 2.38.4-1
 	- wpewebkit 2.38.4-1
+	NOTE: https://webkitgtk.org/security/WSA-2023-0010.html
 CVE-2022-46704 (A logic issue was addressed with improved state management. This issue ...)
 	NOT-FOR-US: Apple
 CVE-2022-46703 (A logic issue was addressed with improved restrictions. This issue is  ...)
@@ -101894,6 +101906,7 @@ CVE-2022-32933 [A website may be able to track the websites a user visited in Sa
 	{DSA-5241-1 DSA-5240-1}
 	- webkit2gtk 2.38.0-1
 	- wpewebkit 2.38.0-1
+	NOTE: https://webkitgtk.org/security/WSA-2023-0010.html
 CVE-2022-32932 (The issue was addressed with improved memory handling. This issue is f ...)
 	NOT-FOR-US: Apple
 CVE-2022-32931
@@ -101927,6 +101940,7 @@ CVE-2022-32919 [Visiting a website that frames malicious content may lead to UI
 	{DSA-5341-1 DSA-5340-1}
 	- webkit2gtk 2.38.4-1
 	- wpewebkit 2.38.4-1
+	NOTE: https://webkitgtk.org/security/WSA-2023-0010.html
 CVE-2022-32918 (This issue was addressed with improved data protection. This issue is  ...)
 	NOT-FOR-US: Apple
 CVE-2022-32917 (The issue was addressed with improved bounds checks. This issue is fix ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -94,6 +94,8 @@ tiff (aron)
 --
 tor
 --
+webkit2gtk (berto)
+--
 xen (jmm)
 --
 zbar



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/da1934120544a2c5aa22d2ecd9a5efa5ba31ded2
