[Git][security-tracker-team/security-tracker][master] 2 commits: CVE-2023-32409 is fixed in wpewebkit 2.42.0-1
Alberto Garcia (@berto)
berto at debian.org
Thu Sep 28 15:06:06 BST 2023
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker
Commits:
2f32a089 by Alberto Garcia at 2023-09-28T16:05:23+02:00
CVE-2023-32409 is fixed in wpewebkit 2.42.0-1
- - - - -
1fa4a827 by Alberto Garcia at 2023-09-28T16:05:24+02:00
webkit2gtk / wpewebkit upstream advisory WSA-2023-0009
- - - - -
3 changed files:
- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -382,7 +382,10 @@ CVE-2023-41079 (The issue was addressed with improved permissions logic. This is
CVE-2023-41078 (An authorization issue was addressed with improved state management. T ...)
TODO: check
CVE-2023-41074 (The issue was addressed with improved checks. This issue is fixed in t ...)
- TODO: check
+ - webkit2gtk 2.42.0-1
+ - wpewebkit 2.42.0-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ NOTE: https://webkitgtk.org/security/WSA-2023-0009.html
CVE-2023-41073 (An authorization issue was addressed with improved state management. T ...)
TODO: check
CVE-2023-41071 (A use-after-free issue was addressed with improved memory management. ...)
@@ -434,7 +437,10 @@ CVE-2023-40454 (A permissions issue was addressed with additional restrictions.
CVE-2023-40452 (The issue was addressed with improved bounds checks. This issue is fix ...)
TODO: check
CVE-2023-40451 (This issue was addressed with improved iframe sandbox enforcement. Thi ...)
- TODO: check
+ - webkit2gtk 2.40.5-1
+ - wpewebkit 2.40.5-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ NOTE: https://webkitgtk.org/security/WSA-2023-0009.html
CVE-2023-40450 (The issue was addressed with improved checks. This issue is fixed in m ...)
TODO: check
CVE-2023-40448 (The issue was addressed with improved handling of protocols. This issu ...)
@@ -504,7 +510,10 @@ CVE-2023-40384 (A permissions issue was addressed with improved redaction of sen
CVE-2023-40330 (Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Milan Pe ...)
TODO: check
CVE-2023-39434 (A use-after-free issue was addressed with improved memory management. ...)
- TODO: check
+ - webkit2gtk 2.40.5-1
+ - wpewebkit 2.40.5-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ NOTE: https://webkitgtk.org/security/WSA-2023-0009.html
CVE-2023-39233 (The issue was addressed with improved checks. This issue is fixed in m ...)
TODO: check
CVE-2023-38615 (The issue was addressed with improved memory handling. This issue is f ...)
@@ -522,7 +531,10 @@ CVE-2023-35984 (The issue was addressed with improved checks. This issue is fixe
CVE-2023-35793 (An issue was discovered in Cassia Access Controller 2.1.1.2303271039. ...)
TODO: check
CVE-2023-35074 (The issue was addressed with improved memory handling. This issue is f ...)
- TODO: check
+ - webkit2gtk 2.40.0-1
+ - wpewebkit 2.40.2-2
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ NOTE: https://webkitgtk.org/security/WSA-2023-0009.html
CVE-2023-35071 (Improper Neutralization of Special Elements used in an SQL Command ('S ...)
TODO: check
CVE-2023-32421 (A privacy issue was addressed with improved handling of temporary file ...)
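Review bot: In the CVE-2023-35074 entry the two ports are marked fixed at different versions, `webkit2gtk 2.40.0-1` versus `wpewebkit 2.40.2-2`, while every other entry touched by this patch uses the same version for both packages. If 2.40.2-2 is simply the first 2.40.x upload of wpewebkit, a short NOTE line saying so would save the next reader from checking whether one of the two is a typo.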
@@ -1055,7 +1067,10 @@ CVE-2023-42280 (mee-admin 1.5 is vulnerable to Directory Traversal. The download
CVE-2023-42279 (Dreamer CMS 4.1.3 is vulnerable to SQL Injection.)
NOT-FOR-US: Dreamer CMS
CVE-2023-41993 (The issue was addressed with improved checks. This issue is fixed in S ...)
- TODO: check
+ - webkit2gtk 2.42.1-1
+ - wpewebkit 2.42.1-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ NOTE: https://webkitgtk.org/security/WSA-2023-0009.html
CVE-2023-41992 (The issue was addressed with improved checks. This issue is fixed in m ...)
TODO: check
CVE-2023-41991 (A certificate validation issue was addressed. This issue is fixed in m ...)
@@ -1928,6 +1943,11 @@ CVE-2023-3588 (A stored Cross-site Scripting (XSS) vulnerability affecting Teamw
NOT-FOR-US: 3ds
CVE-2023-3280 (A problem with a protection mechanism in the Palo Alto Networks Cortex ...)
NOT-FOR-US: Palo Alto Networks
+CVE-2023-39928 [A malicious web page can cause memory corruption and potentially arbitrary code execution]
+ - webkit2gtk 2.42.0-1
+ - wpewebkit 2.42.0-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ NOTE: https://webkitgtk.org/security/WSA-2023-0009.html
CVE-2023-39916 (NLnet Labs\u2019 Routinator 0.9.0 up to and including 0.12.1 contains ...)
- routinator <itp> (bug #929024)
CVE-2023-39915 (NLnet Labs\u2019 Routinator up to and including version 0.12.1 may cra ...)
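Review bot: The added CVE-2023-39928 line carries a hand-written description in square brackets, where the neighbouring entries have the truncated description in parentheses. If the brackets mark a placeholder until the published description arrives, that is fine; otherwise match the surrounding format. This is also the only entry in the patch that is newly created rather than replacing a `TODO: check`, so it is worth confirming that no other record for this ID already exists in the file.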
@@ -16421,7 +16441,7 @@ CVE-2023-33293 (An issue was discovered in KaiOS 3.0 and 3.1. The binary /system
NOT-FOR-US: KaiOS
CVE-2023-32409 (The issue was addressed with improved bounds checks. This issue is fix ...)
- webkit2gtk 2.42.0-1 (unimportant)
- - wpewebkit <unfixed> (unimportant)
+ - wpewebkit 2.42.0-1 (unimportant)
NOTE: Affects the GPU process which is not supported by the GTK and WPE ports
NOTE: https://bugs.webkit.org/show_bug.cgi?id=255350
NOTE: https://github.com/WebKit/WebKit/pull/12660
=====================================
data/DSA/list
=====================================
@@ -136,7 +136,7 @@
[bullseye] - thunderbird 1:102.14.0-1~deb11u1
[bookworm] - thunderbird 1:102.14.0-1~deb12u1
[05 Aug 2023] DSA-5468-1 webkit2gtk - security update
- {CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594 CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600 CVE-2023-38611 CVE-2023-40397}
+ {CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594 CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600 CVE-2023-38611 CVE-2023-40397 CVE-2023-40451 CVE-2023-39434}
[bullseye] - webkit2gtk 2.40.5-1~deb11u1
[bookworm] - webkit2gtk 2.40.5-1~deb12u1
[04 Aug 2023] DSA-5467-1 chromium - security update
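Review bot: The two IDs appended to the DSA-5468-1 list cover only webkit2gtk, yet data/CVE/list in this same patch also marks CVE-2023-40451 and CVE-2023-39434 as fixed in `wpewebkit 2.40.5-1`; if a wpewebkit DSA shipped 2.40.5, its CVE list needs the same two IDs. The shipped `2.40.5-1~deb11u1` and `2.40.5-1~deb12u1` versions do agree with the fixed version recorded for webkit2gtk. Minor: the list was in ascending order before this change, and placing CVE-2023-39434 ahead of CVE-2023-40397 would keep it that way.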
@@ -383,7 +383,7 @@
{CVE-2022-0108 CVE-2022-32885 CVE-2023-27932 CVE-2023-27954 CVE-2023-28205}
[bullseye] - wpewebkit 2.38.6-1~deb11u1
[03 May 2023] DSA-5396-1 webkit2gtk - security update
- {CVE-2022-0108 CVE-2022-32885 CVE-2023-27932 CVE-2023-27954 CVE-2023-28205 CVE-2023-32393 CVE-2023-32435 CVE-2023-28198 CVE-2023-32370}
+ {CVE-2022-0108 CVE-2022-32885 CVE-2023-27932 CVE-2023-27954 CVE-2023-28205 CVE-2023-32393 CVE-2023-32435 CVE-2023-28198 CVE-2023-32370 CVE-2023-35074}
[bullseye] - webkit2gtk 2.40.1-1~deb11u1
[02 May 2023] DSA-5395-1 nodejs - security update
{CVE-2023-23920}
=====================================
data/dsa-needed.txt
=====================================
@@ -92,5 +92,7 @@ thunderbird (jmm)
--
trafficserver
--
+webkit2gtk
+--
wpewebkit/oldstable
--
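Review bot: The added `webkit2gtk` entry has no suite qualifier, unlike `wpewebkit/oldstable` directly below it, and no note on what the update has to contain. If both stable and oldstable are meant, that is consistent with the CVE entries above, which carry no per-suite line for webkit2gtk; a note under the entry pointing at WSA-2023-0009 would tell whoever claims it which advisory the update must cover.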
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/92650138285a1cedbc364ea121bc8926e0ef66c6...1fa4a8275d94334f4b33763702ba8271d824e65c