[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2024-0001
Alberto Garcia (@berto)
berto at debian.org
Tue Feb 6 18:16:26 GMT 2024
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker
Commits:
d48bae53 by Alberto Garcia at 2024-02-06T19:14:56+01:00
webkit2gtk / wpewebkit upstream advisory WSA-2024-0001
- - - - -
4 changed files:
- data/CVE/list
- data/DLA/list
- data/DSA/list
- data/dsa-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -2773,7 +2773,12 @@ CVE-2024-23224 (The issue was addressed with improved checks. This issue is fixe
CVE-2024-23223 (A privacy issue was addressed with improved handling of files. This is ...)
NOT-FOR-US: Apple
CVE-2024-23222 (A type confusion issue was addressed with improved checks. This issue ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.42.5-1
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ - wpewebkit 2.42.5-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2024-23219 (The issue was addressed with improved authentication. This issue is fi ...)
NOT-FOR-US: Apple
CVE-2024-23218 (A timing side-channel issue was addressed with improvements to constan ...)
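Review bot: webkit2gtk gets no [bullseye] or [bookworm] annotation here, so both stable suites stay tracked as vulnerable pending a DSA, which matches the `webkit2gtk (berto)` entry this commit adds to data/dsa-needed.txt; wpewebkit's `<ignored>` tags for bookworm and bullseye mean no wpewebkit DSA is expected, so the two files agree. The same block is repeated verbatim for CVE-2024-23213 and CVE-2024-23206 below, so any later change to the suite tags needs to be applied to all three.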
@@ -2785,7 +2790,12 @@ CVE-2024-23215 (An issue was addressed with improved handling of temporary files
CVE-2024-23214 (Multiple memory corruption issues were addressed with improved memory ...)
NOT-FOR-US: Apple
CVE-2024-23213 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.42.5-1
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ - wpewebkit 2.42.5-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2024-23212 (The issue was addressed with improved memory handling. This issue is f ...)
NOT-FOR-US: Apple
CVE-2024-23211 (A privacy issue was addressed with improved handling of user preferenc ...)
@@ -2799,7 +2809,12 @@ CVE-2024-23208 (The issue was addressed with improved memory handling. This issu
CVE-2024-23207 (This issue was addressed with improved redaction of sensitive informat ...)
NOT-FOR-US: Apple
CVE-2024-23206 (An access issue was addressed with improved access restrictions. This ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.42.5-1
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ - wpewebkit 2.42.5-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2024-23204 (The issue was addressed with additional permissions checks. This issue ...)
NOT-FOR-US: Apple
CVE-2024-23203 (The issue was addressed with additional permissions checks. This issue ...)
@@ -5034,7 +5049,9 @@ CVE-2023-42865 (An out-of-bounds read was addressed with improved input validati
CVE-2023-42862 (An out-of-bounds read was addressed with improved input validation. Th ...)
NOT-FOR-US: Apple
CVE-2023-42833 (A correctness issue was addressed with improved checks. This issue is ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.38.0-1
+ - wpewebkit 2.38.0-1
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2023-42832 (A race condition was addressed with improved state handling. This issu ...)
NOT-FOR-US: Apple
CVE-2023-42831 (This issue was addressed by removing the vulnerable code. This issue i ...)
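Review bot: CVE-2023-42833 is the one reassigned Apple CVE with no per-suite annotations and an older fixing version (2.38.0-1); that is consistent with the data/DLA/list and data/DSA/list hunks, which add it to DLA-3124-1 (buster 2.38.0-1~deb10u1) and DSA-5240-1/DSA-5241-1 (bullseye 2.38.0-1~deb11u1), so every supported suite already carries the fix. Since those advisories date from September 2022 and the NOTE points at a 2024 advisory, it is worth confirming that WSA-2024-0001 really lists this CVE before the retroactive attribution lands.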
@@ -5072,7 +5089,12 @@ CVE-2023-40433 (A logic issue was addressed with improved checks. This issue is
CVE-2023-40430 (A logic issue was addressed with improved checks. This issue is fixed ...)
NOT-FOR-US: Apple
CVE-2023-40414 (A use-after-free issue was addressed with improved memory management. ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.42.1-1
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ - wpewebkit 2.42.1-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2023-40411 (This issue was addressed with improved data protection. This issue is ...)
NOT-FOR-US: Apple
CVE-2023-40394 (The issue was addressed with improved validation of environment variab ...)
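Review bot: the fixing version 2.42.1-1 for CVE-2023-40414 is exactly what DSA-5527-1 shipped as 2.42.1-1~deb11u1 and 2.42.1-1~deb12u1 in the data/DSA/list hunk, so bullseye and bookworm resolve as fixed without a suite annotation; the [buster] `<end-of-life>` and wpewebkit `<ignored>` tags follow the same pattern as the 2.42.5-1 entries earlier in this file.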
@@ -545421,7 +545443,13 @@ CVE-2014-1746 (The InMemoryUrlProtocol::Read function in media/filters/in_memory
CVE-2014-1745 (Use-after-free vulnerability in the SVG implementation in Blink, as us ...)
{DSA-2939-1}
- chromium-browser 35.0.1916.114-1
+ - webkit2gtk 2.42.0-1
+ - wpewebkit 2.42.0-1
[squeeze] - chromium-browser <end-of-life>
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2014-1744 (Integer overflow in the AudioInputRendererHost::OnCreateStream functio ...)
{DSA-2939-1}
- chromium-browser 35.0.1916.114-1
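Review bot: the two new package lines are inserted between `- chromium-browser 35.0.1916.114-1` and its `[squeeze] - chromium-browser <end-of-life>` annotation, so the chromium record is split and all three packages' suite tags end up grouped at the bottom, whereas every other hunk in this commit keeps each package line directly followed by its own [suite] lines. Consider moving `- webkit2gtk 2.42.0-1` and `- wpewebkit 2.42.0-1` below the squeeze line, or placing the [buster]/[bookworm]/[bullseye] tags immediately after them. A 2014 Blink CVE fixed in webkit2gtk 2.42.0-1 reads oddly on its own, so the NOTE line pointing at WSA-2024-0001 is what justifies the entry and should stay.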
=====================================
data/DLA/list
=====================================
@@ -1829,7 +1829,7 @@
{CVE-2020-25708 CVE-2020-29260}
[buster] - libvncserver 0.9.11+dfsg-1.3+deb10u5
[29 Sep 2022] DLA-3124-1 webkit2gtk - security update
- {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-42863 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+ {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-42863 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833}
[buster] - webkit2gtk 2.38.0-1~deb10u1
[27 Sep 2022] DLA-3123-1 thunderbird - security update
{CVE-2022-3266 CVE-2022-40956 CVE-2022-40957 CVE-2022-40958 CVE-2022-40959 CVE-2022-40960 CVE-2022-40962}
=====================================
data/DSA/list
=====================================
@@ -338,7 +338,7 @@
[12 Oct 2023] DSA-5522-2 tomcat9 - regression update
[bullseye] - tomcat9 9.0.43-2~deb11u8
[12 Oct 2023] DSA-5527-1 webkit2gtk - security update
- {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890}
+ {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890 CVE-2023-40414 CVE-2014-1745}
[bullseye] - webkit2gtk 2.42.1-1~deb11u1
[bookworm] - webkit2gtk 2.42.1-1~deb12u1
[12 Oct 2023] DSA-5526-1 chromium - security update
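Review bot: the two IDs are appended out of order; the existing list is ascending (CVE-2023-32359 through CVE-2023-42890), so CVE-2014-1745 belongs at the front and CVE-2023-40414 before CVE-2023-41074. Also, CVE-2014-1745 in data/CVE/list carries a {DSA-2939-1} cross-reference, but neither it nor CVE-2023-40414 gains a matching {DSA-5527-1} line in that file in this commit; if those cross-references are maintained by hand rather than generated, add them so the two files agree.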
@@ -1276,10 +1276,10 @@
{CVE-2022-29599}
[bullseye] - maven-shared-utils 3.3.0-1+deb11u1
[28 Sep 2022] DSA-5241-1 wpewebkit - security update
- {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+ {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833}
[bullseye] - wpewebkit 2.38.0-1~deb11u1
[28 Sep 2022] DSA-5240-1 webkit2gtk - security update
- {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+ {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833}
[bullseye] - webkit2gtk 2.38.0-1~deb11u1
[27 Sep 2022] DSA-5239-1 gdal - security update
{CVE-2021-45943}
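Review bot: DSA-5240-1 (webkit2gtk) and DSA-5241-1 (wpewebkit) both gain CVE-2023-42833, which matches the 2.38.0-1 fixing version recorded in data/CVE/list and the bullseye 2.38.0-1~deb11u1 binaries listed here; the appended ID also keeps the list in ascending order, so nothing to change in these two hunks.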
=====================================
data/dsa-needed.txt
=====================================
@@ -82,5 +82,7 @@ squid (apo)
--
varnish
--
+webkit2gtk (berto)
+--
zabbix
--
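Review bot: webkit2gtk is slotted alphabetically between varnish and zabbix with the `--` separator the file uses, and the (berto) claim marks the DSA as assigned. wpewebkit is deliberately absent, consistent with its `<ignored>` tags for bullseye and bookworm in data/CVE/list, so no second entry is needed.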
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d48bae53486af61c6a26646f0d3b3156f2a8940a