[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2024-0001

Alberto Garcia (@berto) berto at debian.org
Tue Feb 6 18:16:26 GMT 2024



Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker


Commits:
d48bae53 by Alberto Garcia at 2024-02-06T19:14:56+01:00
webkit2gtk / wpewebkit upstream advisory WSA-2024-0001

- - - - -


4 changed files:

- data/CVE/list
- data/DLA/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -2773,7 +2773,12 @@ CVE-2024-23224 (The issue was addressed with improved checks. This issue is fixe
 CVE-2024-23223 (A privacy issue was addressed with improved handling of files. This is ...)
 	NOT-FOR-US: Apple
 CVE-2024-23222 (A type confusion issue was addressed with improved checks. This issue  ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.42.5-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit 2.42.5-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
 CVE-2024-23219 (The issue was addressed with improved authentication. This issue is fi ...)
 	NOT-FOR-US: Apple
 CVE-2024-23218 (A timing side-channel issue was addressed with improvements to constan ...)
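Review bot: the new annotation lines for CVE-2024-23222 cover buster (end-of-life) and wpewebkit in bookworm/bullseye, but there is no [bullseye] or [bookworm] line for webkit2gtk itself, so the tracker will list both stable suites as vulnerable until an update ships; that is consistent with the `webkit2gtk (berto)` entry added to data/dsa-needed.txt in this same commit, and the fixed version 2.42.5-1 should match the unstable upload that closes it. The same five-line block is repeated verbatim for CVE-2024-23213 and CVE-2024-23206 below.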
@@ -2785,7 +2790,12 @@ CVE-2024-23215 (An issue was addressed with improved handling of temporary files
 CVE-2024-23214 (Multiple memory corruption issues were addressed with improved memory  ...)
 	NOT-FOR-US: Apple
 CVE-2024-23213 (The issue was addressed with improved memory handling. This issue is f ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.42.5-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit 2.42.5-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
 CVE-2024-23212 (The issue was addressed with improved memory handling. This issue is f ...)
 	NOT-FOR-US: Apple
 CVE-2024-23211 (A privacy issue was addressed with improved handling of user preferenc ...)
@@ -2799,7 +2809,12 @@ CVE-2024-23208 (The issue was addressed with improved memory handling. This issu
 CVE-2024-23207 (This issue was addressed with improved redaction of sensitive informat ...)
 	NOT-FOR-US: Apple
 CVE-2024-23206 (An access issue was addressed with improved access restrictions. This  ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.42.5-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit 2.42.5-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
 CVE-2024-23204 (The issue was addressed with additional permissions checks. This issue ...)
 	NOT-FOR-US: Apple
 CVE-2024-23203 (The issue was addressed with additional permissions checks. This issue ...)
@@ -5034,7 +5049,9 @@ CVE-2023-42865 (An out-of-bounds read was addressed with improved input validati
 CVE-2023-42862 (An out-of-bounds read was addressed with improved input validation. Th ...)
 	NOT-FOR-US: Apple
 CVE-2023-42833 (A correctness issue was addressed with improved checks. This issue is  ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.38.0-1
+	- wpewebkit 2.38.0-1
+	NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
 CVE-2023-42832 (A race condition was addressed with improved state handling. This issu ...)
 	NOT-FOR-US: Apple
 CVE-2023-42831 (This issue was addressed by removing the vulnerable code. This issue i ...)
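Review bot: CVE-2023-42833 is recorded as fixed in webkit2gtk/wpewebkit 2.38.0-1 and this commit also appends it to DLA-3124-1, DSA-5240-1 and DSA-5241-1, yet the entry gets no `{DLA-3124-1 DSA-5240-1 DSA-5241-1}` cross-reference line of the kind CVE-2014-1745 carries (`{DSA-2939-1}`); unless those references are regenerated automatically, add the line so the advisory links appear on the CVE page. No [buster]/[bullseye] annotations are needed here, since the amended advisories already record 2.38.0-1~deb10u1 and 2.38.0-1~deb11u1 for those suites.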
@@ -5072,7 +5089,12 @@ CVE-2023-40433 (A logic issue was addressed with improved checks. This issue is
 CVE-2023-40430 (A logic issue was addressed with improved checks. This issue is fixed  ...)
 	NOT-FOR-US: Apple
 CVE-2023-40414 (A use-after-free issue was addressed with improved memory management.  ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.42.1-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit 2.42.1-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
 CVE-2023-40411 (This issue was addressed with improved data protection. This issue is  ...)
 	NOT-FOR-US: Apple
 CVE-2023-40394 (The issue was addressed with improved validation of environment variab ...)
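Review bot: CVE-2023-40414 is marked fixed in 2.42.1-1 and is added to DSA-5527-1 (2.42.1-1~deb11u1 / 2.42.1-1~deb12u1) in this commit, but no `{DSA-5527-1}` cross-reference line is added to the entry; add it unless the references are regenerated. The [buster], [bookworm] and [bullseye] wpewebkit annotations match the other WSA-2024-0001 entries above.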
@@ -545421,7 +545443,13 @@ CVE-2014-1746 (The InMemoryUrlProtocol::Read function in media/filters/in_memory
 CVE-2014-1745 (Use-after-free vulnerability in the SVG implementation in Blink, as us ...)
 	{DSA-2939-1}
 	- chromium-browser 35.0.1916.114-1
+	- webkit2gtk 2.42.0-1
+	- wpewebkit 2.42.0-1
 	[squeeze] - chromium-browser <end-of-life>
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
 CVE-2014-1744 (Integer overflow in the AudioInputRendererHost::OnCreateStream functio ...)
 	{DSA-2939-1}
 	- chromium-browser 35.0.1916.114-1
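Review bot: the added lines are interleaved with the chromium-browser ones, so `[squeeze] - chromium-browser <end-of-life>` now sits between the webkit2gtk/wpewebkit package lines and their suite annotations; keeping the two webkit package lines and their three annotations together after the chromium lines would make the entry easier to read. Also, this CVE is added to DSA-5527-1 in the same commit, so its `{DSA-2939-1}` line should gain `DSA-5527-1`; the recorded fixed version 2.42.0-1 is older than the 2.42.1-1~deb11u1 / ~deb12u1 the DSA shipped, which is fine.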


=====================================
data/DLA/list
=====================================
@@ -1829,7 +1829,7 @@
 	{CVE-2020-25708 CVE-2020-29260}
 	[buster] - libvncserver 0.9.11+dfsg-1.3+deb10u5
 [29 Sep 2022] DLA-3124-1 webkit2gtk - security update
-	{CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-42863 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+	{CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-42863 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833}
 	[buster] - webkit2gtk 2.38.0-1~deb10u1
 [27 Sep 2022] DLA-3123-1 thunderbird - security update
 	{CVE-2022-3266 CVE-2022-40956 CVE-2022-40957 CVE-2022-40958 CVE-2022-40959 CVE-2022-40960 CVE-2022-40962}


=====================================
data/DSA/list
=====================================
@@ -338,7 +338,7 @@
 [12 Oct 2023] DSA-5522-2 tomcat9 - regression update
 	[bullseye] - tomcat9 9.0.43-2~deb11u8
 [12 Oct 2023] DSA-5527-1 webkit2gtk - security update
-	{CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890}
+	{CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890 CVE-2023-40414 CVE-2014-1745}
 	[bullseye] - webkit2gtk 2.42.1-1~deb11u1
 	[bookworm] - webkit2gtk 2.42.1-1~deb12u1
 [12 Oct 2023] DSA-5526-1 chromium - security update
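Review bot: the CVE list on DSA-5527-1 was in ascending order and the two appended IDs break it (CVE-2023-40414 after CVE-2023-42890, then CVE-2014-1745 at the end); re-sort it as `{CVE-2014-1745 CVE-2023-32359 CVE-2023-39928 CVE-2023-40414 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890}`, which matches how CVE-2023-42833 is appended in order to DSA-5240-1 and DSA-5241-1 further down in this commit.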
@@ -1276,10 +1276,10 @@
 	{CVE-2022-29599}
 	[bullseye] - maven-shared-utils 3.3.0-1+deb11u1
 [28 Sep 2022] DSA-5241-1 wpewebkit - security update
-	{CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+	{CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833}
 	[bullseye] - wpewebkit 2.38.0-1~deb11u1
 [28 Sep 2022] DSA-5240-1 webkit2gtk - security update
-	{CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+	{CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833}
 	[bullseye] - webkit2gtk 2.38.0-1~deb11u1
 [27 Sep 2022] DSA-5239-1 gdal - security update
 	{CVE-2021-45943}


=====================================
data/dsa-needed.txt
=====================================
@@ -82,5 +82,7 @@ squid (apo)
 --
 varnish
 --
+webkit2gtk (berto)
+--
 zabbix
 --
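Review bot: only webkit2gtk is queued here, not wpewebkit, which is consistent with the `[bookworm] - wpewebkit <ignored>` and `[bullseye] - wpewebkit <ignored>` annotations added to data/CVE/list; the alphabetical placement between varnish and zabbix is right.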



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/d48bae53486af61c6a26646f0d3b3156f2a8940a
