[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2024-0002

Alberto Garcia (@berto) berto at debian.org
Tue Mar 26 20:57:50 GMT 2024 


Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker


Commits:
bcbc4812 by Alberto Garcia at 2024-03-26T21:57:24+01:00
webkit2gtk / wpewebkit upstream advisory WSA-2024-0002

- - - - -


2 changed files:

- data/CVE/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -964,8 +964,22 @@ CVE-2024-23494 (SQL injection vulnerability exists in GetDIAE_unListParameters.)
 	NOT-FOR-US: Delta Electronics
 CVE-2024-0957 (The WooCommerce PDF Invoices, Packing Slips, Delivery Notes and Shippi ...)
 	NOT-FOR-US: WordPress plugin
+CVE-2023-42956 [Processing web content may lead to a denial-of-service]
+	- webkit2gtk 2.44.0-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit <unfixed>
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0002.html
 CVE-2023-42954 (A privilege escalation issue existed in FileMaker Server, potentially  ...)
 	NOT-FOR-US: Claris FileMaker Server
+CVE-2023-42950 [Processing maliciously crafted web content may lead to arbitrary code execution]
+	- webkit2gtk 2.44.0-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit <unfixed>
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0002.html
 CVE-2024-2742 (Operating system command injection vulnerability in Planet IGS-4215-16 ...)
 	NOT-FOR-US: Planet IGS-4215-16T2S
 CVE-2024-2741 (Cross-Site Request Forgery (CSRF) vulnerability in Planet IGS-4215-16T ...)
@@ -4342,13 +4356,23 @@ CVE-2024-23286 (A buffer overflow issue was addressed with improved memory handl
 CVE-2024-23285 (This issue was addressed with improved handling of symlinks. This issu ...)
 	NOT-FOR-US: Apple
 CVE-2024-23284 (A logic issue was addressed with improved state management. This issue ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.44.0-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit <unfixed>
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0002.html
 CVE-2024-23283 (A privacy issue was addressed with improved private data redaction for ...)
 	NOT-FOR-US: Apple
 CVE-2024-23281 (This issue was addressed with improved state management. This issue is ...)
 	NOT-FOR-US: Apple
 CVE-2024-23280 (An injection issue was addressed with improved validation. This issue  ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.44.0-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit <unfixed>
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0002.html
 CVE-2024-23279 (A privacy issue was addressed with improved private data redaction for ...)
 	NOT-FOR-US: Apple
 CVE-2024-23278 (The issue was addressed with improved checks. This issue is fixed in m ...)
@@ -4380,7 +4404,12 @@ CVE-2024-23265 (A memory corruption vulnerability was addressed with improved lo
 CVE-2024-23264 (A validation issue was addressed with improved input sanitization. Thi ...)
 	NOT-FOR-US: Apple
 CVE-2024-23263 (A logic issue was addressed with improved validation. This issue is fi ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.44.0-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit <unfixed>
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0002.html
 CVE-2024-23262 (This issue was addressed with additional entitlement checks. This issu ...)
 	NOT-FOR-US: Apple
 CVE-2024-23260 (This issue was addressed by removing additional entitlements. This iss ...)
@@ -4394,12 +4423,21 @@ CVE-2024-23257 (The issue was addressed with improved memory handling. This issu
 CVE-2024-23255 (An authentication issue was addressed with improved state management.  ...)
 	NOT-FOR-US: Apple
 CVE-2024-23254 (The issue was addressed with improved UI handling. This issue is fixed ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.44.0-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit <unfixed>
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0002.html
 CVE-2024-23253 (A permissions issue was addressed with additional restrictions. This i ...)
 	NOT-FOR-US: Apple
 CVE-2024-23252
-	REJECTED
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.44.0-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit <unfixed>
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0002.html
 CVE-2024-23250 (An access issue was addressed with improved access restrictions. This  ...)
 	NOT-FOR-US: Apple
 CVE-2024-23249 (The issue was addressed with improved memory handling. This issue is f ...)
@@ -9024,7 +9062,12 @@ CVE-2023-42853 (A logic issue was addressed with improved checks. This issue is
 CVE-2023-42848 (The issue was addressed with improved bounds checks. This issue is fix ...)
 	NOT-FOR-US: Apple
 CVE-2023-42843 (An inconsistent user interface issue was addressed with improved state ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.44.0-1
+	[buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+	- wpewebkit <unfixed>
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2024-0002.html
 CVE-2023-42840 (The issue was addressed with improved checks. This issue is fixed in m ...)
 	NOT-FOR-US: Apple
 CVE-2023-42839 (This issue was addressed with improved state management. This issue is ...)


=====================================
data/dsa-needed.txt
=====================================
@@ -98,6 +98,8 @@ squid
 --
 varnish
 --
+webkit2gtk (berto)
+--
 wpa
 --
 zabbix



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcbc48122cd575b0d938c82183ab1e8b384bf5d1

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/bcbc48122cd575b0d938c82183ab1e8b384bf5d1
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20240326/155a4a16/attachment-0001.htm>

More information about the debian-security-tracker-commits mailing list