[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2025-0004

Alberto Garcia (@berto) berto at debian.org
Thu May 15 12:34:47 BST 2025



Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker


Commits:
15dd824f by Alberto Garcia at 2025-05-15T13:34:21+02:00
webkit2gtk / wpewebkit upstream advisory WSA-2025-0004

- - - - -


3 changed files:

- data/CVE/list
- data/DSA/list
- data/dsa-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -918,7 +918,11 @@ CVE-2025-31259 (The issue was addressed with improved input sanitization. This i
 CVE-2025-31258 (This issue was addressed by removing the vulnerable code. This issue i ...)
 	NOT-FOR-US: Apple
 CVE-2025-31257 (This issue was addressed with improved memory handling. This issue is  ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.48.2-1
+	- wpewebkit 2.48.2-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0004.html
 CVE-2025-31256 (The issue was addressed with improved handling of caches. This issue i ...)
 	NOT-FOR-US: Apple
 CVE-2025-31253 (This issue was addressed through improved state management. This issue ...)
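Review bot: only wpewebkit is tagged for bookworm and bullseye in this hunk; webkit2gtk is deliberately left untagged for both suites, which the tracker will report as open until a DSA lands (the dsa-needed.txt hunk in this commit covers that for bookworm). Worth confirming that 2.48.2-1 is the first Debian upload actually carrying the fix rather than just the version named in WSA-2025-0004, since every one of the six CVE entries in this commit pins the same version and the NOTE cites only the advisory, so a later reader has no way to verify the choice from the entry itself.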
@@ -984,7 +988,11 @@ CVE-2025-31218 (This issue was addressed by removing the vulnerable code. This i
 CVE-2025-31217 (The issue was addressed with improved input validation. This issue is  ...)
 	NOT-FOR-US: Apple
 CVE-2025-31215 (The issue was addressed with improved checks. This issue is fixed in w ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.48.2-1
+	- wpewebkit 2.48.2-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0004.html
 CVE-2025-31214 (This issue was addressed through improved state management. This issue ...)
 	NOT-FOR-US: Apple
 CVE-2025-31213 (A logging issue was addressed with improved data redaction. This issue ...)
@@ -1000,11 +1008,23 @@ CVE-2025-31208 (The issue was addressed with improved checks. This issue is fixe
 CVE-2025-31207 (A logic issue was addressed with improved checks. This issue is fixed  ...)
 	NOT-FOR-US: Apple
 CVE-2025-31206 (A type confusion issue was addressed with improved state handling. Thi ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.48.2-1
+	- wpewebkit 2.48.2-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0004.html
 CVE-2025-31205 (The issue was addressed with improved checks. This issue is fixed in w ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.48.2-1
+	- wpewebkit 2.48.2-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0004.html
 CVE-2025-31204 (The issue was addressed with improved memory handling. This issue is f ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.48.2-1
+	- wpewebkit 2.48.2-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0004.html
 CVE-2025-31196 (An out-of-bounds read was addressed with improved input validation. Th ...)
 	NOT-FOR-US: Apple
 CVE-2025-31195 (The issue was addressed by adding additional logic. This issue is fixe ...)
@@ -1038,7 +1058,11 @@ CVE-2025-24258 (A permissions issue was addressed with additional restrictions.
 CVE-2025-24225 (An injection issue was addressed with improved input validation. This  ...)
 	NOT-FOR-US: Apple
 CVE-2025-24223 (The issue was addressed with improved memory handling. This issue is f ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.48.2-1
+	- wpewebkit 2.48.2-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0004.html
 CVE-2025-24222 (The issue was addressed with improved memory handling. This issue is f ...)
 	NOT-FOR-US: Apple
 CVE-2025-24220 (A permissions issue was addressed with additional restrictions. This i ...)
@@ -10707,13 +10731,21 @@ CVE-2023-42977 (A path handling issue was addressed with improved validation. Th
 CVE-2023-42973 (Private Browsing tabs may be accessed without authentication. This iss ...)
 	NOT-FOR-US: Apple
 CVE-2023-42970 (A use-after-free issue was addressed with improved memory management.  ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.42.0-1
+	- wpewebkit 2.42.0-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0004.html
 CVE-2023-42969 (An app may be able to break out of its sandbox. This issue is fixed in ...)
 	NOT-FOR-US: Apple
 CVE-2023-42961 (A path handling issue was addressed with improved validation. This iss ...)
 	NOT-FOR-US: Apple
 CVE-2023-42875 (Processing web content may lead to arbitrary code execution. This issu ...)
-	NOT-FOR-US: Apple
+	- webkit2gtk 2.42.0-1
+	- wpewebkit 2.42.0-1
+	[bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+	[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+	NOTE: https://webkitgtk.org/security/WSA-2025-0004.html
 CVE-2023-41076 (An app may be able to elevate privileges. This issue is fixed in macOS ...)
 	NOT-FOR-US: Apple
 CVE-2023-38614 (A permissions issue was addressed with additional restrictions. This i ...)
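Review bot: the fixed version 2.42.0-1 does not follow from the cited NOTE, which points at WSA-2025-0004, a 2025 advisory; for two CVE-2023-* IDs attributed retroactively, a second NOTE naming the WebKitGTK release or upstream commit that fixed them would let the 2.42.0-1 choice be verified later. The absence of [bookworm]/[bullseye] lines for webkit2gtk is consistent with the DSA-5527-1 cross-reference being updated in data/DSA/list in the same commit (2.42.1-1~deb11u1 and 2.42.1-1~deb12u1 are newer than 2.42.0-1), so nothing else is needed here.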


=====================================
data/DSA/list
=====================================
@@ -1338,7 +1338,7 @@
 [12 Oct 2023] DSA-5522-2 tomcat9 - regression update
 	[bullseye] - tomcat9 9.0.43-2~deb11u8
 [12 Oct 2023] DSA-5527-1 webkit2gtk - security update
-	{CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890 CVE-2023-40414 CVE-2014-1745}
+	{CVE-2023-42875 CVE-2023-42970 CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890 CVE-2023-40414 CVE-2014-1745}
 	[bullseye] - webkit2gtk 2.42.1-1~deb11u1
 	[bookworm] - webkit2gtk 2.42.1-1~deb12u1
 [12 Oct 2023] DSA-5526-1 chromium - security update
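Review bot: retroactively adding CVE-2023-42875 and CVE-2023-42970 to DSA-5527-1 is consistent with the CVE/list change (fixed in 2.42.0-1, and the 2.42.1-1~deb11u1 / 2.42.1-1~deb12u1 versions on the unchanged lines are newer), but the entry previously recorded only the seven IDs on the removed line, so the tracker's CVE set for this DSA no longer matches what was recorded at publication time. That is the accepted way to handle late CVE assignments; a short NOTE in the CVE/list entries pointing at DSA-5527-1 would save the next person from re-deriving why a 2023 DSA covers IDs first published in a 2025 advisory. The two new IDs are prepended rather than appended, but the existing set is not sorted anyway, so ordering is not an issue.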


=====================================
data/dsa-needed.txt
=====================================
@@ -69,6 +69,8 @@ tcpdf
 --
 thunderbird (jmm)
 --
+webkit2gtk (berto)
+--
 wordpress
 --
 xen
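Review bot: the new webkit2gtk (berto) entry carries no note on the intended bookworm target version, while the CVE/list changes in this commit leave six CVEs open for bookworm webkit2gtk; consider adding the planned version or the WSA reference below the package line so the entry can be checked against CVE/list when the DSA is prepared. Placement between thunderbird and wordpress keeps the file's alphabetical order.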



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/15dd824f8db73c70affe131693bb5b49b9bdfb9d
