[Git][security-tracker-team/security-tracker][master] webkit2gtk / wpewebkit upstream advisory WSA-2026-0001
Alberto Garcia (@berto)
berto at debian.org
Fri Mar 20 22:50:56 GMT 2026
Alberto Garcia pushed to branch master at Debian Security Tracker / security-tracker
Commits:
a9e017fb by Alberto Garcia at 2026-03-20T23:50:27+01:00
webkit2gtk / wpewebkit upstream advisory WSA-2026-0001
- - - - -
2 changed files:
- data/CVE/list
- data/DSA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -3823,7 +3823,12 @@ CVE-2025-15038 (An Out-of-Bounds Read vulnerability exists in the ASUS Business
CVE-2025-15037 (An Incorrect Permission Assignment vulnerability exists in the ASUS Bu ...)
NOT-FOR-US: ASUS
CVE-2023-43010 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.44.0-1
+ - wpewebkit 2.44.1-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2026-2436
- libsoup3 <unfixed> (bug #1130498)
[trixie] - libsoup3 <no-dsa> (Minor issue)
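Review bot: The fixed versions recorded for CVE-2023-43010 differ between the two packages ("- webkit2gtk 2.44.0-1" but "- wpewebkit 2.44.1-1"), whereas every other fixed entry in this commit gives both packages the same upstream version. If the difference is deliberate, for example because there was no wpewebkit 2.44.0 upload, a one-line NOTE saying so would save the next reader from re-checking; otherwise align the two.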
@@ -15971,7 +15976,12 @@ CVE-2026-20678 (An authorization issue was addressed with improved state managem
CVE-2026-20677 (A race condition was addressed with improved handling of symbolic link ...)
NOT-FOR-US: Apple
CVE-2026-20676 (This issue was addressed through improved state management. This issue ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.6-1
+ - wpewebkit 2.50.6-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2026-20675 (The issue was addressed with improved bounds checks. This issue is fix ...)
NOT-FOR-US: Apple
CVE-2026-20674 (A privacy issue was addressed by removing sensitive data. This issue i ...)
@@ -16005,7 +16015,12 @@ CVE-2026-20654 (The issue was addressed with improved memory handling. This issu
CVE-2026-20653 (A parsing issue in the handling of directory paths was addressed with ...)
NOT-FOR-US: Apple
CVE-2026-20652 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.6-1
+ - wpewebkit 2.50.6-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2026-20650 (A denial-of-service issue was addressed with improved validation. This ...)
NOT-FOR-US: Apple
CVE-2026-20649 (A logging issue was addressed with improved data redaction. This issue ...)
@@ -16019,7 +16034,12 @@ CVE-2026-20646 (A logging issue was addressed with improved data redaction. This
CVE-2026-20645 (An inconsistent user interface issue was addressed with improved state ...)
NOT-FOR-US: Apple
CVE-2026-20644 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.6-1
+ - wpewebkit 2.50.6-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2026-20642 (An input validation issue was addressed. This issue is fixed in iOS 26 ...)
NOT-FOR-US: Apple
CVE-2026-20641 (A privacy issue was addressed with improved checks. This issue is fixe ...)
@@ -16029,9 +16049,19 @@ CVE-2026-20640 (An inconsistent user interface issue was addressed with improved
CVE-2026-20638 (A logic issue was addressed with improved checks. This issue is fixed ...)
NOT-FOR-US: Apple
CVE-2026-20636 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.6-1
+ - wpewebkit 2.50.6-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2026-20635 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.6-1
+ - wpewebkit 2.50.6-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2026-20634 (The issue was addressed with improved memory handling. This issue is f ...)
NOT-FOR-US: Apple
CVE-2026-20630 (A permissions issue was addressed with additional restrictions. This i ...)
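Review bot: CVE-2026-20636 and CVE-2026-20635 are marked fixed in webkit2gtk 2.50.6-1, but the data/DSA/list part of this commit only extends DSA-6070-1, DSA-6042-1 and DSA-5684-1, whose stable uploads are 2.50.2-1, 2.50.1-1 and 2.44.1-1 based. None of the CVEs given 2.50.6-1 or 2.50.5-1 in this commit is attached to a DSA, so check whether a stable update carrying those versions exists or is planned and, if it does, list these ids under it so bookworm and trixie are not left looking open.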
@@ -16075,7 +16105,12 @@ CVE-2026-20610 (This issue was addressed with improved handling of symlinks. Thi
CVE-2026-20609 (The issue was addressed with improved memory handling. This issue is f ...)
NOT-FOR-US: Apple
CVE-2026-20608 (This issue was addressed through improved state management. This issue ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.6-1
+ - wpewebkit 2.50.6-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2026-20606 (This issue was addressed by removing the vulnerable code. This issue i ...)
NOT-FOR-US: Apple
CVE-2026-20605 (The issue was addressed with improved memory handling. This issue is f ...)
@@ -29232,7 +29267,12 @@ CVE-2025-59057 (React Router is a router for React. In @remix-run/react versions
CVE-2025-51626 (SQL injection vulnerability in pss.sale.com 1.0 via the id parameter t ...)
NOT-FOR-US: pss.sale.com
CVE-2025-46299 (A memory initialization issue was addressed with improved memory handl ...)
- NOT-FOR-US: Apple
+ - webkit2gtk <unfixed>
+ - wpewebkit <unfixed>
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2025-46298 (The issue was addressed with improved memory handling. This issue is f ...)
NOT-FOR-US: Apple
CVE-2025-46297 (A permissions issue was addressed with additional restrictions. This i ...)
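Review bot: CVE-2025-46299 is the only entry in this commit left at "<unfixed>" for both packages, and its sole NOTE is the advisory URL, so a reader cannot tell from the entry whether an upstream fix exists yet or which release will carry it. Add a NOTE with the upstream fixed version or the state of the fix, and a bug reference if one is filed, as the libsoup3 entry in the first hunk does with "(bug #1130498)".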
@@ -41748,7 +41788,12 @@ CVE-2025-43513 (A permissions issue was addressed by removing the vulnerable cod
CVE-2025-43512 (A logic issue was addressed with improved checks. This issue is fixed ...)
NOT-FOR-US: Apple
CVE-2025-43511 (A use-after-free issue was addressed with improved memory management. ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.5-1
+ - wpewebkit 2.50.5-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2025-43510 (A memory corruption issue was addressed with improved lock state check ...)
NOT-FOR-US: Apple
CVE-2025-43509 (This issue was addressed with improved data protection. This issue is ...)
@@ -55166,7 +55211,12 @@ CVE-2025-43458 (This issue was addressed through improved state management. This
[bullseye] - wpewebkit <end-of-life> (see #1035997)
NOTE: https://webkitgtk.org/security/WSA-2025-0009.html
CVE-2025-43457 (A use-after-free issue was addressed with improved memory management. ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.6-1
+ - wpewebkit 2.50.6-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2025-43455 (A privacy issue was addressed with improved checks. This issue is fixe ...)
NOT-FOR-US: Apple
CVE-2025-43454 (This issue was addressed through improved state management. This issue ...)
@@ -55198,7 +55248,12 @@ CVE-2025-43443 (This issue was addressed with improved checks. This issue is fix
CVE-2025-43442 (A permissions issue was addressed with additional restrictions. This i ...)
NOT-FOR-US: Apple
CVE-2025-43441 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.2-1
+ - wpewebkit 2.50.2-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2025-43440 (This issue was addressed with improved checks This issue is fixed in t ...)
{DSA-6070-1 DLA-4394-1}
- webkit2gtk 2.50.2-1
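Review bot: The new CVE-2025-43441 block has no "{DSA-6070-1 DLA-4394-1}" cross-reference line, unlike CVE-2025-43440 directly below it, even though this commit adds CVE-2025-43441 to DSA-6070-1 in data/DSA/list. If the cross-references are regenerated by tooling this is fine; if not, add the line here and to the CVE-2025-43438 and CVE-2025-43433 blocks so the two files agree.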
@@ -55210,7 +55265,12 @@ CVE-2025-43440 (This issue was addressed with improved checks This issue is fixe
CVE-2025-43439 (A privacy issue was addressed by removing sensitive data. This issue i ...)
NOT-FOR-US: Apple
CVE-2025-43438 (A use-after-free issue was addressed with improved memory management. ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.2-1
+ - wpewebkit 2.50.2-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2025-43436 (A permissions issue was addressed with additional restrictions. This i ...)
NOT-FOR-US: Apple
CVE-2025-43435 (The issue was addressed with improved memory handling. This issue is f ...)
@@ -55224,7 +55284,12 @@ CVE-2025-43434 (A use-after-free issue was addressed with improved memory manage
[bullseye] - wpewebkit <end-of-life> (see #1035997)
NOTE: https://webkitgtk.org/security/WSA-2025-0008.html
CVE-2025-43433 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.2-1
+ - wpewebkit 2.50.2-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2025-43432 (A use-after-free issue was addressed with improved memory management. ...)
{DSA-6070-1 DLA-4394-1}
- webkit2gtk 2.50.2-1
@@ -89011,9 +89076,19 @@ CVE-2025-43216 (A use-after-free issue was addressed with improved memory manage
CVE-2025-43215 (The issue was addressed with improved checks. This issue is fixed in m ...)
NOT-FOR-US: Apple
CVE-2025-43214 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.5-1
+ - wpewebkit 2.50.5-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2025-43213 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.5-1
+ - wpewebkit 2.50.5-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2025-43212 (The issue was addressed with improved memory handling. This issue is f ...)
{DSA-5978-1 DLA-4276-1}
- webkit2gtk 2.48.5-1
@@ -89079,7 +89154,12 @@ CVE-2025-31278 (The issue was addressed with improved memory handling. This issu
[bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
NOTE: https://webkitgtk.org/security/WSA-2025-0005.html
CVE-2025-31277 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.0-1
+ - wpewebkit 2.50.0-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2025-31276 (This issue was addressed through improved state management. This issue ...)
NOT-FOR-US: Apple
CVE-2025-31275 (A permissions issue was addressed with additional restrictions. This i ...)
@@ -113186,7 +113266,12 @@ CVE-2025-31225 (A privacy issue was addressed by removing sensitive data. This i
CVE-2025-31224 (A logic issue was addressed with improved checks. This issue is fixed ...)
NOT-FOR-US: Apple
CVE-2025-31223 (The issue was addressed with improved checks. This issue is fixed in w ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.50.0-1
+ - wpewebkit 2.50.0-1
+ [trixie] - wpewebkit <ignored> (wpewebkit not covered by security support in Trixie)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <end-of-life> (see #1035997)
+ NOTE: https://webkitgtk.org/security/WSA-2026-0001.html
CVE-2025-31222 (A correctness issue was addressed with improved checks. This issue is ...)
NOT-FOR-US: Apple
CVE-2025-31221 (An integer overflow was addressed with improved input validation. This ...)
=====================================
data/DSA/list
=====================================
@@ -365,7 +365,7 @@
{CVE-2025-11411}
[trixie] - unbound 1.22.0-2+deb13u1
[04 Dec 2025] DSA-6070-1 webkit2gtk - security update
- {CVE-2025-13502 CVE-2025-43392 CVE-2025-43425 CVE-2025-43427 CVE-2025-43429 CVE-2025-43430 CVE-2025-43431 CVE-2025-43432 CVE-2025-43434 CVE-2025-43440 CVE-2025-43443}
+ {CVE-2025-13502 CVE-2025-43392 CVE-2025-43425 CVE-2025-43427 CVE-2025-43429 CVE-2025-43430 CVE-2025-43431 CVE-2025-43432 CVE-2025-43434 CVE-2025-43440 CVE-2025-43443 CVE-2025-43441 CVE-2025-43438 CVE-2025-43433}
[bookworm] - webkit2gtk 2.50.2-1~deb12u1
[trixie] - webkit2gtk 2.50.2-1~deb13u1
[03 Dec 2025] DSA-6069-1 openvpn - security update
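Review bot: Only DSA-6070-1 gains CVE-2025-43441, CVE-2025-43438 and CVE-2025-43433 here, yet the data/CVE/list context lines show DSA-6070-1 paired with DLA-4394-1 on the neighbouring webkit2gtk CVEs (CVE-2025-43440, CVE-2025-43432). data/DLA/list is not among the two changed files, so check whether the same three ids also belong under DLA-4394-1.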
@@ -469,7 +469,7 @@
{CVE-2025-2760 CVE-2025-6035 CVE-2025-10922}
[bookworm] - gimp 2.10.34-1+deb12u4
[28 Oct 2025] DSA-6042-1 webkit2gtk - security update
- {CVE-2025-43272 CVE-2025-43342 CVE-2025-43343 CVE-2025-43356 CVE-2025-43368 CVE-2025-43419}
+ {CVE-2025-43272 CVE-2025-43342 CVE-2025-43343 CVE-2025-43356 CVE-2025-43368 CVE-2025-43419 CVE-2025-31277 CVE-2025-31223}
[bookworm] - webkit2gtk 2.50.1-1~deb12u1
[trixie] - webkit2gtk 2.50.1-1~deb13u1
[27 Oct 2025] DSA-6041-1 strongswan - security update
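Review bot: CVE-2025-31277 and CVE-2025-31223 are appended after CVE-2025-43419, which breaks the ascending order the existing list had; the same happens with the ids appended in the DSA-6070-1 and DSA-5684-1 hunks. Inserting new ids at their sorted position keeps these long single-line lists easier to scan and makes later diffs of them smaller.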
@@ -1648,7 +1648,7 @@
[bullseye] - wordpress 5.7.11+dfsg1-0+deb11u1
[bookworm] - wordpress 6.1.6+dfsg1-0+deb12u1
[09 May 2024] DSA-5684-1 webkit2gtk - security update
- {CVE-2023-42843 CVE-2023-42950 CVE-2023-42956 CVE-2024-23254 CVE-2024-23263 CVE-2024-23280 CVE-2024-23284 CVE-2024-54658}
+ {CVE-2023-42843 CVE-2023-42950 CVE-2023-42956 CVE-2024-23254 CVE-2024-23263 CVE-2024-23280 CVE-2024-23284 CVE-2024-54658 CVE-2023-43010}
[bullseye] - webkit2gtk 2.44.1-1~deb11u1
[bookworm] - webkit2gtk 2.44.1-1~deb12u1
[08 May 2024] DSA-5683-1 chromium - security update
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/a9e017fb33149febe8ac7c9e1dae80a4571607a8