Bug#599830: Multiple security issues

Moritz Muehlenhoff jmm at inutil.org
Thu Oct 28 16:18:29 UTC 2010


On Mon, Oct 18, 2010 at 11:52:40AM -0200, Gustavo Noronha Silva wrote:
> Version: 1.2.5-1
> 
> Hey,
> 
> On Sun, 2010-10-17 at 22:27 +0200, Moritz Muehlenhoff wrote:
> > On Mon, Oct 11, 2010 at 07:50:48PM +0200, Moritz Muehlenhoff wrote:
> > > Package: webkit
> > > Severity: grave
> > > Tags: security
> > > 
> > > The following security issues need to be fixed in Webkit:
> > > 
> > > http://security-tracker.debian.org/tracker/CVE-2010-1807
> > > http://security-tracker.debian.org/tracker/CVE-2010-2646
> > > http://security-tracker.debian.org/tracker/CVE-2010-2651
> > > http://security-tracker.debian.org/tracker/CVE-2010-3115
> > > 
> > > Also, the status of #532514 should finally be resolved
> > > for Squeeze.
> > 
> > People were claiming that Webkit would be more maintainable
> > and supported than the version in Lenny.
> > 
> > Still, there's been no followup from the maintainers for a week.
> 
> I'm kinda busy, sorry. This weekend I worked on packaging 1.2.5 after
> having worked on getting many CVEs handled upstream. Michael Gilbert
> also worked on a few more CVEs for the Debian package. The package I
> finished uploading this morning has the following CVEs handled, from
> upstream:

Thanks for the upload.

There's a huge amount of vulnerabilities which need to be checked
for Webkit on top of these. Shall I open a new bug?

CVE-2009-2068
CVE-2009-3011
CVE-2010-1131
CVE-2010-1384
CVE-2010-1403
CVE-2010-1750
CVE-2010-1757
CVE-2010-1769
CVE-2010-1781
CVE-2010-1783
CVE-2010-1805
CVE-2010-1806
CVE-2010-1823
CVE-2010-1824
CVE-2010-1825
CVE-2010-1992
CVE-2010-2120
CVE-2010-2264
CVE-2010-3246
CVE-2010-3248
CVE-2010-3249
CVE-2010-3252
CVE-2010-3253
CVE-2010-3254
CVE-2010-3255
CVE-2010-3415
CVE-2010-3416
CVE-2010-3730
CVE-2010-4033
CVE-2010-4034
CVE-2010-4035
CVE-2010-4036
CVE-2010-4037
CVE-2010-4038
CVE-2010-4039
CVE-2010-4040
CVE-2010-4041
CVE-2010-4042

It is very important that more people get involved in webkit
maintenance, especially with regard to the backports needed for
Squeeze and given that it represents the web engine for the browser
installed in the standard desktop task. Could you maybe send a RFH
to debian-devel-announce?

How long will the 1.2 branch be supported by upstream?

> About #532514 this is how we generate random numbers (see
> http://trac.webkit.org/browser/trunk/JavaScriptCore/wtf/RandomNumber.cpp#L70):

I will check this in a few days and update the bug accordingly.

Cheers,
        Moritz