Bug 335869 - kde-misc/kwebkitpart (?) or www-browser/rekonq (?) : XSS (CVE-2009-4976)
Summary: kde-misc/kwebkitpart (?) or www-browser/rekonq (?) : XSS (CVE-2009-4976)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
URL: https://bugs.kde.org/show_bug.cgi?id=...
Whiteboard: ~3 [noglsa]
Reported: 2010-09-03 20:49 UTC by Stefan Behte (RETIRED)
Modified: 2011-04-26 03:01 UTC
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 20:49:07 UTC
CVE-2009-4976 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4976):
  Cross-site scripting (XSS) vulnerability in webkitpart.cpp in
  kwebkitpart allows remote attackers to inject arbitrary web script or
  HTML via a URL associated with a nonexistent domain name, related to
  a "universal XSS" issue, a similar vulnerability to CVE-2010-2536.
Comment 1 Andreas K. Hüttel archtester gentoo-dev 2011-03-13 08:58:02 UTC
Not sure if this bug actually applies to the named package kde-misc/kwebkitpart. The kde bug refers to rekonq, which uses webkit via x11-libs/qt-webkit.

According to the kde bug report the problem is fully fixed in rekonq git master since 2011-01-24.

Maybe someone from the kde team more familiar with rekonq should check this.
Comment 2 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2011-03-13 14:02:00 UTC
I am aware of this bug and I am waiting for a new kwebkitpart version.
Comment 3 Theo Chatzimichos (RETIRED) archtester gentoo-dev Security 2011-04-23 10:06:00 UTC
I emailed the kwebkitpart upstream developer today, below is the answer I got:

Hi,

That security bug was fixed over two years ago and the patch is
present in versions going back as far as 0.9. If you are currently
using v0.9 or higher you have nothing to worry about and you can close
your bug report.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2011-04-25 17:18:07 UTC
Thus removing from KDE stable blockers.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2011-04-26 03:01:01 UTC
(In reply to comment #3)
> I emailed the kwebkitpart upstream developer today, below is the answer I got:
> 
> Hi,
> 
> That security bug was fixed over two years ago and the patch is
> present in versions going back as far as 0.9. If you are currently
> using v0.9 or higher you have nothing to worry about and you can close
> your bug report.

Great, thanks. Looks like this might be the rekonq commit:

https://projects.kde.org/projects/extragear/network/rekonq/repository/revisions/1d83ce109628cf28269a849abec9786b9e920c39

Which is much more current than the 0.7.0 release here:

https://projects.kde.org/projects/extragear/network/rekonq/repository/revisions/4ded01a365e72c5a2112c71c451dabd1cf48cd46

Which is also what is in the tree. Close NOGLSA.