http://webkitgtk.org/security/WSA-2015-0002.html CVE identifiers: CVE-2013-6663, CVE-2014-1748, CVE-2014-3192, CVE-2014-4409, CVE-2014-4410, CVE-2014-4411, CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4452, CVE-2014-4459, CVE-2014-4465, CVE-2014-4466, CVE-2014-4468, CVE-2014-4469, CVE-2014-4470, CVE-2014-4471, CVE-2014-4472, CVE-2014-4473, CVE-2014-4474, CVE-2014-4475, CVE-2014-4476, CVE-2014-4477, CVE-2014-4479, CVE-2015-1068, CVE-2015-1069, CVE-2015-1070, CVE-2015-1071, CVE-2015-1072, CVE-2015-1073, CVE-2015-1074, CVE-2015-1075, CVE-2015-1076, CVE-2015-1077, CVE-2015-1080, CVE-2015-1081, CVE-2015-1082, CVE-2015-1083, CVE-2015-1084, CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1124, CVE-2015-1126, CVE-2015-1127, CVE-2015-1152, CVE-2015-1153, CVE-2015-1154, CVE-2015-1155, CVE-2015-1156, CVE-2015-2330, CVE-2015-3658, CVE-2015-3659, CVE-2015-3660, CVE-2015-3727, CVE-2015-3730, CVE-2015-3731, CVE-2015-3732, CVE-2015-3733, CVE-2015-3734, CVE-2015-3735, CVE-2015-3736, CVE-2015-3737, CVE-2015-3738, CVE-2015-3739, CVE-2015-3740, CVE-2015-3741, CVE-2015-3742, CVE-2015-3743, CVE-2015-3744, CVE-2015-3745, CVE-2015-3746, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749, CVE-2015-3750, CVE-2015-3751, CVE-2015-3752, CVE-2015-3753, CVE-2015-3754, CVE-2015-3755, CVE-2015-5788, CVE-2015-5789, CVE-2015-5790, CVE-2015-5791, CVE-2015-5792, CVE-2015-5793, CVE-2015-5794, CVE-2015-5795, CVE-2015-5797, CVE-2015-5798, CVE-2015-5799, CVE-2015-5800, CVE-2015-5801, CVE-2015-5802, CVE-2015-5803, CVE-2015-5804, CVE-2015-5805, CVE-2015-5806, CVE-2015-5807, CVE-2015-5809, CVE-2015-5810, CVE-2015-5811, CVE-2015-5812, CVE-2015-5813, CVE-2015-5814, CVE-2015-5815, CVE-2015-5816, CVE-2015-5817, CVE-2015-5818, CVE-2015-5819, CVE-2015-5822, CVE-2015-5823, CVE-2015-5825, CVE-2015-5826, CVE-2015-5827, CVE-2015-5828, CVE-2015-5928, CVE-2015-5929, CVE-2015-5930, CVE-2015-5931, CVE-2015-7002, CVE-2015-7012, CVE-2015-7013, CVE-2015-7014, CVE-2015-7048, CVE-2015-7095, 
CVE-2015-7097, CVE-2015-7099, CVE-2015-7100, CVE-2015-7102, CVE-2015-7103, CVE-2015-7104.
From a quick read, it looks like 2.8.5 and 2.10.4 are ok.
(In reply to Gilles Dartiguelongue from comment #1)
> From a quick read, looks like 2.8.5 and 2.10.4 is ok.

Under the release section I no longer see the 2.8.x series, so you need to be sure that the recent vulnerabilities do not apply to 2.8.x.
We can work on stabilizing 2.10 if needed; IIRC the required libs are ready to be stabilized.
Yeah, I think there shouldn't be any problems stabilizing 2.10.x on amd64/x86.

The only issue would come later, as we wouldn't be able to easily remove the older versions for alpha/ia64 :S (bug 566270)

Also, how are the old slots affected by this? (-> 2.4.9 version) Per the link, it looks like some are only fixed in newer major versions, but I still see Fedora providing 2.4.9 for the old slots, and they are also concerned about the security issues :/
(In reply to Pacho Ramos from comment #4)
> Yeah, I think there shouldn't be problems for stabilizing 2.10.x on amd64/x86
>
> The only issue would come later as we wouldn't be able to easily remove
> older versions for alpha/ia64 :S (bug 566270)
>
> Also, how are old slots affected by this? (-> 2.4.9 version) Per the link,
> it looks like some are only fixed in newer major versions, but I still see
> Fedora providing 2.4.9 for the old slots and they are also concerned about
> the security issues :/

Better to ask upstream directly.
Looking at: https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/S3VHBCPMPVZ3NBKR7FQZQE6HBUHVEZ3D/

I guess we will finally need to start "pushing" some reverse deps to move away from the old webkit-gtk slots.
Also... per the reports at that link, qtwebkit may also be vulnerable (but it is also ignored by most distributions, as is the case with old webkitgtk).
Part of this (but not all, and not the newest vulnerabilities that landed) was fixed in 2.4.10. So we should stabilize that version to improve the situation over 2.4.9 (even if it's still vulnerable to other bugs).

The versions to stabilize would be 2.4.10 and 2.4.10-r200:
net-libs/webkit-gtk-2.4.10 amd64 x86
net-libs/webkit-gtk-2.4.10-r200 amd64 x86
amd64 stable
x86 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
Added to an existing GLSA Request. Maintainer(s), please drop the vulnerable version(s) once the Dependencies are cleared.
47361 Resolution: --- -> WONTFIX
This issue was resolved and addressed in GLSA 201612-41 at https://security.gentoo.org/glsa/201612-41 by GLSA coordinator Aaron Bauman (b-man).
Reopening for cleanup... almost there on the dependencies :)
Cleanup moved to bug 577068
CVEs updated to reflect the actual vulnerable versions of <2.4.0 by CVE and the https://webkitgtk.org/security/WSA-2015-0002.html advisories. A new GLSA will be released accordingly. The rest of the CVEs will be assigned in a new bug.