Bug 570034 (CVE-2014-4412, CVE-2014-4413, CVE-2014-4414) - <net-libs/webkit-gtk-{2.4.10,2.4.10-r200}: Multiple vulnerabilities
Summary: <net-libs/webkit-gtk-{2.4.10,2.4.10-r200}: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2014-4412, CVE-2014-4413, CVE-2014-4414
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://webkitgtk.org/security/WSA-201...
Whiteboard: B2 [glsa cve]
Reported: 2015-12-28 21:11 UTC by Manuel Rüger (RETIRED)
Modified: 2016-12-13 12:56 UTC
Description Manuel Rüger (RETIRED) gentoo-dev 2015-12-28 21:11:55 UTC
http://webkitgtk.org/security/WSA-2015-0002.html

CVE identifiers: CVE-2013-6663, CVE-2014-1748, CVE-2014-3192, CVE-2014-4409, CVE-2014-4410, CVE-2014-4411, CVE-2014-4412, CVE-2014-4413, CVE-2014-4414, CVE-2014-4452, CVE-2014-4459, CVE-2014-4465, CVE-2014-4466, CVE-2014-4468, CVE-2014-4469, CVE-2014-4470, CVE-2014-4471, CVE-2014-4472, CVE-2014-4473, CVE-2014-4474, CVE-2014-4475, CVE-2014-4476, CVE-2014-4477, CVE-2014-4479, CVE-2015-1068, CVE-2015-1069, CVE-2015-1070, CVE-2015-1071, CVE-2015-1072, CVE-2015-1073, CVE-2015-1074, CVE-2015-1075, CVE-2015-1076, CVE-2015-1077, CVE-2015-1080, CVE-2015-1081, CVE-2015-1082, CVE-2015-1083, CVE-2015-1084, CVE-2015-1119, CVE-2015-1120, CVE-2015-1121, CVE-2015-1122, CVE-2015-1124, CVE-2015-1126, CVE-2015-1127, CVE-2015-1152, CVE-2015-1153, CVE-2015-1154, CVE-2015-1155, CVE-2015-1156, CVE-2015-2330, CVE-2015-3658, CVE-2015-3659, CVE-2015-3660, CVE-2015-3727, CVE-2015-3730, CVE-2015-3731, CVE-2015-3732, CVE-2015-3733, CVE-2015-3734, CVE-2015-3735, CVE-2015-3736, CVE-2015-3737, CVE-2015-3738, CVE-2015-3739, CVE-2015-3740, CVE-2015-3741, CVE-2015-3742, CVE-2015-3743, CVE-2015-3744, CVE-2015-3745, CVE-2015-3746, CVE-2015-3747, CVE-2015-3748, CVE-2015-3749, CVE-2015-3750, CVE-2015-3751, CVE-2015-3752, CVE-2015-3753, CVE-2015-3754, CVE-2015-3755, CVE-2015-5788, CVE-2015-5789, CVE-2015-5790, CVE-2015-5791, CVE-2015-5792, CVE-2015-5793, CVE-2015-5794, CVE-2015-5795, CVE-2015-5797, CVE-2015-5798, CVE-2015-5799, CVE-2015-5800, CVE-2015-5801, CVE-2015-5802, CVE-2015-5803, CVE-2015-5804, CVE-2015-5805, CVE-2015-5806, CVE-2015-5807, CVE-2015-5809, CVE-2015-5810, CVE-2015-5811, CVE-2015-5812, CVE-2015-5813, CVE-2015-5814, CVE-2015-5815, CVE-2015-5816, CVE-2015-5817, CVE-2015-5818, CVE-2015-5819, CVE-2015-5822, CVE-2015-5823, CVE-2015-5825, CVE-2015-5826, CVE-2015-5827, CVE-2015-5828, CVE-2015-5928, CVE-2015-5929, CVE-2015-5930, CVE-2015-5931, CVE-2015-7002, CVE-2015-7012, CVE-2015-7013, CVE-2015-7014, CVE-2015-7048, CVE-2015-7095, CVE-2015-7097, CVE-2015-7099, CVE-2015-7100, CVE-2015-7102, CVE-2015-7103, CVE-2015-7104.
Comment 1 Gilles Dartiguelongue (RETIRED) gentoo-dev 2015-12-28 21:56:18 UTC
From a quick read, looks like 2.8.5 and 2.10.4 are ok.
Comment 2 Agostino Sarubbo gentoo-dev 2015-12-29 07:50:44 UTC
(In reply to Gilles Dartiguelongue from comment #1)
> From a quick read, looks like 2.8.5 and 2.10.4 are ok.

Under the release section I don't see the 2.8.x series anymore.
So you need to be sure that the recent vulnerabilities do not apply to 2.8.x.
Comment 3 Gilles Dartiguelongue (RETIRED) gentoo-dev 2015-12-29 07:59:14 UTC
We can work on stabilizing 2.10 if needed; IIRC the required libs are ready to be stabilized.
Comment 4 Pacho Ramos gentoo-dev 2015-12-29 12:44:07 UTC
Yeah, I think there shouldn't be problems stabilizing 2.10.x on amd64/x86.

The only issue would come later as we wouldn't be able to easily remove older versions for alpha/ia64 :S (bug 566270)

Also, how are old slots affected by this? (-> 2.4.9 version) Per the link, it looks like some are only fixed in newer major versions, but I still see Fedora providing 2.4.9 for the old slots and they are also concerned about the security issues :/
Comment 5 Agostino Sarubbo gentoo-dev 2015-12-29 15:38:09 UTC
(In reply to Pacho Ramos from comment #4)
> Yeah, I think there shouldn't be problems stabilizing 2.10.x on amd64/x86.
> 
> The only issue would come later as we wouldn't be able to easily remove
> older versions for alpha/ia64 :S (bug 566270)
> 
> Also, how are old slots affected by this? (-> 2.4.9 version) Per the link,
> it looks like some are only fixed in newer major versions, but I still see
> Fedora providing 2.4.9 for the old slots and they are also concerned about
> the security issues :/

Better to ask upstream directly.
Comment 6 Pacho Ramos gentoo-dev 2016-01-26 12:05:19 UTC
Looking at:
https://lists.fedoraproject.org/archives/list/devel%40lists.fedoraproject.org/thread/S3VHBCPMPVZ3NBKR7FQZQE6HBUHVEZ3D/

I guess we will need to start "pushing" some reverse deps to move away from old webkit-gtk slots finally.
Comment 7 Pacho Ramos gentoo-dev 2016-01-26 12:06:07 UTC
Also... per that link's reports, maybe qtwebkit is also vulnerable (but also ignored by most distributions, as is the case with old webkitgtk).
Comment 8 Pacho Ramos gentoo-dev 2016-04-04 19:33:13 UTC
Part of this (but not all, and not the newest vulnerabilities that landed) was fixed in 2.4.10. So we should stabilize that version to improve the situation over 2.4.9 (even if it's still vulnerable to other bugs).

The versions to stabilize would be 2.4.10 and 2.4.10-r200
net-libs/webkit-gtk-2.4.10 amd64 x86
net-libs/webkit-gtk-2.4.10-r200 amd64 x86
Comment 9 Agostino Sarubbo gentoo-dev 2016-04-08 12:21:32 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-04-11 10:42:16 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2016-09-16 04:15:14 UTC
Added to an existing GLSA Request.

Maintainer(s), please drop the vulnerable version(s) once the Dependencies are cleared.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2016-09-23 05:48:41 UTC
Bug 47361 Resolution: --- → WONTFIX
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 10:21:39 UTC
This issue was resolved and addressed in
 GLSA 201612-41 at https://security.gentoo.org/glsa/201612-41
by GLSA coordinator Aaron Bauman (b-man).
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 10:23:09 UTC
Reopening for cleanup... almost there on the dependencies :)
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 11:34:43 UTC
Cleanup moved to bug 577068
Comment 16 Aaron Bauman (RETIRED) gentoo-dev 2016-12-13 12:56:23 UTC
CVEs updated to reflect the actual vulnerable versions of <2.4.0 by CVE and the https://webkitgtk.org/security/WSA-2015-0002.html advisories. A new GLSA will be released accordingly. The rest of the CVEs will be assigned in a new bug.