From ${URL}:

CVE-2016-1726
Versions affected: WebKitGTK+ before 2.10.8.
Credit to Apple.
WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1725.

From http://webkitgtk.org/2016/03/11/webkitgtk2.10.8-released.html:

What’s new in the WebKitGTK+ 2.10.8 release? ... Security fixes: CVE-2016-1726.
CVE-2016-1726 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726): WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1725.
CVE-2016-1728 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1728): The Cascading Style Sheets (CSS) implementation in Apple iOS before 9.2.1 and Safari before 9.0.3 mishandles the "a:visited button" selector during height processing, which makes it easier for remote attackers to obtain sensitive browser-history information via a crafted web site.

CVE-2016-1727 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1727): WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS before 9.1.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1724.

CVE-2016-1726 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1726): WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1725.

CVE-2016-1725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1725): WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1726.

CVE-2016-1724 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1724): WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS before 9.1.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1727.

CVE-2016-1723 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1723): WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1725 and CVE-2016-1726.
commit 4d2854acf1a56d2de76c5cee7d4a13c7bfcf85fa
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Mar 15 10:50:45 2016

    net-libs/webkit-gtk: Security bump to version 2.10.8 (bug #577068).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
We would need 2.10.9 instead, as 2.10.8 has some regressions per: http://www.webkitgtk.org/2016/03/17/webkitgtk2.10.9-released.html
amd64 stable
x86 stable. Maintainer(s), please cleanup.
@ Maintainer(s): Still waiting for your cleanup. If you want to keep v2.4 for some reason please tell us so we have to check if these versions are affected and need masking.
We cannot clean these up without heavily breaking the tree, because many packages in tree still use webkit-gtk SLOT 2 or 3.
This issue was resolved and addressed in GLSA 201612-41 at https://security.gentoo.org/glsa/201612-41 by GLSA coordinator Aaron Bauman (b-man).
Reopening for cleanup.
Moving the cleanup from bug 570034 to here. Please add depends for additional packages which require fixing.
This issue was resolved and addressed in GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15 by GLSA coordinator Thomas Deutschmann (whissi).
Re-opening to track cleanup of older, vulnerable, slots.