From ${URL} : Date reported : February 01, 2016 Advisory ID : WSA-2016-0001 Advisory URL : http://webkitgtk.org/security/WSA-2016-0001.html CVE identifiers : CVE-2015-7096, CVE-2015-7098. Several vulnerabilities were discovered on WebKitGTK+. CVE-2015-7096 Versions affected: WebKitGTK+ before 2.10.5. Credit to Apple. WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2015-7048, CVE-2015-7095, CVE-2015-7097, CVE-2015-7098, CVE-2015-7099, CVE-2015-7100, CVE-2015-7101, CVE-2015-7102, and CVE-2015-7103. CVE-2015-7098 Versions affected: WebKitGTK+ before 2.10.5. Credit to Apple. WebKit in Apple iOS before 9.2, Safari before 9.0.2, and tvOS before 9.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2015-7048, CVE-2015-7095, CVE-2015-7096, CVE-2015-7097, CVE-2015-7099, CVE-2015-7100, CVE-2015-7101, CVE-2015-7102, and CVE-2015-7103. @maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Was fixed upstream in v2.10.5. First fixed version containing was v2.10.7 (via https://gitweb.gentoo.org/repo/gentoo.git/commit/net-libs/webkit-gtk?id=a62079ddda10039b692df7a77fb4ec572027b2e5). Current stable version in tree is =net-libs/webkit-gtk-2.12.5. Added to existing GLSA. @ Maintainer(s): I am unable to determine if v2.4.11 is affected. Can you help? Maybe you know the commits so we can check?
webkit-gtk-2.4 is very likely to be affected by various security bugs that have happened and fixed in 2.10 or 2.12. We need to get webkit-gtk-2.4 out of the tree, but various consumers have still not ported to webkit2gtk (multiprocessing new API). The hope is that these remaining applications only display controlled static HTML, not support browsing the web, but I have not checked.
@ Maintainer(s): Thank you for your response. Could you please create a webkit-gtk-2.4 removal tracking bug and file blocking bugs against remaining consumers? That way we could track progress...
It was being covered in bug 570034
This issue was resolved and addressed in GLSA 201612-41 at https://security.gentoo.org/glsa/201612-41 by GLSA coordinator Aaron Bauman (b-man).
Should not have been addressed via GLSA or closed. Errata published. Reopening.
This issue was resolved and addressed in GLSA 201706-15 at https://security.gentoo.org/glsa/201706-15 by GLSA coordinator Thomas Deutschmann (whissi).
