author: Alberto Garcia <berto@igalia.com> 2024-02-06 19:14:56 +0100
committer: Alberto Garcia <berto@igalia.com> 2024-02-06 19:14:56 +0100
commit: d48bae53486af61c6a26646f0d3b3156f2a8940a (patch)
tree: 3dcf55311aa13132df6acd99ee6f233cc4746d23
parent: af15616e60fa94e77cd63c98fb88cb7e25885b54 (diff)
webkit2gtk / wpewebkit upstream advisory WSA-2024-0001
-rw-r--r-- data/CVE/list 38
-rw-r--r-- data/DLA/list 2
-rw-r--r-- data/DSA/list 6
-rw-r--r-- data/dsa-needed.txt 2
4 files changed, 39 insertions, 9 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 172558a2ea..c033a72835 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -2773,7 +2773,12 @@ CVE-2024-23224 (The issue was addressed with improved checks. This issue is fixe
CVE-2024-23223 (A privacy issue was addressed with improved handling of files. This is ...)
NOT-FOR-US: Apple
CVE-2024-23222 (A type confusion issue was addressed with improved checks. This issue ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.42.5-1
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ - wpewebkit 2.42.5-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2024-23219 (The issue was addressed with improved authentication. This issue is fi ...)
NOT-FOR-US: Apple
CVE-2024-23218 (A timing side-channel issue was addressed with improvements to constan ...)
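Review bot: The new webkit2gtk line for CVE-2024-23222 carries a [buster] annotation but none for bullseye or bookworm, so those two releases stay open against 2.42.5-1 until an update is recorded. That matches the webkit2gtk entry this commit adds to data/dsa-needed.txt; the same holds for the identical blocks added for CVE-2024-23213 and CVE-2024-23206, so the pending DSA should list all three ids.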
@@ -2785,7 +2790,12 @@ CVE-2024-23215 (An issue was addressed with improved handling of temporary files
CVE-2024-23214 (Multiple memory corruption issues were addressed with improved memory ...)
NOT-FOR-US: Apple
CVE-2024-23213 (The issue was addressed with improved memory handling. This issue is f ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.42.5-1
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ - wpewebkit 2.42.5-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2024-23212 (The issue was addressed with improved memory handling. This issue is f ...)
NOT-FOR-US: Apple
CVE-2024-23211 (A privacy issue was addressed with improved handling of user preferenc ...)
@@ -2799,7 +2809,12 @@ CVE-2024-23208 (The issue was addressed with improved memory handling. This issu
CVE-2024-23207 (This issue was addressed with improved redaction of sensitive informat ...)
NOT-FOR-US: Apple
CVE-2024-23206 (An access issue was addressed with improved access restrictions. This ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.42.5-1
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ - wpewebkit 2.42.5-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2024-23204 (The issue was addressed with additional permissions checks. This issue ...)
NOT-FOR-US: Apple
CVE-2024-23203 (The issue was addressed with additional permissions checks. This issue ...)
@@ -5034,7 +5049,9 @@ CVE-2023-42865 (An out-of-bounds read was addressed with improved input validati
CVE-2023-42862 (An out-of-bounds read was addressed with improved input validation. Th ...)
NOT-FOR-US: Apple
CVE-2023-42833 (A correctness issue was addressed with improved checks. This issue is ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.38.0-1
+ - wpewebkit 2.38.0-1
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2023-42832 (A race condition was addressed with improved state handling. This issu ...)
NOT-FOR-US: Apple
CVE-2023-42831 (This issue was addressed by removing the vulnerable code. This issue i ...)
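Review bot: The CVE-2023-42833 entry gives 2.38.0-1 as the fixed version with only the WSA-2024-0001 link as explanation, while the rest of the commit amends DSA-5240-1, DSA-5241-1 and DLA-3124-1 from September 2022 to include this id. A second NOTE line stating that the fix already shipped in 2.38.0 and that the id is being attached to those advisories after the fact would make the entry easier to follow for a later reader.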
@@ -5072,7 +5089,12 @@ CVE-2023-40433 (A logic issue was addressed with improved checks. This issue is
CVE-2023-40430 (A logic issue was addressed with improved checks. This issue is fixed ...)
NOT-FOR-US: Apple
CVE-2023-40414 (A use-after-free issue was addressed with improved memory management. ...)
- NOT-FOR-US: Apple
+ - webkit2gtk 2.42.1-1
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ - wpewebkit 2.42.1-1
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2023-40411 (This issue was addressed with improved data protection. This issue is ...)
NOT-FOR-US: Apple
CVE-2023-40394 (The issue was addressed with improved validation of environment variab ...)
@@ -545421,7 +545443,13 @@ CVE-2014-1746 (The InMemoryUrlProtocol::Read function in media/filters/in_memory
CVE-2014-1745 (Use-after-free vulnerability in the SVG implementation in Blink, as us ...)
{DSA-2939-1}
- chromium-browser 35.0.1916.114-1
+ - webkit2gtk 2.42.0-1
+ - wpewebkit 2.42.0-1
[squeeze] - chromium-browser <end-of-life>
+ [buster] - webkit2gtk <end-of-life> (EOL in buster LTS)
+ [bookworm] - wpewebkit <ignored> (wpewebkit not covered by security support in Bookworm)
+ [bullseye] - wpewebkit <ignored> (wpewebkit >= 2.40 can no longer be sensibly backported)
+ NOTE: https://webkitgtk.org/security/WSA-2024-0001.html
CVE-2014-1744 (Integer overflow in the AudioInputRendererHost::OnCreateStream functio ...)
{DSA-2939-1}
- chromium-browser 35.0.1916.114-1
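Review bot: In the CVE-2014-1745 entry the new "- webkit2gtk 2.42.0-1" and "- wpewebkit 2.42.0-1" lines are inserted between "- chromium-browser 35.0.1916.114-1" and its "[squeeze] - chromium-browser <end-of-life>" annotation, which separates that annotation from the package line it belongs to. Placing the two new package lines after the [squeeze] line, each followed by its own release annotations as in the other entries of this commit, would keep the entry readable. The "{DSA-2939-1}" cross-reference is also left unchanged although DSA-5527-1 gains this id in data/DSA/list; if that line is not regenerated automatically it needs updating as well. Since the description refers to the SVG implementation in Blink, a short NOTE on why the id applies to WebKit would help.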
diff --git a/data/DLA/list b/data/DLA/list
index 1c6f182b65..2a9daf38b7 100644
--- a/data/DLA/list
+++ b/data/DLA/list
@@ -1829,7 +1829,7 @@
{CVE-2020-25708 CVE-2020-29260}
[buster] - libvncserver 0.9.11+dfsg-1.3+deb10u5
[29 Sep 2022] DLA-3124-1 webkit2gtk - security update
- {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-42863 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+ {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-42863 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833}
[buster] - webkit2gtk 2.38.0-1~deb10u1
[27 Sep 2022] DLA-3123-1 thunderbird - security update
{CVE-2022-3266 CVE-2022-40956 CVE-2022-40957 CVE-2022-40958 CVE-2022-40959 CVE-2022-40960 CVE-2022-40962}
diff --git a/data/DSA/list b/data/DSA/list
index 8e1275f4d2..3ab9fa3c37 100644
--- a/data/DSA/list
+++ b/data/DSA/list
@@ -338,7 +338,7 @@
[12 Oct 2023] DSA-5522-2 tomcat9 - regression update
[bullseye] - tomcat9 9.0.43-2~deb11u8
[12 Oct 2023] DSA-5527-1 webkit2gtk - security update
- {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890}
+ {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890 CVE-2023-40414 CVE-2014-1745}
[bullseye] - webkit2gtk 2.42.1-1~deb11u1
[bookworm] - webkit2gtk 2.42.1-1~deb12u1
[12 Oct 2023] DSA-5526-1 chromium - security update
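Review bot: In the DSA-5527-1 list the existing ids are in ascending order, and the two appended ones (CVE-2023-40414 CVE-2014-1745) break it; the other lists amended in this commit stay sorted only because CVE-2023-42833 sorts last. Suggest sorting the line so that CVE-2014-1745 comes first and CVE-2023-40414 sits between CVE-2023-39928 and CVE-2023-41074.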
@@ -1276,10 +1276,10 @@
{CVE-2022-29599}
[bullseye] - maven-shared-utils 3.3.0-1+deb11u1
[28 Sep 2022] DSA-5241-1 wpewebkit - security update
- {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+ {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833}
[bullseye] - wpewebkit 2.38.0-1~deb11u1
[28 Sep 2022] DSA-5240-1 webkit2gtk - security update
- {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363}
+ {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833}
[bullseye] - webkit2gtk 2.38.0-1~deb11u1
[27 Sep 2022] DSA-5239-1 gdal - security update
{CVE-2021-45943}
diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt
index 60596f799d..1d24ad15e5 100644
--- a/data/dsa-needed.txt
+++ b/data/dsa-needed.txt
@@ -82,5 +82,7 @@ squid (apo)
--
varnish
--
+webkit2gtk (berto)
+--
zabbix
--
