From d48bae53486af61c6a26646f0d3b3156f2a8940a Mon Sep 17 00:00:00 2001 From: Alberto Garcia Date: Tue, 6 Feb 2024 19:14:56 +0100 Subject: webkit2gtk / wpewebkit upstream advisory WSA-2024-0001 --- data/CVE/list | 38 +++++++++++++++++++++++++++++++++----- data/DLA/list | 2 +- data/DSA/list | 6 +++--- data/dsa-needed.txt | 2 ++ 4 files changed, 39 insertions(+), 9 deletions(-) diff --git a/data/CVE/list b/data/CVE/list index 172558a2ea..c033a72835 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -2773,7 +2773,12 @@ CVE-2024-23224 (The issue was addressed with improved checks. This issue is fixe CVE-2024-23223 (A privacy issue was addressed with improved handling of files. This is ...) NOT-FOR-US: Apple CVE-2024-23222 (A type confusion issue was addressed with improved checks. This issue ...) - NOT-FOR-US: Apple + - webkit2gtk 2.42.5-1 + [buster] - webkit2gtk (EOL in buster LTS) + - wpewebkit 2.42.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) + NOTE: https://webkitgtk.org/security/WSA-2024-0001.html CVE-2024-23219 (The issue was addressed with improved authentication. This issue is fi ...) NOT-FOR-US: Apple CVE-2024-23218 (A timing side-channel issue was addressed with improvements to constan ...) @@ -2785,7 +2790,12 @@ CVE-2024-23215 (An issue was addressed with improved handling of temporary files CVE-2024-23214 (Multiple memory corruption issues were addressed with improved memory ...) NOT-FOR-US: Apple CVE-2024-23213 (The issue was addressed with improved memory handling. This issue is f ...) - NOT-FOR-US: Apple + - webkit2gtk 2.42.5-1 + [buster] - webkit2gtk (EOL in buster LTS) + - wpewebkit 2.42.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) + NOTE: https://webkitgtk.org/security/WSA-2024-0001.html CVE-2024-23212 (The issue was addressed with improved memory handling. This issue is f ...) NOT-FOR-US: Apple CVE-2024-23211 (A privacy issue was addressed with improved handling of user preferenc ...) @@ -2799,7 +2809,12 @@ CVE-2024-23208 (The issue was addressed with improved memory handling. This issu CVE-2024-23207 (This issue was addressed with improved redaction of sensitive informat ...) NOT-FOR-US: Apple CVE-2024-23206 (An access issue was addressed with improved access restrictions. This ...) - NOT-FOR-US: Apple + - webkit2gtk 2.42.5-1 + [buster] - webkit2gtk (EOL in buster LTS) + - wpewebkit 2.42.5-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) + NOTE: https://webkitgtk.org/security/WSA-2024-0001.html CVE-2024-23204 (The issue was addressed with additional permissions checks. This issue ...) NOT-FOR-US: Apple CVE-2024-23203 (The issue was addressed with additional permissions checks. This issue ...) @@ -5034,7 +5049,9 @@ CVE-2023-42865 (An out-of-bounds read was addressed with improved input validati CVE-2023-42862 (An out-of-bounds read was addressed with improved input validation. Th ...) NOT-FOR-US: Apple CVE-2023-42833 (A correctness issue was addressed with improved checks. This issue is ...) - NOT-FOR-US: Apple + - webkit2gtk 2.38.0-1 + - wpewebkit 2.38.0-1 + NOTE: https://webkitgtk.org/security/WSA-2024-0001.html CVE-2023-42832 (A race condition was addressed with improved state handling. This issu ...) NOT-FOR-US: Apple CVE-2023-42831 (This issue was addressed by removing the vulnerable code. This issue i ...) @@ -5072,7 +5089,12 @@ CVE-2023-40433 (A logic issue was addressed with improved checks. This issue is CVE-2023-40430 (A logic issue was addressed with improved checks. This issue is fixed ...) NOT-FOR-US: Apple CVE-2023-40414 (A use-after-free issue was addressed with improved memory management. ...) - NOT-FOR-US: Apple + - webkit2gtk 2.42.1-1 + [buster] - webkit2gtk (EOL in buster LTS) + - wpewebkit 2.42.1-1 + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) + NOTE: https://webkitgtk.org/security/WSA-2024-0001.html CVE-2023-40411 (This issue was addressed with improved data protection. This issue is ...) NOT-FOR-US: Apple CVE-2023-40394 (The issue was addressed with improved validation of environment variab ...) @@ -545421,7 +545443,13 @@ CVE-2014-1746 (The InMemoryUrlProtocol::Read function in media/filters/in_memory CVE-2014-1745 (Use-after-free vulnerability in the SVG implementation in Blink, as us ...) {DSA-2939-1} - chromium-browser 35.0.1916.114-1 + - webkit2gtk 2.42.0-1 + - wpewebkit 2.42.0-1 [squeeze] - chromium-browser + [buster] - webkit2gtk (EOL in buster LTS) + [bookworm] - wpewebkit (wpewebkit not covered by security support in Bookworm) + [bullseye] - wpewebkit (wpewebkit >= 2.40 can no longer be sensibly backported) + NOTE: https://webkitgtk.org/security/WSA-2024-0001.html CVE-2014-1744 (Integer overflow in the AudioInputRendererHost::OnCreateStream functio ...) {DSA-2939-1} - chromium-browser 35.0.1916.114-1 diff --git a/data/DLA/list b/data/DLA/list index 1c6f182b65..2a9daf38b7 100644 --- a/data/DLA/list +++ b/data/DLA/list @@ -1829,7 +1829,7 @@ {CVE-2020-25708 CVE-2020-29260} [buster] - libvncserver 0.9.11+dfsg-1.3+deb10u5 [29 Sep 2022] DLA-3124-1 webkit2gtk - security update - {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-42863 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363} + {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-42863 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833} [buster] - webkit2gtk 2.38.0-1~deb10u1 [27 Sep 2022] DLA-3123-1 thunderbird - security update {CVE-2022-3266 CVE-2022-40956 CVE-2022-40957 CVE-2022-40958 CVE-2022-40959 CVE-2022-40960 CVE-2022-40962} diff --git a/data/DSA/list b/data/DSA/list index 8e1275f4d2..3ab9fa3c37 100644 --- a/data/DSA/list +++ b/data/DSA/list @@ -338,7 +338,7 @@ [12 Oct 2023] DSA-5522-2 tomcat9 - regression update [bullseye] - tomcat9 9.0.43-2~deb11u8 [12 Oct 2023] DSA-5527-1 webkit2gtk - security update - {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890} + {CVE-2023-32359 CVE-2023-39928 CVE-2023-41074 CVE-2023-41993 CVE-2023-42890 CVE-2023-40414 CVE-2014-1745} [bullseye] - webkit2gtk 2.42.1-1~deb11u1 [bookworm] - webkit2gtk 2.42.1-1~deb12u1 [12 Oct 2023] DSA-5526-1 chromium - security update @@ -1276,10 +1276,10 @@ {CVE-2022-29599} [bullseye] - maven-shared-utils 3.3.0-1+deb11u1 [28 Sep 2022] DSA-5241-1 wpewebkit - security update - {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363} + {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833} [bullseye] - wpewebkit 2.38.0-1~deb11u1 [28 Sep 2022] DSA-5240-1 webkit2gtk - security update - {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363} + {CVE-2022-32886 CVE-2022-32888 CVE-2022-32923 CVE-2022-32933 CVE-2022-42863 CVE-2022-48503 CVE-2023-25358 CVE-2023-25360 CVE-2023-25361 CVE-2023-25362 CVE-2023-25363 CVE-2023-42833} [bullseye] - webkit2gtk 2.38.0-1~deb11u1 [27 Sep 2022] DSA-5239-1 gdal - security update {CVE-2021-45943} diff --git a/data/dsa-needed.txt b/data/dsa-needed.txt index 60596f799d..1d24ad15e5 100644 --- a/data/dsa-needed.txt +++ b/data/dsa-needed.txt @@ -82,5 +82,7 @@ squid (apo) -- varnish -- +webkit2gtk (berto) +-- zabbix -- -- cgit v1.2.3