Opened 5 weeks ago

Closed 4 weeks ago

Last modified 4 weeks ago

#15560 closed enhancement (fixed)

webkitgtk-2.34.0

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: high Milestone: 11.1
Component: BOOK Version: git
Severity: critical Keywords:
Cc:

Description

New point version.

Change History (7)

comment:1 by Xi Ruoyao, 5 weeks ago

If there is no security issue we can just wait for 2.34.0, as epiphany-41 needs >= 2.33.2.

comment:2 by Douglas R. Reno, 4 weeks ago

Owner: changed from blfs-book to Douglas R. Reno
Priority: normalhigh
Severity: normalcritical
Status: newassigned

This needs to go to high severity. It has a fix for CVE-2021-30858, which is the critical security vulnerability that Apple fixed last Monday that allows for remote attackers to silently compromise devices that use WebKit, including Macs/iPhones/iPads.

I will get this done before I turn in for the day, and will send an email once it is complete.

https://webkitgtk.org/security/WSA-2021-0005.html

https://us-cert.cisa.gov/ncas/current-activity/2021/09/13/apple-releases-security-updates-address-cve-2021-30858-and-cve

https://www.helpnetsecurity.com/2021/09/14/cve-2021-30860/

https://wgntv.com/news/why-apple-users-should-update-their-phones-computers-and-watches-immediately/

comment:3 by Douglas R. Reno, 4 weeks ago

------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory                 WSA-2021-0005
------------------------------------------------------------------------

Date reported           : September 20, 2021
Advisory ID             : WSA-2021-0005
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2021-0005.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2021-0005.html
CVE identifiers         : CVE-2021-30858.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2021-30858
    Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Apple is aware of a report that this issue
    may have been actively exploited. Description: A use after free
    issue was addressed with improved memory management.


We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.

Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK and WPE WebKit team,
September 20, 2021

comment:4 by Douglas R. Reno, 4 weeks ago

Summary: webkitgtk-2.32.4webkitgtk-2.34.0

Now 2.34.0

Highlights of the WebKitGTK 2.34.0 release
==========================================

 - Add support for HTTP/2 when building with libsoup3.
 - Add support for CSS Scroll Snap.
 - Add support for date and datetime-local input elements.
 - Add support for display capture.
 - Add support for ICC color management.
 - Add support color-schemes CSS property.
 - Add support for link preconnect when building with libsoup3.
 - Add support for client side certificates when building with libsoup3.
 - Add multi-track support to MSE media backend.
 - Add new API to handle web process unresponsiveness.
 - Add API to disable CORS on a web view for particular domains.
 - Add new API to access/modify capture devices states.
 - Add new API to configure the memory pressure handler.

comment:5 by Douglas R. Reno, 4 weeks ago

We need to add -DUSE_SOUP2=ON to the CMake options in order to prevent a dependency on libsoup3 (which makes sense, the same developer of WebKit is the developer of libsoup!)

comment:6 by Douglas R. Reno, 4 weeks ago

Resolution: fixed
Status: assignedclosed

in reply to:  5 comment:7 by Xi Ruoyao, 4 weeks ago

Replying to Douglas R. Reno:

We need to add -DUSE_SOUP2=ON to the CMake options in order to prevent a dependency on libsoup3 (which makes sense, the same developer of WebKit is the developer of libsoup!)

I'd really like to have HTTP/2 support by using libsoup3. But I don't want to build webkitgtk twice! So all I can do is waiting them to get things settled down.

Note: See TracTickets for help on using tickets.