#15560 closed enhancement (fixed)
webkitgtk-2.34.0
| Reported by: | Bruce Dubbs | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 11.1 |
| Component: | BOOK | Version: | git |
| Severity: | critical | Keywords: | |
| Cc: |
Description
New point version.
Change History (7)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
| Owner: | changed from to |
|---|---|
| Priority: | normal → high |
| Severity: | normal → critical |
| Status: | new → assigned |
This needs to go to high severity. It has a fix for CVE-2021-30858, which is the critical security vulnerability that Apple fixed last Monday that allows for remote attackers to silently compromise devices that use WebKit, including Macs/iPhones/iPads.
I will get this done before I turn in for the day, and will send an email once it is complete.
https://webkitgtk.org/security/WSA-2021-0005.html
comment:3 by , 3 years ago
------------------------------------------------------------------------
WebKitGTK and WPE WebKit Security Advisory WSA-2021-0005
------------------------------------------------------------------------
Date reported : September 20, 2021
Advisory ID : WSA-2021-0005
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2021-0005.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2021-0005.html
CVE identifiers : CVE-2021-30858.
Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.
CVE-2021-30858
Versions affected: WebKitGTK and WPE WebKit before 2.32.4.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution. Apple is aware of a report that this issue
may have been actively exploited. Description: A use after free
issue was addressed with improved memory management.
We recommend updating to the latest stable versions of WebKitGTK and WPE
WebKit. It is the best way to ensure that you are running safe versions
of WebKit. Please check our websites for information about the latest
stable releases.
Further information about WebKitGTK and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.
The WebKitGTK and WPE WebKit team,
September 20, 2021
comment:4 by , 3 years ago
| Summary: | webkitgtk-2.32.4 → webkitgtk-2.34.0 |
|---|
Now 2.34.0
Highlights of the WebKitGTK 2.34.0 release ========================================== - Add support for HTTP/2 when building with libsoup3. - Add support for CSS Scroll Snap. - Add support for date and datetime-local input elements. - Add support for display capture. - Add support for ICC color management. - Add support color-schemes CSS property. - Add support for link preconnect when building with libsoup3. - Add support for client side certificates when building with libsoup3. - Add multi-track support to MSE media backend. - Add new API to handle web process unresponsiveness. - Add API to disable CORS on a web view for particular domains. - Add new API to access/modify capture devices states. - Add new API to configure the memory pressure handler.
follow-up: 7 comment:5 by , 3 years ago
We need to add -DUSE_SOUP2=ON to the CMake options in order to prevent a dependency on libsoup3 (which makes sense, the same developer of WebKit is the developer of libsoup!)
comment:6 by , 3 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
comment:7 by , 3 years ago
Replying to Douglas R. Reno:
We need to add -DUSE_SOUP2=ON to the CMake options in order to prevent a dependency on libsoup3 (which makes sense, the same developer of WebKit is the developer of libsoup!)
I'd really like to have HTTP/2 support by using libsoup3. But I don't want to build webkitgtk twice! So all I can do is waiting them to get things settled down.
If there is no security issue we can just wait for 2.34.0, as epiphany-41 needs >= 2.33.2.