webkitgtk-2.38.5

[Douglas R. Reno]

Critical security update.

It contains a fix for a vulnerability which is being utilized on Apple devices as part of an exploit. It's not known how it impacts Linux machines, but it does allow for a sandbox bypass and remote code execution. Apple rates it as Critical, and they did emergency updates for all of their devices yesterday for iOS, macOS, tvOS, watchOS, Safari, and iTunes. ​https://www.securityweek.com/apple-patches-actively-exploited-webkit-zero-day-vulnerability/ has some more details.

Because of the severity of this vulnerability and the fact that it's being actively exploited, promoting to High severity.

[Douglas R. Reno]

Retitle for currency script

[Douglas R. Reno]

Release Notes

What’s new in the WebKitGTK 2.38.5 release?

    Fix large memory allocation when uploading content.
    Fix scrolling after a history navigation with PSON enabled.
    Always update the active uri of WebKitFrame.
    Fix the build on Ubuntu 20.04.
    Fix several crashes and rendering issues.

Security Advisory

WebKitGTK and WPE WebKit Security Advisory WSA-2023-0002

    Date Reported: February 15, 2023

    Advisory ID: WSA-2023-0002

    CVE identifiers: CVE-2023-23529.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

    CVE-2023-23529
        Versions affected: WebKitGTK and WPE WebKit before 2.38.5.
        Credit to an anonymous researcher.
        Impact: Processing maliciously crafted web content may lead to arbitrary code 
        execution. Apple is aware of a report that this issue may have been actively 
        exploited. 
        Description: A type confusion issue was addressed with improved checks.

[Douglas R. Reno]

Fixed at 74b918b73eb0c410a4b7ed0398e88fdf6bf755c2

[Douglas R. Reno]

Issued SA-11.2-100