WSA-2018-0003 security update

Bug #1761289 reported by Marc Deslauriers
Affects              Status        Importance  Assigned to  Milestone
webkit2gtk (Ubuntu)  Fix Released  Undecided   Unassigned
Xenial               Fix Released  Medium      Unassigned
Artful               Fix Released  Medium      Unassigned
Bionic               Fix Released  Undecided   Unassigned

Bug Description

https://webkitgtk.org/security/WSA-2018-0003.html

We need to update webkit2gtk to 2.20.

1. We need to do a deja dup update (to -security probably) LP: #1751460

2. Once the brotli (LP: #1737053) and woff2 (LP: #1742743) MIRs are approved, let's backport those to xenial-security and artful-security. Until that's done we'll have a regression in supporting that font.

3. Update the useragent configure flag (this time it should work!) (LP: #1751484)

https://anonscm.debian.org/git/pkg-webkit/webkit.git/tree/debian/rules#n57

Tags: artful xenial
Changed in webkit2gtk (Ubuntu Bionic):
status: New → Fix Released
Changed in webkit2gtk (Ubuntu Artful):
status: New → Confirmed
Changed in webkit2gtk (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → Medium
Changed in webkit2gtk (Ubuntu Artful):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

From irc discussion:

<jbicha> 1. we need to do a deja dup update (so -security I believe) LP: #1751460
<jbicha> 2. once the brotli and woff2 MIRs are approved, I'd like to backport those to xenial. Until that's done we'll have a regression in supporting that font format
<jbicha> 3. I finally got the useragent hack working correctly so you'll need to update your branch for that
<jbicha> https://anonscm.debian.org/git/pkg-webkit/webkit.git/tree/debian/rules#n57
<jbicha> not really a big issue, but bionic's webkit will be built with gstreamergl support but because that requires gstreamer 1.14, we can't do that on xenial
<jbicha> (gstreamergl was in the universe package until upstream moved it in 1.14)

Jeremy Bícha (jbicha)
description: updated
description: updated
description: updated
tags: added: artful xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webkit2gtk - 2.20.1-0ubuntu0.16.04.1

---------------
webkit2gtk (2.20.1-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * Updated to 2.20.1 to fix multiple security issues. (LP: #1761289)
    - CVE-2018-4101, CVE-2018-4113, CVE-2018-4114, CVE-2018-4117,
      CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4122,
      CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129,
      CVE-2018-4133, CVE-2018-4146, CVE-2018-4161, CVE-2018-4162,
      CVE-2018-4163, CVE-2018-4165
  * debian/patches/*.patch: refreshed.
  * debian/rules: disable WOFF2, disable GEOLOCATION.
  * debian/libwebkit2gtk-4.0-37.symbols: updated for new version.

 -- Marc Deslauriers <email address hidden> Fri, 27 Apr 2018 12:29:15 -0400

Changed in webkit2gtk (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webkit2gtk - 2.20.1-0ubuntu0.17.10.1

---------------
webkit2gtk (2.20.1-0ubuntu0.17.10.1) artful-security; urgency=medium

  * Updated to 2.20.1 to fix multiple security issues. (LP: #1761289)
    - CVE-2018-4101, CVE-2018-4113, CVE-2018-4114, CVE-2018-4117,
      CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4122,
      CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129,
      CVE-2018-4133, CVE-2018-4146, CVE-2018-4161, CVE-2018-4162,
      CVE-2018-4163, CVE-2018-4165
  * debian/patches/*.patch: refreshed.
  * debian/rules: disable WOFF2, fix useragent.
  * debian/libwebkit2gtk-4.0-37.symbols: updated for new version.

 -- Marc Deslauriers <email address hidden> Fri, 27 Apr 2018 07:40:48 -0400

Changed in webkit2gtk (Ubuntu Artful):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
