WSA-2018-0003 security update

Bug #1761289 reported by Marc Deslauriers on 2018-04-04
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
webkit2gtk (Ubuntu) | | Undecided | Unassigned |
Xenial | | Medium | Unassigned |
Artful | | Medium | Unassigned |
Bionic | | Undecided | Unassigned |

Bug Description

https://webkitgtk.org/security/WSA-2018-0003.html

We need to update webkit2gtk to 2.20.

1. We need to do a deja dup update (to -security probably) LP: #1751460

2. Once the brotli (LP: #1737053) and woff2 (LP: #1742743) MIRs are approved, let's backport those to xenial-security and artful-security. Until that's done we'll have a regression in supporting that font.

3. Update the useragent configure flag (this time it should work!) (LP: #1751484)

https://anonscm.debian.org/git/pkg-webkit/webkit.git/tree/debian/rules#n57

Changed in webkit2gtk (Ubuntu Bionic):
status: New → Fix Released
Changed in webkit2gtk (Ubuntu Artful):
status: New → Confirmed
Changed in webkit2gtk (Ubuntu Xenial):
status: New → Confirmed
importance: Undecided → Medium
Changed in webkit2gtk (Ubuntu Artful):
importance: Undecided → Medium
Marc Deslauriers (mdeslaur) wrote :

From irc discussion:

<jbicha> 1. we need to do a deja dup update (so -security I believe) LP: #1751460
<jbicha> 2. once the brotli and woff2 MIRs are approved, I'd like to backport those to xenial. Until that's done we'll have a regression in supporting that font format
<jbicha> 3. I finally got the useragent hack working correctly so you'll need to update your branch for that
<jbicha> https://anonscm.debian.org/git/pkg-webkit/webkit.git/tree/debian/rules#n57
<jbicha> not really a big issue, but bionic's webkit will be built with gstreamergl support but because that requires gstreamer 1.14, we can't do that on xenial
<jbicha> (gstreamergl was in the universe package until upstream moved it in 1.14)

Jeremy Bicha (jbicha) on 2018-04-04
description: updated
description: updated
description: updated
tags: added: artful xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webkit2gtk - 2.20.1-0ubuntu0.16.04.1

---------------
webkit2gtk (2.20.1-0ubuntu0.16.04.1) xenial-security; urgency=medium

  * Updated to 2.20.1 to fix multiple security issues. (LP: #1761289)
    - CVE-2018-4101, CVE-2018-4113, CVE-2018-4114, CVE-2018-4117,
      CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4122,
      CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129,
      CVE-2018-4133, CVE-2018-4146, CVE-2018-4161, CVE-2018-4162,
      CVE-2018-4163, CVE-2018-4165
  * debian/patches/*.patch: refreshed.
  * debian/rules: disable WOFF2, disable GEOLOCATION.
  * debian/libwebkit2gtk-4.0-37.symbols: updated for new version.

 -- Marc Deslauriers <email address hidden> Fri, 27 Apr 2018 12:29:15 -0400

Changed in webkit2gtk (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package webkit2gtk - 2.20.1-0ubuntu0.17.10.1

---------------
webkit2gtk (2.20.1-0ubuntu0.17.10.1) artful-security; urgency=medium

  * Updated to 2.20.1 to fix multiple security issues. (LP: #1761289)
    - CVE-2018-4101, CVE-2018-4113, CVE-2018-4114, CVE-2018-4117,
      CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4122,
      CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129,
      CVE-2018-4133, CVE-2018-4146, CVE-2018-4161, CVE-2018-4162,
      CVE-2018-4163, CVE-2018-4165
  * debian/patches/*.patch: refreshed.
  * debian/rules: disable WOFF2, fix useragent.
  * debian/libwebkit2gtk-4.0-37.symbols: updated for new version.

 -- Marc Deslauriers <email address hidden> Fri, 27 Apr 2018 07:40:48 -0400

Changed in webkit2gtk (Ubuntu Artful):
status: Confirmed → Fix Released
This report contains Public Security information
Everyone can see this security related information.
