epiphany December 2021 XSS issues
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
epiphany-browser (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Impish |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
Impact
------
Multiple cross-site scripting (XSS) vulnerabilities were fixed in December 2021. (Sorry for the delay.)
Testing Done
------------
I completed a build and install test.
After installing, I was able to watch a video on YouTube (I needed to install gstreamer1.
I was able to use Reader Mode on a blog site.
And I was able to load https:/
I was unable to get the POC at https:/
to work for me on Ubuntu 20.04 LTS.
Other Info
----------
I cherry-picked the December 2021 commits from
https:/
I skipped the "Disable Reader Mode" and "Revert Disable Reader Mode" commits since they cancel each other out.
There are some interesting translation and bugfix commits after 3.36.4 before the December commits. I didn't initially include them since they aren't needed for this security fix. But I can include them if you want.
I also cherry-picked the (required) February 2022 build fix commit.
Official backports were not provided for anything older than Epiphany 3.36 so I was unable to prepare a fix for Ubuntu 18.04 LTS ("Bionic"). That release isn't getting webkit2gtk security fixes either.
I'm also including the fix for LP: #1969851
Sponsoring
----------
I am attaching a debdiff. Alternatively you could build from our VCS:
gbp clone https:/
git checkout ubuntu/focal
gbp buildpackage --git-builder=
That will create the source package you can upload to your PPA
CVE References
Changed in epiphany-browser (Ubuntu): | |
status: | New → Confirmed |
Changed in epiphany-browser (Ubuntu Bionic): | |
status: | New → Confirmed |
Changed in epiphany-browser (Ubuntu Focal): | |
status: | New → Confirmed |
Changed in epiphany-browser (Ubuntu Hirsute): | |
status: | New → Confirmed |
Changed in epiphany-browser (Ubuntu Impish): | |
status: | New → Confirmed |
information type: | Public → Public Security |
no longer affects: | epiphany-browser (Ubuntu Jammy) |
Changed in epiphany-browser (Ubuntu): | |
status: | Fix Released → Confirmed |
no longer affects: | epiphany-browser (Ubuntu Hirsute) |
no longer affects: | epiphany-browser (Ubuntu Bionic) |
This bug was fixed in the package epiphany-browser - 41.2-1
---------------
epiphany-browser (41.2-1) unstable; urgency=high
* New upstream release
- Includes fixes for CVE-2021-45085, CVE-2021-45086, CVE-2021-45087,
CVE-2021-4508 (LP: #1955362)
* debian/copyright: minor update
-- Jeremy Bicha <email address hidden> Sun, 19 Dec 2021 20:27:53 -0500