2021-12-20 01:15:12 |
Jeremy Bícha |
bug |
|
|
added bug |
2021-12-20 01:15:41 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Hirsute |
|
2021-12-20 01:15:41 |
Jeremy Bícha |
bug task added |
|
epiphany-browser (Ubuntu Hirsute) |
|
2021-12-20 01:15:41 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Focal |
|
2021-12-20 01:15:41 |
Jeremy Bícha |
bug task added |
|
epiphany-browser (Ubuntu Focal) |
|
2021-12-20 01:15:41 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Impish |
|
2021-12-20 01:15:41 |
Jeremy Bícha |
bug task added |
|
epiphany-browser (Ubuntu Impish) |
|
2021-12-20 01:15:41 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Bionic |
|
2021-12-20 01:15:41 |
Jeremy Bícha |
bug task added |
|
epiphany-browser (Ubuntu Bionic) |
|
2021-12-20 01:16:05 |
Jeremy Bícha |
cve linked |
|
2021-45085 |
|
2021-12-20 01:16:25 |
Jeremy Bícha |
cve linked |
|
2021-45086 |
|
2021-12-20 01:16:36 |
Jeremy Bícha |
cve linked |
|
2021-45087 |
|
2021-12-20 01:16:47 |
Jeremy Bícha |
cve linked |
|
2021-45088 |
|
2021-12-20 01:17:08 |
Jeremy Bícha |
epiphany-browser (Ubuntu): status |
New |
Confirmed |
|
2021-12-20 01:17:12 |
Jeremy Bícha |
epiphany-browser (Ubuntu Bionic): status |
New |
Confirmed |
|
2021-12-20 01:17:14 |
Jeremy Bícha |
epiphany-browser (Ubuntu Focal): status |
New |
Confirmed |
|
2021-12-20 01:17:16 |
Jeremy Bícha |
epiphany-browser (Ubuntu Hirsute): status |
New |
Confirmed |
|
2021-12-20 01:17:19 |
Jeremy Bícha |
epiphany-browser (Ubuntu Impish): status |
New |
Confirmed |
|
2021-12-20 01:17:22 |
Jeremy Bícha |
information type |
Public |
Public Security |
|
2021-12-20 08:40:39 |
Launchpad Janitor |
epiphany-browser (Ubuntu): status |
Confirmed |
Fix Released |
|
2021-12-20 08:40:39 |
Launchpad Janitor |
cve linked |
|
2021-4508 |
|
2021-12-20 11:06:29 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Jammy |
|
2021-12-20 11:06:29 |
Jeremy Bícha |
bug task added |
|
epiphany-browser (Ubuntu Jammy) |
|
2021-12-20 11:06:43 |
Jeremy Bícha |
bug task deleted |
epiphany-browser (Ubuntu Jammy) |
|
|
2021-12-20 11:06:56 |
Jeremy Bícha |
epiphany-browser (Ubuntu): status |
Fix Released |
Confirmed |
|
2022-02-03 01:28:58 |
Jeremy Bícha |
bug task deleted |
epiphany-browser (Ubuntu Hirsute) |
|
|
2022-07-18 23:03:02 |
Brian Murray |
epiphany-browser (Ubuntu Impish): status |
Confirmed |
Won't Fix |
|
2022-07-31 20:48:37 |
Jeremy Bícha |
bug task deleted |
epiphany-browser (Ubuntu Bionic) |
|
|
2022-07-31 21:21:06 |
Jeremy Bícha |
description |
I'm filing this placeholder bug for the epiphany security issues. I am not currently working on this bug.
https://discourse.gnome.org/t/epiphany-cve-2021-45085-cve-2021-45086-cve-2021-45087-cve-2021-45088/8367 |
Impact
------
Multiple cross-site scripting (XSS) vulnerabilities were fixed in December 2021. (Sorry for the delay.)
https://discourse.gnome.org/t/epiphany-cve-2021-45085-cve-2021-45086-cve-2021-45087-cve-2021-45088/8367
Testing Done
------------
I completed a build and install test.
After installing, I was able to watch a video on YouTube (I needed to install gstreamer1.0-plugins-bad first).
I was able to use Reader Mode on a blog site.
And I was able to load https://ubuntu.com/ normally.
I was unable to get the POC at https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612 to work for me on Ubuntu 20.04 LTS.
Other Info
----------
I cherry-picked the December 2021 commits from
https://gitlab.gnome.org/GNOME/epiphany/-/commits/gnome-3-36
I skipped the "Disable Reader Mode" and "Revert Disable Reader Mode" commits since they cancel each other out.
There are some interesting translation and bugfix commits after 3.36.4 before the December commits. I didn't initially include them since they aren't needed for this security fix. But I can include them if you want.
I also cherry-picked the (required) February 2022 build fix commit.
Official backports were not provided for anything older than Epiphany 3.36 so I was unable to prepare a fix for Ubuntu 18.04 LTS ("Bionic"). That release isn't getting webkit2gtk security fixes either.
I'm also including the fix for LP: #1969851
Sponsoring
----------
I am attaching a debdiff. Alternatively you could build from our VCS:
gbp clone https://salsa.debian.org/gnome-team/epiphany-browser
git checkout ubuntu/focal
gbp buildpackage --git-builder="debuild -S -nc"
That will create the source package you can upload to your PPA. |
|
2022-07-31 21:21:35 |
Jeremy Bícha |
attachment added |
|
epiphany-focal-lp1969851.debdiff https://bugs.launchpad.net/ubuntu/+source/epiphany-browser/+bug/1955362/+attachment/5606171/+files/epiphany-focal-lp1969851.debdiff |
|
2022-07-31 21:25:43 |
Jeremy Bícha |
epiphany-browser (Ubuntu): status |
Confirmed |
Fix Released |
|
2022-07-31 21:25:55 |
Jeremy Bícha |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2022-08-09 15:41:13 |
Jeremy Bícha |
bug watch added |
|
https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612 |
|
2022-08-10 12:07:28 |
Launchpad Janitor |
epiphany-browser (Ubuntu Focal): status |
Confirmed |
Fix Released |
|
2022-08-10 12:07:28 |
Launchpad Janitor |
cve linked |
|
2022-29536 |
|