===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.1398
                        WebKitGTK+ security updates
                                8 May 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebKitGTK+
Publisher:         WebKitGTK+
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-4204 CVE-2018-4200 CVE-2018-4121

Reference:         ESB-2018.1294
                   ESB-2018.0968
                   ESB-2018.0963

Original Bulletin:
   https://webkitgtk.org/security/WSA-2018-0004.html

--------------------------BEGIN INCLUDED TEXT--------------------

------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               WSA-2018-0004
------------------------------------------------------------------------

Date reported   : May 07, 2018
Advisory ID     : WSA-2018-0004
Advisory URL    : https://webkitgtk.org/security/WSA-2018-0004.html
CVE identifiers : CVE-2018-4121, CVE-2018-4200, CVE-2018-4204.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2018-4121
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Natalie Silvanovich of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2018-4200
    Versions affected: WebKitGTK+ before 2.20.2.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A memory corruption issue
    was addressed with improved state management.

CVE-2018-4204
    Versions affected: WebKitGTK+ before 2.20.1.
    Credit to Richard Zhu (fluorescence) working with Trend Micro's Zero
    Day Initiative, found by OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A memory corruption issue
    was addressed with improved memory handling.

We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
May 07, 2018

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
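
Added example (not part of the AusCERT bulletin or the WebKitGTK+ advisory): a
check of installed WebKitGTK+ versions against the "Versions affected" lines of
WSA-2018-0004, listing which of the three CVEs remain open per host. The
function names, host names and sample package versions are constructed for
illustration.

```python
import re

# Fixed-in versions from WSA-2018-0004: "before X" means X carries the fix.
FIXED_IN = {
    "CVE-2018-4121": (2, 20, 0),
    "CVE-2018-4204": (2, 20, 1),
    "CVE-2018-4200": (2, 20, 2),
}


def parse_version(text):
    """Return upstream (major, minor, patch) from a version string.

    Accepts upstream versions ("2.20.1") and distro package versions with an
    epoch or revision suffix ("1:2.18.6-1~deb9u1"). Missing patch counts as 0.
    """
    upstream = text.strip().split(":", 1)[-1]  # drop a packaging epoch
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", upstream)
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def unpatched_cves(installed):
    """CVEs from the advisory whose fix version is newer than `installed`."""
    version = parse_version(installed)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


def audit(inventory):
    """Map host -> open CVEs. Unparseable versions are flagged, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            open_cves = unpatched_cves(version)
        except ValueError:
            report[host] = ["UNKNOWN-VERSION"]
            continue
        if open_cves:
            report[host] = open_cves
    return report


if __name__ == "__main__":
    # Constructed inventory; in practice the values come from the package manager.
    sample = {"kiosk-01": "2.20.2-1", "desk-17": "2.20.0", "build-03": "n/a"}
    for host, cves in sorted(audit(sample).items()):
        print(host, ", ".join(cves))
```

A distribution may backport fixes without changing the upstream version number,
so treat a hit as a prompt to check the vendor's own advisory for that package.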