-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.4087
                        webkit2gtk security update
                              5 November 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           webkit2gtk
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-8771 CVE-2019-8769 CVE-2019-8720
                   CVE-2019-8625  

Reference:         ESB-2019.3760
                   ESB-2019.3759
                   ESB-2019.3758

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4558

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4558-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
November 04, 2019                     https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2019-8625 CVE-2019-8720 CVE-2019-8769 CVE-2019-8771

Several vulnerabilities have been discovered in the webkit2gtk web engine:

CVE-2019-8625

    Sergei Glazunov discovered that maliciously crafted web content
    may lead to universal cross site scripting.

CVE-2019-8720

    Wen Xu discovered that maliciously crafted web content may lead to
    arbitrary code execution.

CVE-2019-8769

    Pierre Reimertz discovered that visiting a maliciously crafted
    website may reveal browsing history.

CVE-2019-8771

    Eliya Stein discovered that maliciously crafted web content may
    violate iframe sandboxing policy.

For the stable distribution (buster), these problems have been fixed in
version 2.26.1-3~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl3An/sACgkQEMKTtsN8
TjZv3A//UJcdspSRw9nCLFFf4Sj13DrXJoNcmLKkSh+5fTlIlYBdc8E2PT0coGtb
DIdgCoSBd3QwWbAgthkDYxtSTwgbudmDrc59UgY3aHCuvsiDRN6A53C7NMI0eWkW
DftztJ/TVVm9Ym9sNyEMve1sO5JwpPmvMA7Byxfn7+666nZX9gt5C2W2l/vsmxch
Yy7X1Eb56NPoJX66nuznb2Ak435DXRVDiP3dj05rTqdix1ok4Rh5+uho8Kzp/DXs
qAsAbAdcm+5Kk2n313+Vp2jsDOAYWesdyo2JoMw215p/qPk+AoYs91VKDa3Hr9+2
8SRZ3rny514QDFdQZ6ihGIr+eO1xS5zl184LM4bKBb0zWDdTPRP3YIuJ3GSBr5xP
oCuvZ0N4boZRwQvdO/E6wkl2ZUZJVBKH3/aIyZ0rC9JDTejMIlcCryhqjccCnHKZ
2jmuk1RrR/0emLiGGa60GV1F0gimw+5tpFyPAQHxILqSNgMhT21ak/kxTcCn3Tq8
eZi/UnwCDKOsubQlxI8Kjm+ymhVnBzRbcG5pUHzeuSIYHNnRyhN9FMfAyJbtPnVV
9Zr44CfZpqTsoMSBVlNXdMaVbSRazC7LX94TZM3gUrLMjXq8Iyy7No52sh72Exhw
H0jDUqa9sB1fXuiZYEQolUxcvuJggolnGKII1YrdOkqJfVmzCSs=
=HGVt
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXcDCvWaOgq3Tt24GAQgqIg/9FYHgIrZCbwtMXiuOgu4ZRPWBFiS25vGy
JhCi+sQ/NRdnqLXUWKs0sB81CkvmbLzF8a9ZUUxnxykkCzDHuDWrtpt55xC/S15F
DTLjoMuSe9RgKkvR2rBWXUQ5ACK0fXxrTINaYrYRdL0mPDHnjHFmLsgJ0iVDiPcb
smr9I+dwzR6wYQOpVwg5N2hWTg9iFEttBeV6xjuWrZQ+zRMXKHLUsRxdKHn/4YJH
ZBun0Mi8dUC+vKmSbf57jgCt58KmRSpLQNL9vYbRJusV29YZzjBEmT9BUKvdY9mk
teXrh0yE6V8SE4oa4amwM0UOnAWktLejyFszA6UPRKZ5mdHM2en7dCId9UhpbV9v
5fuf25tTOL6bkUEe1KgfYmdaBDQI4p6WIE0vKbw6TI1/e8BXEEZUk3TrICvCIf+C
Kn9A5W2an/IzbvKiwUzohhWa1dKP1A24ybFl9fK1SkJqB36BVLv3iEJOp9fbbWBB
rStRvdptZitbS7Hli5tLjeg7VcVCL6lvJjeMgqcXl2cLkLpgcPSA6yYdp6wLuO3e
ne2SnRJgYwMPj0irYJXqmiKmoMcqqRi6q6my4o5aHntb/jbsMXgFp54hEPwdhrgf
rv4zXJQDSXX5k4XI+eAv4ILDtZIOgVj9g7uqHei7UxatTPh0AncuoWIr3Jg7sY88
jctE4+i7GyE=
=PWnp
-----END PGP SIGNATURE-----