Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.4087 webkit2gtk security update 5 November 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: webkit2gtk Publisher: Debian Operating System: Debian GNU/Linux 10 Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2019-8771 CVE-2019-8769 CVE-2019-8720 CVE-2019-8625 Reference: ESB-2019.3760 ESB-2019.3759 ESB-2019.3758 Original Bulletin: http://www.debian.org/security/2019/dsa-4558 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4558-1 security@debian.org https://www.debian.org/security/ Alberto Garcia November 04, 2019 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : webkit2gtk CVE ID : CVE-2019-8625 CVE-2019-8720 CVE-2019-8769 CVE-2019-8771 Several vulnerabilities have been discovered in the webkit2gtk web engine: CVE-2019-8625 Sergei Glazunov discovered that maliciously crafted web content may lead to universal cross site scripting. CVE-2019-8720 Wen Xu discovered that maliciously crafted web content may lead to arbitrary code execution. CVE-2019-8769 Pierre Reimertz discovered that visiting a maliciously crafted website may reveal browsing history. CVE-2019-8771 Eliya Stein discovered that maliciously crafted web content may violate iframe sandboxing policy. For the stable distribution (buster), these problems have been fixed in version 2.26.1-3~deb10u1. We recommend that you upgrade your webkit2gtk packages. For the detailed security status of webkit2gtk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/webkit2gtk Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl3An/sACgkQEMKTtsN8 TjZv3A//UJcdspSRw9nCLFFf4Sj13DrXJoNcmLKkSh+5fTlIlYBdc8E2PT0coGtb DIdgCoSBd3QwWbAgthkDYxtSTwgbudmDrc59UgY3aHCuvsiDRN6A53C7NMI0eWkW DftztJ/TVVm9Ym9sNyEMve1sO5JwpPmvMA7Byxfn7+666nZX9gt5C2W2l/vsmxch Yy7X1Eb56NPoJX66nuznb2Ak435DXRVDiP3dj05rTqdix1ok4Rh5+uho8Kzp/DXs qAsAbAdcm+5Kk2n313+Vp2jsDOAYWesdyo2JoMw215p/qPk+AoYs91VKDa3Hr9+2 8SRZ3rny514QDFdQZ6ihGIr+eO1xS5zl184LM4bKBb0zWDdTPRP3YIuJ3GSBr5xP oCuvZ0N4boZRwQvdO/E6wkl2ZUZJVBKH3/aIyZ0rC9JDTejMIlcCryhqjccCnHKZ 2jmuk1RrR/0emLiGGa60GV1F0gimw+5tpFyPAQHxILqSNgMhT21ak/kxTcCn3Tq8 eZi/UnwCDKOsubQlxI8Kjm+ymhVnBzRbcG5pUHzeuSIYHNnRyhN9FMfAyJbtPnVV 9Zr44CfZpqTsoMSBVlNXdMaVbSRazC7LX94TZM3gUrLMjXq8Iyy7No52sh72Exhw H0jDUqa9sB1fXuiZYEQolUxcvuJggolnGKII1YrdOkqJfVmzCSs= =HGVt - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXcDCvWaOgq3Tt24GAQgqIg/9FYHgIrZCbwtMXiuOgu4ZRPWBFiS25vGy JhCi+sQ/NRdnqLXUWKs0sB81CkvmbLzF8a9ZUUxnxykkCzDHuDWrtpt55xC/S15F DTLjoMuSe9RgKkvR2rBWXUQ5ACK0fXxrTINaYrYRdL0mPDHnjHFmLsgJ0iVDiPcb smr9I+dwzR6wYQOpVwg5N2hWTg9iFEttBeV6xjuWrZQ+zRMXKHLUsRxdKHn/4YJH ZBun0Mi8dUC+vKmSbf57jgCt58KmRSpLQNL9vYbRJusV29YZzjBEmT9BUKvdY9mk teXrh0yE6V8SE4oa4amwM0UOnAWktLejyFszA6UPRKZ5mdHM2en7dCId9UhpbV9v 5fuf25tTOL6bkUEe1KgfYmdaBDQI4p6WIE0vKbw6TI1/e8BXEEZUk3TrICvCIf+C Kn9A5W2an/IzbvKiwUzohhWa1dKP1A24ybFl9fK1SkJqB36BVLv3iEJOp9fbbWBB rStRvdptZitbS7Hli5tLjeg7VcVCL6lvJjeMgqcXl2cLkLpgcPSA6yYdp6wLuO3e ne2SnRJgYwMPj0irYJXqmiKmoMcqqRi6q6my4o5aHntb/jbsMXgFp54hEPwdhrgf rv4zXJQDSXX5k4XI+eAv4ILDtZIOgVj9g7uqHei7UxatTPh0AncuoWIr3Jg7sY88 jctE4+i7GyE= =PWnp -----END PGP SIGNATURE-----