-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2659
                         webkit2gtk security update
                                4 August 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           webkit2gtk
Publisher:         Debian
Operating System:  Debian GNU/Linux 10
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9925 CVE-2020-9915 CVE-2020-9895 CVE-2020-9894
                   CVE-2020-9893 CVE-2020-9862
Reference:         ESB-2020.2652

Original Bulletin:
   http://www.debian.org/security/2020/dsa-4739
   https://webkitgtk.org/security/WSA-2020-0007.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4739-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
August 03, 2020                       https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2020-9862 CVE-2020-9893 CVE-2020-9894 CVE-2020-9895
                 CVE-2020-9915 CVE-2020-9925

The following vulnerabilities have been discovered in the webkit2gtk web
engine:

CVE-2020-9862

    Ophir Lojkine discovered that copying a URL from the Web Inspector
    may lead to command injection.

CVE-2020-9893

    0011 discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9894

    0011 discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9895

    Wen Xu discovered that a remote attacker may be able to cause
    unexpected application termination or arbitrary code execution.

CVE-2020-9915

    Ayoub Ait Elmokhtar discovered that processing maliciously crafted
    web content may prevent Content Security Policy from being enforced.

CVE-2020-9925

    An anonymous researcher discovered that processing maliciously
    crafted web content may lead to universal cross site scripting.

For the stable distribution (buster), these problems have been fixed in
version 2.28.4-1~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

- -----BEGIN PGP SIGNATURE-----
[signature data omitted]
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
[signature data omitted]
-----END PGP SIGNATURE-----