Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.4175.2
webkit2gtk security update
23 December 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: webkit2gtk
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2020-13584 CVE-2020-9983 CVE-2020-9951
CVE-2020-9948
Reference: ESB-2020.3185.2
ESB-2020.3184.2
Original Bulletin:
http://www.debian.org/security/2020/dsa-4797
https://lists.debian.org/debian-security-announce/2020/msg00226.html
Comment: This bulletin contains two (2) Debian security advisories.
Revision History: December 23 2020: Vendor issued webkit2gtk regression update
November 25 2020: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4797-1 security@debian.org
https://www.debian.org/security/ Alberto Garcia
November 23, 2020 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : webkit2gtk
CVE ID : CVE-2020-9948 CVE-2020-9951 CVE-2020-9983 CVE-2020-13584
The following vulnerabilities have been discovered in the webkit2gtk
web engine:
CVE-2020-9948
Brendan Draper discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2020-9951
Marcin Noga discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2020-9983
zhunki discovered that processing maliciously crafted web content
may lead to code execution.
CVE-2020-13584
Cisco discovered that processing maliciously crafted web content
may lead to arbitrary code execution.
For the stable distribution (buster), these problems have been fixed in
version 2.30.3-1~deb10u1.
We recommend that you upgrade your webkit2gtk packages.
For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl+9VFEACgkQEMKTtsN8
TjYEjxAAqmkeiTdQiA8yAT5zv5oSuYbpbfmrUdifh2QJLw9cRpaXvjfd9NcbigtZ
z+sLX0xSk5m2vMHQksP60fh9jyMrFbrOnEqBYBkBEuEdh6RZ8td6S9UCRlXlJg/M
6ztH38LMwAmF7MEltU1xLpZbN++Lrd6D+rr6qFuCxs62jM0Ly4DQe9LUpRtq5gS1
S9V4dwlbay012NEP4v0Fdh2+EdlKzzNAcc7SNsj2Are3uBpQ3YuN3ROCO3GSmHzR
tXQfW8zKWs7dVRiHVAdGiIFatYIhrl/Ra5R4HN2YWDIRis17FHLUxacK34EKjqcl
boV9GCf/zSA2mvccUri0qJoqUpLivXGqRsuheItrZlwZ6ncmdHE+MWXCr7ClSGjc
gzwL4w/kf7MxVXvmNJCZTBnc1Has143lYWuVGKavURJ7KM2zwP/e5UcNJ+T7xYdF
YHTOHZCCBaQjZwz6nwKMq5WK/RM4HlvBxaFJYE9NDrODE4TWmIkTI7bCMRRq0jo1
uN2dYEf/8WnfyR4dOTFjfUl+Ervt0/Hi098vHPb7X/4Xx9heNecw2xun0bsL5BU1
rpuJdsclVt3rFvGGBU2IorIUSMlUZtRz9OQnysRjUyKJM6L7hWIdTKJ5rDWGVZdj
dNOqEC6cb1fFEK7ttYgQHu8wcOyK1LpjrTwc5y/tEr8jysWHOro=
=x9Ca
- -----END PGP SIGNATURE-----
- ------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4797-2 security@debian.org
https://www.debian.org/security/ Alberto Garcia
December 22, 2020 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : webkit2gtk
Debian Bug : 976437
The update for webkit2gtk released as 4797-1 introduced a regression
with the WebSockets functionality. Updated webkit2gtk packages are now
available to correct this issue.
For the stable distribution (buster), this problem has been fixed in
version 2.30.4-1~deb10u1.
We recommend that you upgrade your webkit2gtk packages.
For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl/hhhBfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0Q3YQ//WI+cFTwvRuXM4gNcgZympWzRcY2OcVOuqIKS+V+CM1KV0YfAz1PYjS6S
H/dIOAJg+P9WpbO+rD4qnkL5tJhHyiC2o+hPLJV+39AGhEITRw9S2Z5AhDdBOwzb
eOy8XO7YKz0VXk2mSkBbVNP9EkU/+ZgCVInWykL+ZOqpw9iagz7rJ34nRFBxuO9o
kOoQ+LyYivp93+s4/CRd6OrLsV5ZenVbZzXJTKZt+LzB8FG9+ecljfil49WtvfiM
9RX4kudvwrpLrRCK5PGcNkI7pISUYpn7Xd7HONOF10zZYqGuhJ3Qw2Xxn/lYaYqf
JaETR9IKvDD53ez66lXeGOxWMBDwBHTzX0Z80AgJh4vuIYW/h4A5D4YK3pbW00Po
E3V6PfxO4EaUilQFHumo2SxjMdxuK9GuawaUEPcTHG9ktl7Vx74bo+Tkk5Xssg2a
jI8GYIHApNweP0uvvJ7dICtVz/WxDIrJECIebODMG4cdK/oemnpOnJoF3Tz270if
6Q2b7l9C73+FjuisxlATVeGoiJL/E7d9YAniivRzyxjC+GhEJbTOW8DNRXD96Mc2
1NNYrGuMbC5eo3FDCjP1e1tpc5+u3ugDwAcQZFbXerw6JB/4dvL/nMocGxeUMxFL
AarwHYXfAgMqNw40rItNQh9C8M3o4I3oyS9t83J6vJrzadbRGns=
=vory
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBX+KZ0+NLKJtyKPYoAQggSRAApfmu3DEv7/fsXaJg9wrAuE//POZvJPLk
F9Y4V0wRLBb945F1e+cN+gBmlKoQzqnUm8l3efRvkxU3nBtSgUDWViZX0D5fdODg
X20aU6C8xrPnF/Vb63FyynVjv66E9AHDHkY7qwSvd3b4CNEmA91kCazGH1PW/9JG
aby2ugDQGgYYb29yU9VXvTlRjHICeOXcW5YjswlBNIcCd5nyHmHgBlZsyeAXqNEA
D3Zb295iEeDSWtMlRZlr3nnW5QCiUMXz6iwaUu8DbVjcxRTFHtihBwN8aJbUjrm0
nBg8mgfLysl6TWMgbFxRzMi7wLbtYfeIhtleKwr0QHpHkwCWuglUh/1k+vQNJvpD
SgaEK3zOG8zaNBRIq6SCVC2QA8k6lKQfIdmwXfCtSKtkRORg6vxYRmcZwzC0nSxp
H3zcAEwi5Kdeu+jJikL/RQVREiV9Oqih/8uME4UV/noXHY7VIu7HXyL9U73OwEJX
EDn90iC/vlzEkqiZdG433ExBKkrQd41HnO6r5iav+gUtU2BIsxAI/nHIkvNXVTqE
8XnZcNWYb2gg3tjp8X9TLiRXGnCrY4hQcYwTXoSojsgz2IVXmy+SUK25Mzsp+Kfg
GVmNNWHRfBhHqUBzrqSPQhgLJh+t0zNFkjmr2gaaE0yu0UsRy0UXU0R3knvVtpNQ
bbvMPmPbGlc=
=HrRT
-----END PGP SIGNATURE-----