Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.4175.2 webkit2gtk security update 23 December 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: webkit2gtk Publisher: Debian Operating System: Debian GNU/Linux Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction Resolution: Patch/Upgrade CVE Names: CVE-2020-13584 CVE-2020-9983 CVE-2020-9951 CVE-2020-9948 Reference: ESB-2020.3185.2 ESB-2020.3184.2 Original Bulletin: http://www.debian.org/security/2020/dsa-4797 https://lists.debian.org/debian-security-announce/2020/msg00226.html Comment: This bulletin contains two (2) Debian security advisories. Revision History: December 23 2020: Vendor issued webkit2gtk regression update November 25 2020: Initial Release - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4797-1 security@debian.org https://www.debian.org/security/ Alberto Garcia November 23, 2020 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : webkit2gtk CVE ID : CVE-2020-9948 CVE-2020-9951 CVE-2020-9983 CVE-2020-13584 The following vulnerabilities have been discovered in the webkit2gtk web engine: CVE-2020-9948 Brendan Draper discovered that processing maliciously crafted web content may lead to arbitrary code execution. CVE-2020-9951 Marcin Noga discovered that processing maliciously crafted web content may lead to arbitrary code execution. CVE-2020-9983 zhunki discovered that processing maliciously crafted web content may lead to code execution. CVE-2020-13584 Cisco discovered that processing maliciously crafted web content may lead to arbitrary code execution. For the stable distribution (buster), these problems have been fixed in version 2.30.3-1~deb10u1. We recommend that you upgrade your webkit2gtk packages. For the detailed security status of webkit2gtk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/webkit2gtk Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAl+9VFEACgkQEMKTtsN8 TjYEjxAAqmkeiTdQiA8yAT5zv5oSuYbpbfmrUdifh2QJLw9cRpaXvjfd9NcbigtZ z+sLX0xSk5m2vMHQksP60fh9jyMrFbrOnEqBYBkBEuEdh6RZ8td6S9UCRlXlJg/M 6ztH38LMwAmF7MEltU1xLpZbN++Lrd6D+rr6qFuCxs62jM0Ly4DQe9LUpRtq5gS1 S9V4dwlbay012NEP4v0Fdh2+EdlKzzNAcc7SNsj2Are3uBpQ3YuN3ROCO3GSmHzR tXQfW8zKWs7dVRiHVAdGiIFatYIhrl/Ra5R4HN2YWDIRis17FHLUxacK34EKjqcl boV9GCf/zSA2mvccUri0qJoqUpLivXGqRsuheItrZlwZ6ncmdHE+MWXCr7ClSGjc gzwL4w/kf7MxVXvmNJCZTBnc1Has143lYWuVGKavURJ7KM2zwP/e5UcNJ+T7xYdF YHTOHZCCBaQjZwz6nwKMq5WK/RM4HlvBxaFJYE9NDrODE4TWmIkTI7bCMRRq0jo1 uN2dYEf/8WnfyR4dOTFjfUl+Ervt0/Hi098vHPb7X/4Xx9heNecw2xun0bsL5BU1 rpuJdsclVt3rFvGGBU2IorIUSMlUZtRz9OQnysRjUyKJM6L7hWIdTKJ5rDWGVZdj dNOqEC6cb1fFEK7ttYgQHu8wcOyK1LpjrTwc5y/tEr8jysWHOro= =x9Ca - -----END PGP SIGNATURE----- - ------------------------------------------------------------------------------ - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-4797-2 security@debian.org https://www.debian.org/security/ Alberto Garcia December 22, 2020 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : webkit2gtk Debian Bug : 976437 The update for webkit2gtk released as 4797-1 introduced a regression with the WebSockets functionality. Updated webkit2gtk packages are now available to correct this issue. For the stable distribution (buster), this problem has been fixed in version 2.30.4-1~deb10u1. We recommend that you upgrade your webkit2gtk packages. For the detailed security status of webkit2gtk please refer to its security tracker page at: https://security-tracker.debian.org/tracker/webkit2gtk Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAl/hhhBfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2 NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND z0Q3YQ//WI+cFTwvRuXM4gNcgZympWzRcY2OcVOuqIKS+V+CM1KV0YfAz1PYjS6S H/dIOAJg+P9WpbO+rD4qnkL5tJhHyiC2o+hPLJV+39AGhEITRw9S2Z5AhDdBOwzb eOy8XO7YKz0VXk2mSkBbVNP9EkU/+ZgCVInWykL+ZOqpw9iagz7rJ34nRFBxuO9o kOoQ+LyYivp93+s4/CRd6OrLsV5ZenVbZzXJTKZt+LzB8FG9+ecljfil49WtvfiM 9RX4kudvwrpLrRCK5PGcNkI7pISUYpn7Xd7HONOF10zZYqGuhJ3Qw2Xxn/lYaYqf JaETR9IKvDD53ez66lXeGOxWMBDwBHTzX0Z80AgJh4vuIYW/h4A5D4YK3pbW00Po E3V6PfxO4EaUilQFHumo2SxjMdxuK9GuawaUEPcTHG9ktl7Vx74bo+Tkk5Xssg2a jI8GYIHApNweP0uvvJ7dICtVz/WxDIrJECIebODMG4cdK/oemnpOnJoF3Tz270if 6Q2b7l9C73+FjuisxlATVeGoiJL/E7d9YAniivRzyxjC+GhEJbTOW8DNRXD96Mc2 1NNYrGuMbC5eo3FDCjP1e1tpc5+u3ugDwAcQZFbXerw6JB/4dvL/nMocGxeUMxFL AarwHYXfAgMqNw40rItNQh9C8M3o4I3oyS9t83J6vJrzadbRGns= =vory - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBX+KZ0+NLKJtyKPYoAQggSRAApfmu3DEv7/fsXaJg9wrAuE//POZvJPLk F9Y4V0wRLBb945F1e+cN+gBmlKoQzqnUm8l3efRvkxU3nBtSgUDWViZX0D5fdODg X20aU6C8xrPnF/Vb63FyynVjv66E9AHDHkY7qwSvd3b4CNEmA91kCazGH1PW/9JG aby2ugDQGgYYb29yU9VXvTlRjHICeOXcW5YjswlBNIcCd5nyHmHgBlZsyeAXqNEA D3Zb295iEeDSWtMlRZlr3nnW5QCiUMXz6iwaUu8DbVjcxRTFHtihBwN8aJbUjrm0 nBg8mgfLysl6TWMgbFxRzMi7wLbtYfeIhtleKwr0QHpHkwCWuglUh/1k+vQNJvpD SgaEK3zOG8zaNBRIq6SCVC2QA8k6lKQfIdmwXfCtSKtkRORg6vxYRmcZwzC0nSxp H3zcAEwi5Kdeu+jJikL/RQVREiV9Oqih/8uME4UV/noXHY7VIu7HXyL9U73OwEJX EDn90iC/vlzEkqiZdG433ExBKkrQd41HnO6r5iav+gUtU2BIsxAI/nHIkvNXVTqE 8XnZcNWYb2gg3tjp8X9TLiRXGnCrY4hQcYwTXoSojsgz2IVXmy+SUK25Mzsp+Kfg GVmNNWHRfBhHqUBzrqSPQhgLJh+t0zNFkjmr2gaaE0yu0UsRy0UXU0R3knvVtpNQ bbvMPmPbGlc= =HrRT -----END PGP SIGNATURE-----