Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2021.2563
webkit2gtk security update
29 July 2021
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: webkit2gtk
Publisher: Debian
Operating System: Debian GNU/Linux
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-30799 CVE-2021-30797 CVE-2021-30795
CVE-2021-30758 CVE-2021-30749 CVE-2021-30744
CVE-2021-30734 CVE-2021-30720 CVE-2021-30689
CVE-2021-30665 CVE-2021-30663 CVE-2021-21779
CVE-2021-21775
Reference: ESB-2021.2492
ESB-2021.2491
Original Bulletin:
http://www.debian.org/security/2021/dsa-4945
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4945-1 security@debian.org
https://www.debian.org/security/ Alberto Garcia
July 28, 2021 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : webkit2gtk
CVE ID : CVE-2021-21775 CVE-2021-21779 CVE-2021-30663 CVE-2021-30665
CVE-2021-30689 CVE-2021-30720 CVE-2021-30734 CVE-2021-30744
CVE-2021-30749 CVE-2021-30758 CVE-2021-30795 CVE-2021-30797
CVE-2021-30799
The following vulnerabilities have been discovered in the webkit2gtk
web engine:
CVE-2021-21775
Marcin Towalski discovered that a specially crafted web page can
lead to a potential information leak and further memory
corruption. In order to trigger the vulnerability, a victim must
be tricked into visiting a malicious webpage.
CVE-2021-21779
Marcin Towalski discovered that a specially crafted web page can
lead to a potential information leak and further memory
corruption. In order to trigger the vulnerability, a victim must
be tricked into visiting a malicious webpage.
CVE-2021-30663
An anonymous researcher discovered that processing maliciously
crafted web content may lead to arbitrary code execution.
CVE-2021-30665
yangkang discovered that processing maliciously crafted web
content may lead to arbitrary code execution. Apple is aware of a
report that this issue may have been actively exploited.
CVE-2021-30689
An anonymous researcher discovered that processing maliciously
crafted web content may lead to universal cross site scripting.
CVE-2021-30720
David Schutz discovered that a malicious website may be able to
access restricted ports on arbitrary servers.
CVE-2021-30734
Jack Dates discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2021-30744
Dan Hite discovered that processing maliciously crafted web
content may lead to universal cross site scripting.
CVE-2021-30749
An anonymous researcher discovered that processing maliciously
crafted web content may lead to arbitrary code execution.
CVE-2021-30758
Christoph Guttandin discovered that processing maliciously crafted
web content may lead to arbitrary code execution.
CVE-2021-30795
Sergei Glazunov discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2021-30797
Ivan Fratric discovered that processing maliciously crafted web
content may lead to code execution.
CVE-2021-30799
Sergei Glazunov discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
For the stable distribution (buster), these problems have been fixed in
version 2.32.3-1~deb10u1.
We recommend that you upgrade your webkit2gtk packages.
For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmEBqAcACgkQEMKTtsN8
Tjb82w//b5cKE8AxDi2ZheBPHJEpSYen+zf2i55ccltRuZ/Pd8bWY6ZVq/TdqikB
uR+/+XdTUiTmoheAQj17sPV9+hpmqmcRg/asrn3Y7MRmsb07M8jYghKENvpn5bxm
DUhnWTDt3zs1sFlC76FfIueF+jcFVJKbGvI9N8kfzNHrZLrWN183qSAQXdaHsQNw
/zVFu3ZzUcI5T8hJvO0f4nlJV/Ng9nTF5GTspzQrQf6v1B5QW3m3bAG+K5BLwqhf
mA0l8YFeq1q1K1IELpIEPRoDWCgovXlbwBicTbL+m3R3g+FptUNglfAUd5NjPiwe
PGdEfiCZG+4Poe1l9QEab4KAk96XBEd7wVxrC9yvfOBrGuSK3KD165iWqrn+ondj
ZVglWjbYNuhYR7PVonpu6MdyarEVUV+hjB9Xo+FQeXXz9AO37ZpYlbQVZS4dGb7L
i9Jqr4iSdrMeazFV3QpWsJV/xf29WxXXh4aD3VImluNerr0ldhrmY+dkGqEB8180
R8YC9tK0ElMoVedTp+5M2GvY5NJkx28smdy/nXthNIIgAvou+8X9vJ/NQWdUL1So
P986U6sHhHtA+8OBCTPKj9FD4GDQL39db08H/zROFdZcRbf0q1KHUKYXgeoJpmDV
JxetZlYBcy/SSf5+SdCbXmGFInF/B/2l+g7GtW4c5GiOqBKShqY=
=aW3w
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYQH8xuNLKJtyKPYoAQgWtA//axllYBPn7ePRJUnL+BL21awG04pAaOPy
rRp7Kc+yGhljKycRPkH2PwtJOZH/MrCrfpWy7aQRXe6VLX/uRA5BCtG7MpX3hgnU
fpqJ+r5fbj3qqQ4Ei+HY0NXjObmxjRfj2OupLEg9RnfvjENlCR5M0nk98pUflXDR
iqbWk1epKe9r1Ky0zC2e2McpHksYTd36EpJWrpnOziP2QudRMexd+lJg/eq6Zceu
/biJp8m9pdlrf+04dtub5JYDjujnCx8Osih/WdY1KIcXxp/9vXher6avDJq5Q4Mp
Wsmi8QSHwvcwoWaJDAEizW43YxgPjm5QWuVibP6X5DeR5eqUOpo0mV5mUwL6aLM6
zoGsd1i+wIQl3lfyZbuOr13cDqYkdaWsKi+3BAIAbEyU6Ro/ddOhUM5SrFlJFDrc
6mHUaz8rpi4bPrVpqDQXqqytghsCTNQrK0xmzeC09OG4Enn8LqGZaKiEKNiRKcld
o44VMVhIk4Gcq5VD0pCpduy6pUAYUjlMRV3brCjpS5PmIhb9L95ZUDCgw8O5BpZz
jM5Cx/1vuLCxQbvAn+SE7izPNui4Kyc/01FSpGuBlEO/2SnV0GV/Nm39tC5OLyvQ
h/l/eJh/NyoJ3vVJkBjldSOCxgDxRghNepItlP+D0jXKta4+0CmVueaOC7ZGS8HV
KTaObv+V7zk=
=Rfgc
-----END PGP SIGNATURE-----