Lucene search

DebianDEBIAN:DLA-3419-1:8716D

HistoryMay 12, 2023 - 9:29 a.m.

[SECURITY] [DLA 3419-1] webkit2gtk security update

2023-05-1209:29:09

lists.debian.org

cve-2023-27932

version 2.38.6-0+deb10u1

html document

unix

arbitrary code execution

debian

sensitive user information

security tracker

vulnerabilities

same origin policy

lts

cve-2023-28205

cve-2022-0108

cve-2023-27954

advisory

debian 10 buster

security update

cve-2022-32885

webkit2gtk

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

80.2%

JSON

Debian LTS Advisory DLA-3419-1 [email protected]
https://www.debian.org/lts/security/ Emilio Pozuelo Monfort
May 12, 2023 https://wiki.debian.org/LTS

Package : webkit2gtk
Version : 2.38.6-0+deb10u1
CVE ID : CVE-2022-0108 CVE-2022-32885 CVE-2023-27932 CVE-2023-27954
CVE-2023-28205

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2022-0108

Luan Herrera discovered that an HTML document may be able to
render iframes with sensitive user information.

CVE-2022-32885

P1umer and Q1IQ discovered that processing maliciously crafted web
content may lead to arbitrary code execution.

CVE-2023-27932

An anonymous researcher discovered that processing maliciously
crafted web content may bypass Same Origin Policy.

CVE-2023-27954

An anonymous researcher discovered that a website may be able to
track sensitive user information.

CVE-2023-28205

Clement Lecigne and Donncha O Cearbhaill discovered that
processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may
have been actively exploited.

For Debian 10 buster, these problems have been fixed in version
2.38.6-0+deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian10amd64libjavascriptcoregtk-4.0-bin< 2.38.6-0+deb10u1libjavascriptcoregtk-4.0-bin_2.38.6-0+deb10u1_amd64.deb
Debian10i386webkit2gtk-driver< 2.38.6-0+deb10u1webkit2gtk-driver_2.38.6-0+deb10u1_i386.deb
Debian11armhfwebkit2gtk-driver< 2.40.1-1~deb11u1webkit2gtk-driver_2.40.1-1~deb11u1_armhf.deb
Debian11mipsellibwpewebkit-1.0-3-dbgsym< 2.38.6-1~deb11u1libwpewebkit-1.0-3-dbgsym_2.38.6-1~deb11u1_mipsel.deb
Debian11mipsellibjavascriptcoregtk-4.0-bin< 2.40.1-1~deb11u1libjavascriptcoregtk-4.0-bin_2.40.1-1~deb11u1_mipsel.deb
Debian11i386libwebkit2gtk-4.0-37-dbgsym< 2.40.1-1~deb11u1libwebkit2gtk-4.0-37-dbgsym_2.40.1-1~deb11u1_i386.deb
Debian11mipsellibwebkit2gtk-4.0-37-dbgsym< 2.40.1-1~deb11u1libwebkit2gtk-4.0-37-dbgsym_2.40.1-1~deb11u1_mipsel.deb
Debian11amd64gir1.2-webkit2-4.0< 2.40.1-1~deb11u1gir1.2-webkit2-4.0_2.40.1-1~deb11u1_amd64.deb
Debian10alllibwebkit2gtk-4.0-doc< 2.38.6-0+deb10u1libwebkit2gtk-4.0-doc_2.38.6-0+deb10u1_all.deb
Debian11mipselwpewebkit-driver-dbgsym< 2.38.6-1~deb11u1wpewebkit-driver-dbgsym_2.38.6-1~deb11u1_mipsel.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	amd64	libjavascriptcoregtk-4.0-bin	< 2.38.6-0+deb10u1	libjavascriptcoregtk-4.0-bin_2.38.6-0+deb10u1_amd64.deb
Debian	10	i386	webkit2gtk-driver	< 2.38.6-0+deb10u1	webkit2gtk-driver_2.38.6-0+deb10u1_i386.deb
Debian	11	armhf	webkit2gtk-driver	< 2.40.1-1~deb11u1	webkit2gtk-driver_2.40.1-1~deb11u1_armhf.deb
Debian	11	mipsel	libwpewebkit-1.0-3-dbgsym	< 2.38.6-1~deb11u1	libwpewebkit-1.0-3-dbgsym_2.38.6-1~deb11u1_mipsel.deb
Debian	11	mipsel	libjavascriptcoregtk-4.0-bin	< 2.40.1-1~deb11u1	libjavascriptcoregtk-4.0-bin_2.40.1-1~deb11u1_mipsel.deb
Debian	11	i386	libwebkit2gtk-4.0-37-dbgsym	< 2.40.1-1~deb11u1	libwebkit2gtk-4.0-37-dbgsym_2.40.1-1~deb11u1_i386.deb
Debian	11	mipsel	libwebkit2gtk-4.0-37-dbgsym	< 2.40.1-1~deb11u1	libwebkit2gtk-4.0-37-dbgsym_2.40.1-1~deb11u1_mipsel.deb
Debian	11	amd64	gir1.2-webkit2-4.0	< 2.40.1-1~deb11u1	gir1.2-webkit2-4.0_2.40.1-1~deb11u1_amd64.deb
Debian	10	all	libwebkit2gtk-4.0-doc	< 2.38.6-0+deb10u1	libwebkit2gtk-4.0-doc_2.38.6-0+deb10u1_all.deb
Debian	11	mipsel	wpewebkit-driver-dbgsym	< 2.38.6-1~deb11u1	wpewebkit-driver-dbgsym_2.38.6-1~deb11u1_mipsel.deb