Headline
Debian Security Advisory 5468-1
Debian Linux Security Advisory 5468-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. YeongHyeon Choi discovered that processing web content may disclose sensitive information. Narendra Bhati discovered that a website may be able to bypass the Same Origin Policy. Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese discovered that processing web content may lead to arbitrary code execution. Various other issues were also addressed.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Debian Security Advisory DSA-5468-1 [email protected]
https://www.debian.org/security/ Alberto Garcia
August 05, 2023 https://www.debian.org/security/faq
Package : webkit2gtk
CVE ID : CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594
CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600
CVE-2023-38611
The following vulnerabilities have been discovered in the WebKitGTK
web engine:
CVE-2023-38133
YeongHyeon Choi discovered that processing web content may
disclose sensitive information.
CVE-2023-38572
Narendra Bhati discovered that a website may be able to bypass the
Same Origin Policy.
CVE-2023-38592
Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco
Squarcina, and Lorenzo Veronese discovered that processing web
content may lead to arbitrary code execution.
CVE-2023-38594
Yuhao Hu discovered that processing web content may lead to
arbitrary code execution.
CVE-2023-38595
An anonymous researcher, Jiming Wang, and Jikai Ren discovered
that processing web content may lead to arbitrary code execution.
CVE-2023-38597
Junsung Lee discovered that processing web content may lead to
arbitrary code execution.
CVE-2023-38599
Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel
Genkin, and Yuval Yarom discovered that a website may be able to
track sensitive user information.
CVE-2023-38600
An anonymous researcher discovered that processing web content may
lead to arbitrary code execution.
CVE-2023-38611
Francisco Alonso discovered that processing web content may lead
to arbitrary code execution.
For the oldstable distribution (bullseye), these problems have been fixed
in version 2.40.5-1~deb11u1.
For the stable distribution (bookworm), these problems have been fixed in
version 2.40.5-1~deb12u1.
We recommend that you upgrade your webkit2gtk packages.
For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmTOj+AACgkQAAyEYu0C
2AK4hw/+IqYa65blruup8jZigzY38U60+U+yzSa1MTtV04Nfv5UUMHw/AuSDi/ap
U5Vcee/oAb8pFeaZFODPY4k6vHUSjc4iL21zG4X0nYvNL7S9KZOS8TlxLVbbDElu
VLv3La7yB++vzv64DdU/ZuRkbuqowImesSxV8PFMaeJCWzMGX1Ck4jqqOPewmOAl
EEc9sFQHavZIdsC7kYGYcJi5UDgHUdG7K1JwKmDyQ+cW4CiTHIpGshpBnOyz7Kx9
AxTMscAqkigJznjY5kzWe5koFzZY7WTGmxmy7fjepEzB/Zdbl2+FRgFl3UHrd6kj
90blbnyTT6C+/PXkMR8dbeC2y7yTWZoeyyedRu2m700IdZVR19DKCwNj2TaFXD28
GKLe7fYKusyvPx63JVmHk6p9wokInOyimn+4Ldwv6q2CUAMXOLpia9hEjljrE1nj
CNbgyJFsgJTbW069GhkABySNKeQbFd4OCZxemb6jcJsXn3pRWoK/32B8tu/srzJo
OtdcuHC2TEyQS1EzgzJ25WrvcGkgTaz0eoemcXMdvp31xqWpmJEJoQ95Q/lwskq3
5e0mOH3AabSDVioImrBNtjnDcPP7Sy8Mq70pv+qx6fQZZnnFUD7YLr8D4KcayUSP
8M6hBjOj1qAJnXb2N2Cw2YRwYhcsFXQ9d7qbC7C03bEFIsSIx0A=VbdY
-----END PGP SIGNATURE-----
Related news
Gentoo Linux Security Advisory 202401-4 - Several vulnerabilities have been found in WebKitGTK+, the worst of which can lead to remote code execution. Versions greater than or equal to 2.42.3:4 are affected.
Ubuntu Security Notice 6289-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
The issue was addressed with improvements to the file handling protocol. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to break out of its sandbox.
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, Safari 16.6. Processing web content may lead to arbitrary code execution.
The issue was addressed with improvements to the file handling protocol. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to break out of its sandbox.
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A user may be able to elevate privileges.
The issue was addressed with improvements to the file handling protocol. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to break out of its sandbox.
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, Safari 16.6. Processing web content may lead to arbitrary code execution.
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A user may be able to elevate privileges.
This issue was addressed with improved state management. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, tvOS 16.6, watchOS 9.6, macOS Ventura 13.5, iOS 15.7.8 and iPadOS 15.7.8. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, Safari 16.6. Processing web content may lead to arbitrary code execution.
The issue was addressed with improvements to the file handling protocol. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to break out of its sandbox.
This issue was addressed with improved state management. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, tvOS 16.6, watchOS 9.6, macOS Ventura 13.5, iOS 15.7.8 and iPadOS 15.7.8. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A user may be able to elevate privileges.
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, Safari 16.6. Processing web content may lead to arbitrary code execution.
This issue was addressed with improved state management. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, tvOS 16.6, watchOS 9.6, macOS Ventura 13.5, iOS 15.7.8 and iPadOS 15.7.8. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, Safari 16.6. Processing web content may lead to arbitrary code execution.
This issue was addressed with improved state management. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, tvOS 16.6, watchOS 9.6, macOS Ventura 13.5, iOS 15.7.8 and iPadOS 15.7.8. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, Safari 16.6. Processing web content may lead to arbitrary code execution.
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A user may be able to elevate privileges.
The issue was addressed with improvements to the file handling protocol. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to break out of its sandbox.
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A user may be able to elevate privileges.
The issue was addressed with improvements to the file handling protocol. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to break out of its sandbox.
The issue was addressed with improvements to the file handling protocol. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to break out of its sandbox.
The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, Safari 16.6. Processing web content may lead to arbitrary code execution.
This issue was addressed with improved state management. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, tvOS 16.6, watchOS 9.6, macOS Ventura 13.5, iOS 15.7.8 and iPadOS 15.7.8. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
This issue was addressed with improved state management. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, tvOS 16.6, watchOS 9.6, macOS Ventura 13.5, iOS 15.7.8 and iPadOS 15.7.8. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A user may be able to elevate privileges.
The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A user may be able to elevate privileges.
Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-7 - tvOS 16.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-7 - tvOS 16.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-7 - tvOS 16.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-7 - tvOS 16.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-7 - tvOS 16.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-7 - tvOS 16.6 addresses bypass, code execution, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-07-24-1 - Safari 16.6 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2023-07-24-1 - Safari 16.6 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2023-07-24-1 - Safari 16.6 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2023-07-24-1 - Safari 16.6 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2023-07-24-1 - Safari 16.6 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2023-07-24-1 - Safari 16.6 addresses bypass and code execution vulnerabilities.
Apple Security Advisory 2023-07-24-1 - Safari 16.6 addresses bypass and code execution vulnerabilities.