Headline
Red Hat Security Advisory 2023-4202-01
Red Hat Security Advisory 2023-4202-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: webkit2gtk3 security update
Advisory ID: RHSA-2023:4202-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4202
Issue date: 2023-07-18
CVE Names: CVE-2023-32435 CVE-2023-32439
=====================================================================
- Summary:
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64
- Description:
WebKitGTK is the port of the portable web rendering engine WebKit to the
GTK platform.
Security Fix(es):
webkitgtk: memory corruption issue leading to arbitrary code execution
(CVE-2023-32435)webkitgtk: type confusion issue leading to arbitrary code execution
(CVE-2023-32439)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2218626 - CVE-2023-32435 webkitgtk: memory corruption issue leading to arbitrary code execution
2218640 - CVE-2023-32439 webkitgtk: type confusion issue leading to arbitrary code execution
- Package List:
Red Hat Enterprise Linux AppStream (v. 8):
Source:
webkit2gtk3-2.38.5-1.el8_8.5.src.rpm
aarch64:
webkit2gtk3-2.38.5-1.el8_8.5.aarch64.rpm
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.aarch64.rpm
webkit2gtk3-devel-2.38.5-1.el8_8.5.aarch64.rpm
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm
webkit2gtk3-jsc-2.38.5-1.el8_8.5.aarch64.rpm
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.aarch64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.aarch64.rpm
ppc64le:
webkit2gtk3-2.38.5-1.el8_8.5.ppc64le.rpm
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.ppc64le.rpm
webkit2gtk3-devel-2.38.5-1.el8_8.5.ppc64le.rpm
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm
webkit2gtk3-jsc-2.38.5-1.el8_8.5.ppc64le.rpm
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.ppc64le.rpm
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.ppc64le.rpm
s390x:
webkit2gtk3-2.38.5-1.el8_8.5.s390x.rpm
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.s390x.rpm
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.s390x.rpm
webkit2gtk3-devel-2.38.5-1.el8_8.5.s390x.rpm
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.s390x.rpm
webkit2gtk3-jsc-2.38.5-1.el8_8.5.s390x.rpm
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.s390x.rpm
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.s390x.rpm
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.s390x.rpm
x86_64:
webkit2gtk3-2.38.5-1.el8_8.5.i686.rpm
webkit2gtk3-2.38.5-1.el8_8.5.x86_64.rpm
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.i686.rpm
webkit2gtk3-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.i686.rpm
webkit2gtk3-debugsource-2.38.5-1.el8_8.5.x86_64.rpm
webkit2gtk3-devel-2.38.5-1.el8_8.5.i686.rpm
webkit2gtk3-devel-2.38.5-1.el8_8.5.x86_64.rpm
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.i686.rpm
webkit2gtk3-devel-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm
webkit2gtk3-jsc-2.38.5-1.el8_8.5.i686.rpm
webkit2gtk3-jsc-2.38.5-1.el8_8.5.x86_64.rpm
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.i686.rpm
webkit2gtk3-jsc-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.i686.rpm
webkit2gtk3-jsc-devel-2.38.5-1.el8_8.5.x86_64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.i686.rpm
webkit2gtk3-jsc-devel-debuginfo-2.38.5-1.el8_8.5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2023-32435
https://access.redhat.com/security/cve/CVE-2023-32439
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCAAGBQJktsBfAAoJENzjgjWX9erEVxoP/36PunYG/abTGPhTbzDfc4Gr
TWe+1YZ0Bumn74sUuOk8Fk//CMm1W5NXMCZFK+grCQ5wNvJbQEpYQMU9Xz8kcpju
Gv64wyRnXbYPCK2EgHKKHzMTNO0dK5rG1EQAQDZ/B+rdR9eX+7+oq+Mk4PsluHjc
lmlixilcWV1j1GX3LqebpK3bT9kyGUdIzJ0M1r3Om9jPiyzbXQF508IPX/ZDJRzr
AhMQ0dbMEgI7tLrXa+1il0VAlO47wpowlptaQafUXdZq1CqROOUaZDyTfP/8EoaJ
Vmb6+FWx80cr+TNz644yAu4UpGnU4ajFWGrmQ7KCl9yTEVlEosGFtMpeeg0hCMvx
VVki9nOPCtWsFKjuGmoLWVnUoeArkC4jkBw625Vp3JbgYhDyAtu2vnUig2gEXr5z
pHgYxJz685dxo6y7Np+qxIozEuQxn1WlzBoUA+bha5GpgLuj8SHrMLsEqq3bnDbI
5HMxutilgJIBHepvCUHsF6hn/MiSzhe0xKa7Vr6iJ58tBAW9thmKtLEV00rbXA+t
5wMnEZkqEO/ACBuAgXiIllPgY58BXMnX7g4Ua9QwXLGVuRog3UrsBkuKUtAegUoS
eTqth5pj2G+f1GeEAeUhN75o7xfdnCcyfdOXNWlnrJkMje7YWo3ApGBCQrRMHs28
o5CVaCkiRISWgqNqTP2a
=C5ZF
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Gentoo Linux Security Advisory 202401-4 - Several vulnerabilities have been found in WebKitGTK+, the worst of which can lead to remote code execution. Versions greater than or equal to 2.42.3:4 are affected.
By Deeba Ahmed Triangulation of Terror: Inside the Most Sophisticated iPhone Spyware Campaign Ever Seen. This is a post from HackRead.com Read the original post: iPhone Spyware Exploits Obscure Chip Feature, Targets Researchers
The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company. Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as
The TriangleDB implant used to target Apple iOS devices packs in at least four different modules to record microphone, extract iCloud Keychain, steal data from SQLite databases used by various apps, and estimate the victim's location. The findings come from Kaspersky, which detailed the great lengths the adversary behind the campaign, dubbed Operation Triangulation, went to conceal and cover up
Ubuntu Security Notice 6264-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Apple has rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and Safari to address several security vulnerabilities, including one actively exploited zero-day bug in the wild. Tracked as CVE-2023-38606, the shortcoming resides in the kernel and permits a malicious app to modify sensitive kernel state potentially. The company said it was addressed with improved state management. "
Red Hat Security Advisory 2023-4201-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2023-4201-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32435: A vulnerability was found in webkitgtk. This issue occurs when processing web content, which may lead to arbitrary code execution. * CVE-2023-32439: A vulnerability was found in webkitgtk. This issue occurs when processing maliciously crafted web content, which may lead to arbitrary code execution.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-32435: A vulnerability was found in webkitgtk. This issue occurs when processing web content, which may lead to arbitrary code execution. * CVE-2023-32439: A vulnerability was found in webkitgtk. This issue occurs when processing maliciously crafted web content, which may lead to arbitrary code execution.
Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.
Plus: Microsoft fixes 78 vulnerabilities, VMWare plugs a flaw already used in attacks, and more critical updates from June.
Apple's emergency patch, AI-generated art and more security headlines from the past week.
The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel
The U.S. Cybersecurity and Infrastructure Security Agency has added a batch of six flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This comprises three vulnerabilities that Apple patched this week (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439), two flaws in VMware (CVE-2023-20867 and CVE-2023-20887), and one shortcoming impacting Zyxel
A type confusion issue was addressed with improved checks. This issue is fixed in iOS 16.5.1 and iPadOS 16.5.1, Safari 16.5.1, macOS Ventura 13.4.1, iOS 15.7.7 and iPadOS 15.7.7. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
The zero-day security bugs are being used to deploy the sophisticated but "odd" TriangleDB spying implant on targeted iOS devices.
Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is not known.
Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is not known.
Categories: Apple Categories: Exploits and vulnerabilities Categories: News Tags: Apple Tags: kernel webkit Tags: CVE-2023-32434 Tags: CVE-2023-32435 Tags: CVE-2023-32439 Tags: type confusion Tags: integer overflow Tags: operation triangulation Apple has released security updates for several products to address a set of flaws it said were being actively exploited. (Read more...) The post Update now! Apple fixes three actively exploited vulnerabilities appeared first on Malwarebytes Labs.
Categories: Apple Categories: Exploits and vulnerabilities Categories: News Tags: Apple Tags: kernel webkit Tags: CVE-2023-32434 Tags: CVE-2023-32435 Tags: CVE-2023-32439 Tags: type confusion Tags: integer overflow Tags: operation triangulation Apple has released security updates for several products to address a set of flaws it said were being actively exploited. (Read more...) The post Update now! Apple fixes three actively exploited vulnerabilities appeared first on Malwarebytes Labs.