Headline
Debian Security Advisory 5397-1
Debian Linux Security Advisory 5397-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. An anonymous researcher discovered that a website may be able to track sensitive user information. Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Debian Security Advisory DSA-5397-1 [email protected]
https://www.debian.org/security/ Alberto Garcia
May 03, 2023 https://www.debian.org/security/faq
Package : wpewebkit
CVE ID : CVE-2022-0108 CVE-2022-32885 CVE-2023-27932 CVE-2023-27954
CVE-2023-28205
The following vulnerabilities have been discovered in the WebKitGTK
web engine:
CVE-2022-0108
Luan Herrera discovered that an HTML document may be able to
render iframes with sensitive user information.
CVE-2022-32885
P1umer and Q1IQ discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2023-27932
An anonymous researcher discovered that processing maliciously
crafted web content may bypass Same Origin Policy.
CVE-2023-27954
An anonymous researcher discovered that a website may be able to
track sensitive user information.
CVE-2023-28205
Clement Lecigne and Donncha O Cearbhaill discovered that
processing maliciously crafted web content may lead to arbitrary
code execution. Apple is aware of a report that this issue may
have been actively exploited.
For the stable distribution (bullseye), these problems have been fixed in
version 2.38.6-1~deb11u1.
We recommend that you upgrade your wpewebkit packages.
For the detailed security status of wpewebkit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wpewebkit
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmRSI8AACgkQAAyEYu0C
2AIt9A/+MrTb+Oah+n+lUC3vRyDCvuXqHCxmtmCNKPqBSghIYFyfszRk4IsQd43s
1iEHpShpn6mj2gKn7yZ/Qpyd7KKkMBHp2HFiAYlNRH6c7oD5kVY9IvW1Rb3kqcm2
fYT/kvBxCSCEkhQiLIhG4ojr36eq9GwRtGZh/OnlCx9ds0WXwukC8Y1EdhsFi0N3
v/SiEw6eciN320RvEVpvNV35ecz2DvptZYl9RcIa0CPK+az4cNgceXT78oQq5Kzi
0bkIfXoaxrxVeqvqpYxPEqX7iXoLkJCRY3em1QU9VQmoTt5N93PMduBnMQOXHnjP
MB48I6lBY2iqOvfDAdi7zbwfkcCNL7EpOy6tKMw3s0E65Fwe4bedBG/EcDsYNdih
mOcdEuoNigrXPA705x2+Aqtg/2MzB03FOVGP9SkYesJOV8hNSDW02oJ/KYxf3yw7
IufammTBTTRZ/k+udpAUA4PQI1SH6Luj+jL5Rtr2BykDZ9KfnrpCqE4wlsqsuVeP
mMFLQL4E025D0dWVxpL+tapa7e9G+SggFRv1P+F+RaP2FGcsuE0QoRLEuBV0ARds
AiQlzMibbErRJtVYAJwSPZW0I2RutA5WkJI7wQAtSWWbTbVOODe2djR84yFe42X9
Xuj7ZeffUlgril/G+goFZh/CBMXWkwzf0iw7CXF8BP5i11FKekU=
=Od4H
-----END PGP SIGNATURE-----
Related news
Red Hat Security Advisory 2024-9679-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include code execution, out of bounds read, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-9680-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include code execution, out of bounds read, and use-after-free vulnerabilities.
Red Hat Security Advisory 2024-9653-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include code execution, out of bounds read, and use-after-free vulnerabilities.
A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by
The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.
Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.40.1 are affected.
Red Hat Security Advisory 2023-2653-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.
The issue was addressed with improved checks. This issue is fixed in iOS 16.4 and iPadOS 16.4. An app may be able to unexpectedly create a bookmark on the Home Screen
This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, iOS 15.7.4 and iPadOS 15.7.4, Safari 16.4, iOS 16.4 and iPadOS 16.4. A remote user may be able to cause unexpected app termination or arbitrary code execution
A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in macOS Ventura 13.3. An app may be able to access user-sensitive data
The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.3, tvOS 16.4, watchOS 9.4, iOS 16.4 and iPadOS 16.4. An app may be able to execute arbitrary code with kernel privileges
Ubuntu Security Notice 6061-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.
Debian Linux Security Advisory 5396-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
Red Hat Security Advisory 2023-1919-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include code execution and use-after-free vulnerabilities.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-28205: A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. This vulnerability allows attackers with network access to pass specially crafted web content files, causing Denial of Service or Arbitrary Code Execution.
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-28205: A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. This vulnerability allows attackers with network access to pass specially crafted web content files, causing Denial of Service or Arbitrary Code Execution.
Apple Security Advisory 2023-04-10-1 - iOS 15.7.5 and iPadOS 15.7.5 addresses code execution, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2023-04-07-3 - Safari 16.4.1 addresses code execution and use-after-free vulnerabilities.
Apple Security Advisory 2023-04-07-2 - macOS Ventura 13.3.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.
Apple Security Advisory 2023-04-07-1 - iOS 16.4.1 and iPadOS 16.4.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.
Unpatched Macs, iPhones, and iPads open to browser takeover and system kernel-level malicious code execution, Apple warns.
A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands
Apple Security Advisory 2023-03-27-8 - Safari 16.4 addresses bypass vulnerabilities.
Apple Security Advisory 2023-03-27-8 - Safari 16.4 addresses bypass vulnerabilities.
Apple Security Advisory 2023-03-27-7 - watchOS 9.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-03-27-7 - watchOS 9.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-03-27-6 - tvOS 16.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.
Apple Security Advisory 2023-03-27-6 - tvOS 16.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.
Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.