Security
Headlines
HeadlinesLatestCVEs

Headline

Debian Security Advisory 5397-1

Debian Linux Security Advisory 5397-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. An anonymous researcher discovered that a website may be able to track sensitive user information. Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Packet Storm
#vulnerability#web#apple#linux#debian#webkit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


Debian Security Advisory DSA-5397-1 [email protected]
https://www.debian.org/security/ Alberto Garcia
May 03, 2023 https://www.debian.org/security/faq


Package : wpewebkit
CVE ID : CVE-2022-0108 CVE-2022-32885 CVE-2023-27932 CVE-2023-27954
CVE-2023-28205

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2022-0108

Luan Herrera discovered that an HTML document may be able to  
render iframes with sensitive user information.

CVE-2022-32885

P1umer and Q1IQ discovered that processing maliciously crafted web  
content may lead to arbitrary code execution.

CVE-2023-27932

An anonymous researcher discovered that processing maliciously  
crafted web content may bypass Same Origin Policy.

CVE-2023-27954

An anonymous researcher discovered that a website may be able to  
track sensitive user information.

CVE-2023-28205

Clement Lecigne and Donncha O Cearbhaill discovered that  
processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may  
have been actively exploited.

For the stable distribution (bullseye), these problems have been fixed in
version 2.38.6-1~deb11u1.

We recommend that you upgrade your wpewebkit packages.

For the detailed security status of wpewebkit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wpewebkit

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: [email protected]
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmRSI8AACgkQAAyEYu0C
2AIt9A/+MrTb+Oah+n+lUC3vRyDCvuXqHCxmtmCNKPqBSghIYFyfszRk4IsQd43s
1iEHpShpn6mj2gKn7yZ/Qpyd7KKkMBHp2HFiAYlNRH6c7oD5kVY9IvW1Rb3kqcm2
fYT/kvBxCSCEkhQiLIhG4ojr36eq9GwRtGZh/OnlCx9ds0WXwukC8Y1EdhsFi0N3
v/SiEw6eciN320RvEVpvNV35ecz2DvptZYl9RcIa0CPK+az4cNgceXT78oQq5Kzi
0bkIfXoaxrxVeqvqpYxPEqX7iXoLkJCRY3em1QU9VQmoTt5N93PMduBnMQOXHnjP
MB48I6lBY2iqOvfDAdi7zbwfkcCNL7EpOy6tKMw3s0E65Fwe4bedBG/EcDsYNdih
mOcdEuoNigrXPA705x2+Aqtg/2MzB03FOVGP9SkYesJOV8hNSDW02oJ/KYxf3yw7
IufammTBTTRZ/k+udpAUA4PQI1SH6Luj+jL5Rtr2BykDZ9KfnrpCqE4wlsqsuVeP
mMFLQL4E025D0dWVxpL+tapa7e9G+SggFRv1P+F+RaP2FGcsuE0QoRLEuBV0ARds
AiQlzMibbErRJtVYAJwSPZW0I2RutA5WkJI7wQAtSWWbTbVOODe2djR84yFe42X9
Xuj7ZeffUlgril/G+goFZh/CBMXWkwzf0iw7CXF8BP5i11FKekU=
=Od4H
-----END PGP SIGNATURE-----

Related news

Red Hat Security Advisory 2024-9680-03

Red Hat Security Advisory 2024-9680-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include code execution, out of bounds read, and use-after-free vulnerabilities.

Red Hat Security Advisory 2024-9653-03

Red Hat Security Advisory 2024-9653-03 - An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include code execution, out of bounds read, and use-after-free vulnerabilities.

Global Coalition and Tech Giants Unite Against Commercial Spyware Abuse

A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by

Google Patches Another Chrome Zero-Day as Browser Attacks Mount

The vulnerability is among a rapidly growing number of zero-day bugs that major browser vendors have reported recently.

Gentoo Linux Security Advisory 202305-32

Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.40.1 are affected.

Red Hat Security Advisory 2023-2653-01

Red Hat Security Advisory 2023-2653-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

CVE-2023-28181: About the security content of tvOS 16.4

The issue was addressed with improved memory handling. This issue is fixed in macOS Ventura 13.3, tvOS 16.4, watchOS 9.4, iOS 16.4 and iPadOS 16.4. An app may be able to execute arbitrary code with kernel privileges

CVE-2023-28190: About the security content of macOS Ventura 13.3

A privacy issue was addressed by moving sensitive data to a more secure location. This issue is fixed in macOS Ventura 13.3. An app may be able to access user-sensitive data

CVE-2023-28194: About the security content of iOS 16.4 and iPadOS 16.4

The issue was addressed with improved checks. This issue is fixed in iOS 16.4 and iPadOS 16.4. An app may be able to unexpectedly create a bookmark on the Home Screen

CVE-2023-28201: About the security content of iOS 15.7.4 and iPadOS 15.7.4

This issue was addressed with improved state management. This issue is fixed in macOS Ventura 13.3, iOS 15.7.4 and iPadOS 15.7.4, Safari 16.4, iOS 16.4 and iPadOS 16.4. A remote user may be able to cause unexpected app termination or arbitrary code execution

Ubuntu Security Notice USN-6061-1

Ubuntu Security Notice 6061-1 - Several security issues were discovered in the WebKitGTK Web and JavaScript engines. If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution.

Debian Security Advisory 5396-1

Debian Linux Security Advisory 5396-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Red Hat Security Advisory 2023-1919-01

Red Hat Security Advisory 2023-1919-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include code execution and use-after-free vulnerabilities.

RHSA-2023:1919: Red Hat Security Advisory: webkit2gtk3 security update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-28205: A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. This vulnerability allows attackers with network access to pass specially crafted web content files, causing Denial of Service or Arbitrary Code Execution.

RHSA-2023:1918: Red Hat Security Advisory: webkit2gtk3 security update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-28205: A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. This vulnerability allows attackers with network access to pass specially crafted web content files, causing Denial of Service or Arbitrary Code Execution.

Apple Security Advisory 2023-04-10-1

Apple Security Advisory 2023-04-10-1 - iOS 15.7.5 and iPadOS 15.7.5 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

Apple Security Advisory 2023-04-07-3

Apple Security Advisory 2023-04-07-3 - Safari 16.4.1 addresses code execution and use-after-free vulnerabilities.

Apple Security Advisory 2023-04-07-2

Apple Security Advisory 2023-04-07-2 - macOS Ventura 13.3.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

Apple Security Advisory 2023-04-07-1

Apple Security Advisory 2023-04-07-1 - iOS 16.4.1 and iPadOS 16.4.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

Pair of Apple Zero-Days Under Active Exploit; Patch & Update Accordingly

Unpatched Macs, iPhones, and iPads open to browser takeover and system kernel-level malicious code execution, Apple warns.

CVE-2023-28205: About the security content of Safari 16.4.1

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands

Apple Security Advisory 2023-03-27-8

Apple Security Advisory 2023-03-27-8 - Safari 16.4 addresses bypass vulnerabilities.

Apple Security Advisory 2023-03-27-8

Apple Security Advisory 2023-03-27-8 - Safari 16.4 addresses bypass vulnerabilities.

Apple Security Advisory 2023-03-27-7

Apple Security Advisory 2023-03-27-7 - watchOS 9.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.

Apple Security Advisory 2023-03-27-7

Apple Security Advisory 2023-03-27-7 - watchOS 9.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.

Apple Security Advisory 2023-03-27-6

Apple Security Advisory 2023-03-27-6 - tvOS 16.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.

Apple Security Advisory 2023-03-27-6

Apple Security Advisory 2023-03-27-6 - tvOS 16.4 addresses bypass, code execution, integer overflow, out of bounds read, and use-after-free vulnerabilities.

CVE-2022-0108

Inappropriate implementation in Navigation in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

Packet Storm: Latest News

Zeek 6.0.9