Red Hat Security Advisory 2023-0021-01
Red Hat Security Advisory 2023-0021-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include a code execution vulnerability.
=====================================================================
Red Hat Security Advisory
Synopsis: Important: webkit2gtk3 security update
Advisory ID: RHSA-2023:0021-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:0021
Issue date: 2023-01-04
CVE Names: CVE-2022-42856
=====================================================================
- Summary:
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, ppc64le, s390x, x86_64
- Description:
WebKitGTK is the port of the portable web rendering engine WebKit to the
GTK platform.
Security Fix(es):
- webkitgtk: processing maliciously crafted web content may lead to an
arbitrary code execution (CVE-2022-42856)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2153683 - CVE-2022-42856 webkitgtk: processing maliciously crafted web content may lead to an arbitrary code execution
- Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
webkit2gtk3-2.36.7-1.el9_1.1.src.rpm
aarch64:
webkit2gtk3-2.36.7-1.el9_1.1.aarch64.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.aarch64.rpm
webkit2gtk3-devel-2.36.7-1.el9_1.1.aarch64.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm
webkit2gtk3-jsc-2.36.7-1.el9_1.1.aarch64.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.aarch64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.aarch64.rpm
ppc64le:
webkit2gtk3-2.36.7-1.el9_1.1.ppc64le.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.ppc64le.rpm
webkit2gtk3-devel-2.36.7-1.el9_1.1.ppc64le.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm
webkit2gtk3-jsc-2.36.7-1.el9_1.1.ppc64le.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.ppc64le.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.ppc64le.rpm
s390x:
webkit2gtk3-2.36.7-1.el9_1.1.s390x.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.s390x.rpm
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.s390x.rpm
webkit2gtk3-devel-2.36.7-1.el9_1.1.s390x.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.s390x.rpm
webkit2gtk3-jsc-2.36.7-1.el9_1.1.s390x.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.s390x.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.s390x.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.s390x.rpm
x86_64:
webkit2gtk3-2.36.7-1.el9_1.1.i686.rpm
webkit2gtk3-2.36.7-1.el9_1.1.x86_64.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.i686.rpm
webkit2gtk3-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.i686.rpm
webkit2gtk3-debugsource-2.36.7-1.el9_1.1.x86_64.rpm
webkit2gtk3-devel-2.36.7-1.el9_1.1.i686.rpm
webkit2gtk3-devel-2.36.7-1.el9_1.1.x86_64.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.i686.rpm
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm
webkit2gtk3-jsc-2.36.7-1.el9_1.1.i686.rpm
webkit2gtk3-jsc-2.36.7-1.el9_1.1.x86_64.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.i686.rpm
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.i686.rpm
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.1.x86_64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.i686.rpm
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.1.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
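To check whether a RHEL 9 host already carries the fixed builds listed above, the following added example (not part of the advisory or of Red Hat's tooling) implements rpm's version-comparison rules in Python and runs them over a constructed `rpm -qa 'webkit2gtk3*'` listing; it does not invoke rpm itself and assumes package strings without an epoch, as rpm prints them by default.

```python
import re

# Fixed build from this advisory's Package List (RHEL 9 AppStream).
FIXED_VERSION, FIXED_RELEASE = "2.36.7", "1.el9_1.1"
_SEG = re.compile(r"\d+|[A-Za-z]+|~")

def rpmvercmp(a, b):
    """rpm's comparison: alternating numeric/alpha segments, numeric beats alpha,
    '~' sorts before anything (even end of string), more segments means newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if "~" in (x, y):
            return -1 if x == "~" else 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):             # "01" and "1" compare equal
                return 1 if int(x) > int(y) else -1
            continue
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    rest = sa[len(sb):] if a_longer else sb[len(sa):]
    if rest[0] == "~":                       # 1.0~rc1 is older than 1.0
        return -1 if a_longer else 1
    return 1 if a_longer else -1

def is_patched(pkg):
    """True if an installed webkit2gtk3* package (rpm -q form
    'name-version-release.arch', no epoch) is at or above the fixed build."""
    name, version, rel_arch = pkg.rsplit("-", 2)
    release = rel_arch.rsplit(".", 1)[0]     # drop the .arch suffix
    if not name.startswith("webkit2gtk3"):
        raise ValueError(f"not a webkit2gtk3 package: {pkg}")
    c = rpmvercmp(version, FIXED_VERSION)
    if c == 0:
        c = rpmvercmp(release, FIXED_RELEASE)
    return c >= 0

def unpatched(rpm_qa_output):
    """Packages in `rpm -qa 'webkit2gtk3*'` output that are still below the fix."""
    return [p for p in rpm_qa_output.split() if not is_patched(p)]

# Constructed sample listing (not real host output): one package is stale.
SAMPLE = """webkit2gtk3-2.36.7-1.el9_1.1.x86_64
webkit2gtk3-jsc-2.36.7-1.el9.x86_64
webkit2gtk3-devel-2.36.7-1.el9_1.1.x86_64"""
```

Feeding real `rpm -qa 'webkit2gtk3*'` output to `unpatched()` lists the subpackages that still need this erratum; an empty list means every installed webkit2gtk3 package is at or above 2.36.7-1.el9_1.1.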
- References:
https://access.redhat.com/security/cve/CVE-2022-42856
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
RHSA-announce mailing list
rhsa-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce