Headline
RHSA-2023:1918: Red Hat Security Advisory: webkit2gtk3 security update
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-28205: A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. This vulnerability allows attackers with network access to pass specially crafted web content files, causing Denial of Service or Arbitrary Code Execution.
Issued:
2023-04-20
Updated:
2023-04-20
RHSA-2023:1918 - Security Advisory
Synopsis
Important: webkit2gtk3 security update
Type/Severity
Security Advisory: Important
Topic
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.
Security Fix(es):
- WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 9 x86_64
- Red Hat Enterprise Linux for IBM z Systems 9 s390x
- Red Hat Enterprise Linux for Power, little endian 9 ppc64le
- Red Hat Enterprise Linux for ARM 64 9 aarch64
Fixes
- BZ - 2185724 - CVE-2023-28205 WebKitGTK: use-after-free leads to arbitrary code execution
Red Hat Enterprise Linux for x86_64 9
SRPM
webkit2gtk3-2.36.7-1.el9_1.3.src.rpm
SHA-256: 317d3e2aeb2b0ca7f8c6932cb488129bf554ddef5771e263eecde7015de9825f
x86_64
webkit2gtk3-2.36.7-1.el9_1.3.i686.rpm
SHA-256: 982f40be5ffc3eba7a86db14b4a05ec6beb53bec0798bc8af672de2346ae6d32
webkit2gtk3-2.36.7-1.el9_1.3.x86_64.rpm
SHA-256: 9c06f8b929408fe1fe1a89f71cedf9df3f08240dbd72a0bd34c8f56830ddab0f
webkit2gtk3-debuginfo-2.36.7-1.el9_1.3.i686.rpm
SHA-256: 47eb688cddbaf2905ff70781d9d520d4520d1d6c55e06a9f3ac3efa25fb9c301
webkit2gtk3-debuginfo-2.36.7-1.el9_1.3.x86_64.rpm
SHA-256: 226e695f6c966e7242689460a2ae3fa56a4f75317409a1062c95c8ce31ea96cb
webkit2gtk3-debugsource-2.36.7-1.el9_1.3.i686.rpm
SHA-256: f8086987b1d6b06f53a157e0592c0b12965f0cef7c812f2375609a1a1e2e47b6
webkit2gtk3-debugsource-2.36.7-1.el9_1.3.x86_64.rpm
SHA-256: 9e14270ff49e31068bc1c941036de2668c4583b632841861eaf0d0d33e80524a
webkit2gtk3-devel-2.36.7-1.el9_1.3.i686.rpm
SHA-256: d4bdfbffeab3f617ca8e3d30664eb112bd6b0fad14502c066a249bddd9ea458e
webkit2gtk3-devel-2.36.7-1.el9_1.3.x86_64.rpm
SHA-256: 9b8642e9bb71d579e950bda2e41a20ffc7c09734c5c154f00dc04014b8c949b9
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3.i686.rpm
SHA-256: 0f120a09785905797cc4f85c56bf66aca771c7ff99b827c676e8ca3ee67b9eec
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3.x86_64.rpm
SHA-256: bb6b5aa5a13b837a73c359aa7e13b927795fc1ca5951fcd70fbffbbe6ab2d304
webkit2gtk3-jsc-2.36.7-1.el9_1.3.i686.rpm
SHA-256: 934a3604fa3040c33bf2ff7c10fa537db790c4103806b9947e3d0b530be3c55b
webkit2gtk3-jsc-2.36.7-1.el9_1.3.x86_64.rpm
SHA-256: 8aea826dab2f9c8a38a8cb098e7fb8835f9012ff8d728696c8bbe441e172f26d
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3.i686.rpm
SHA-256: b0a7e4b22fea882b9a0f6b34b0f8d426cc5be7ed345134ed13dad08311c7ec07
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3.x86_64.rpm
SHA-256: 2db43a9940b7504bbe7965278576e78598c91cc63a8b0c053819d8860a08e1ca
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3.i686.rpm
SHA-256: be25ad07416755a9d63b6af5419a3227a1e9e64daa5137df26c8fc62eae87a81
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3.x86_64.rpm
SHA-256: cc04bacdfebbe24f12323c4dc8a41833515ecfbd0624c4a695e4a2321f4c142e
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3.i686.rpm
SHA-256: 48cc605eabc14eecdf2e3d59485f5cb60d6730af6da17ed67c325eab52f803ba
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3.x86_64.rpm
SHA-256: ec7979eb2343d6c4c04153b88f00a14b048fb36ed379409215d29df625bd13b7
Red Hat Enterprise Linux for IBM z Systems 9
SRPM
webkit2gtk3-2.36.7-1.el9_1.3.src.rpm
SHA-256: 317d3e2aeb2b0ca7f8c6932cb488129bf554ddef5771e263eecde7015de9825f
s390x
webkit2gtk3-2.36.7-1.el9_1.3.s390x.rpm
SHA-256: 99f999497d67685aabe5e44805d04a79926c12e92b1230a406675ca92dc01b16
webkit2gtk3-debuginfo-2.36.7-1.el9_1.3.s390x.rpm
SHA-256: 4c22480db6668876fba182b3be5e59d9058c9736a979de1ede76b74c1afdc142
webkit2gtk3-debugsource-2.36.7-1.el9_1.3.s390x.rpm
SHA-256: 2375475b9eca0fe150275887a55bf01debcd2fb4103a7c2f9fb8b3b2d8dbdf11
webkit2gtk3-devel-2.36.7-1.el9_1.3.s390x.rpm
SHA-256: 8319a1ed92c7a6825ad6ca606c1aa097043e524a94496b4dc7459ca01451db37
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3.s390x.rpm
SHA-256: 6afdd34ca078534c4ca47621953d54f81e7cf67e493045a0cdafa65e76e07d5b
webkit2gtk3-jsc-2.36.7-1.el9_1.3.s390x.rpm
SHA-256: f46d4f2c60e75ca15b974049cdd6b1b92e9b20fe79f12fd41af5cf536e49f8f3
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3.s390x.rpm
SHA-256: ffd977a56c73740f843e1ace901fb2f2c9909eef694f56edaa8fde0d8160d4ff
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3.s390x.rpm
SHA-256: e063e141c20a4dea1b7d141375b6dd2356e1b3a4bffe85e6ce8d7c27d99535f7
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3.s390x.rpm
SHA-256: 41fed731e756c028aca979ccada7d0a0a49174415496dc694ec8d3fdf827448e
Red Hat Enterprise Linux for Power, little endian 9
SRPM
webkit2gtk3-2.36.7-1.el9_1.3.src.rpm
SHA-256: 317d3e2aeb2b0ca7f8c6932cb488129bf554ddef5771e263eecde7015de9825f
ppc64le
webkit2gtk3-2.36.7-1.el9_1.3.ppc64le.rpm
SHA-256: bcc61c4d06639126ff8ca6fd53739700ce836019b841a8b33b2cf93323afeb13
webkit2gtk3-debuginfo-2.36.7-1.el9_1.3.ppc64le.rpm
SHA-256: 41a881d1b0d3ee6ab2c0bf814544bc934b397c531a2ac688070a1a550882b993
webkit2gtk3-debugsource-2.36.7-1.el9_1.3.ppc64le.rpm
SHA-256: 031c84d272bda406e95f936cc56e74b1450b7e0801dc1b908e4c27330780062e
webkit2gtk3-devel-2.36.7-1.el9_1.3.ppc64le.rpm
SHA-256: 120ad683a51fcea0d3e296baa967cf0572155eff2a0044e07113fd669670f423
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3.ppc64le.rpm
SHA-256: 9f747de90636b32dcb429b5c6d3945dcdb435c20a448fbd983cd96b5c6057da7
webkit2gtk3-jsc-2.36.7-1.el9_1.3.ppc64le.rpm
SHA-256: 7f16ab72190c1d6ebf42a68010d0ed8b54191776877127cef433e8115a0bef41
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3.ppc64le.rpm
SHA-256: 91c970b3de16ef51de23a4d46149836d9614935c0477d49544508c7ee5372820
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3.ppc64le.rpm
SHA-256: ca0f1184ae66707d23c02c6453c6cb9c2e0f357a3f4784f34633af05e9bdc89d
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3.ppc64le.rpm
SHA-256: 90bb67672cfa85e6d868b624fd67560d23cd366bd6307cba6dfd3020582a9ac3
Red Hat Enterprise Linux for ARM 64 9
SRPM
webkit2gtk3-2.36.7-1.el9_1.3.src.rpm
SHA-256: 317d3e2aeb2b0ca7f8c6932cb488129bf554ddef5771e263eecde7015de9825f
aarch64
webkit2gtk3-2.36.7-1.el9_1.3.aarch64.rpm
SHA-256: 312ccb075bea39b0a50ec0f170fca055266854b43e82f857033dffa303bb896c
webkit2gtk3-debuginfo-2.36.7-1.el9_1.3.aarch64.rpm
SHA-256: baf590184b892415f37b59b56fe9f2abe6c70ff0e69b0c51a6ef181bbe0904da
webkit2gtk3-debugsource-2.36.7-1.el9_1.3.aarch64.rpm
SHA-256: b0015f134f04ee996e16ae9d34be443becbaa6bfbe8c8da40a21fd9d7f071d40
webkit2gtk3-devel-2.36.7-1.el9_1.3.aarch64.rpm
SHA-256: 15b433543cdb6ac8d9427fba50a71aad929041ecf08ec1d4cb14d705fee7bc8a
webkit2gtk3-devel-debuginfo-2.36.7-1.el9_1.3.aarch64.rpm
SHA-256: 28d742689328e404dc4bc76221adcd2b69d353ae23b009ee4bcbe700ee39dbb6
webkit2gtk3-jsc-2.36.7-1.el9_1.3.aarch64.rpm
SHA-256: ff15e3947e574bf15e9c61781f341d525a3939787a5dadaaaef52c49258fdfed
webkit2gtk3-jsc-debuginfo-2.36.7-1.el9_1.3.aarch64.rpm
SHA-256: 96b54fa48fe3ef72cb4af94718b97071f176b613ec52fe0d9633fed81d9e1e7c
webkit2gtk3-jsc-devel-2.36.7-1.el9_1.3.aarch64.rpm
SHA-256: 299cbcdef1641d90f6082a739781594997f7264b14bda23aad7221ee47dfef5b
webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el9_1.3.aarch64.rpm
SHA-256: 8316973353ceb5b331c4e67c2048aa4dd904ca5caeae594a7cbac893ab8258c2
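The two checks an administrator actually wants from the table above are "is the installed webkit2gtk3 at or beyond 2.36.7-1.el9_1.3?" and "does the RPM I downloaded match the advisory's SHA-256?". The following is an added example, not Red Hat's code or tooling: it ports rpm's version comparison (rpmvercmp, epoch/version/release order, `~` pre-release ordering; the rarely used `^` marker is left out), parses package filenames into name/EVR/arch, and verifies a downloaded blob against a subset of the digests listed on this page. The `rpm -q` query at the bottom assumes the package carries no epoch, which matches the filenames in the advisory; the digest table is deliberately partial and the test data is constructed, not a real RPM.

```python
import hashlib
import subprocess

# Fixed EVR for RHEL 9 from this advisory; no epoch, as the package filenames show none.
FIXED_EVR = "2.36.7-1.el9_1.3"

# SHA-256 digests copied from the advisory table above (subset, keyed by filename).
ADVISORY_SHA256 = {
    "webkit2gtk3-2.36.7-1.el9_1.3.src.rpm":
        "317d3e2aeb2b0ca7f8c6932cb488129bf554ddef5771e263eecde7015de9825f",
    "webkit2gtk3-2.36.7-1.el9_1.3.x86_64.rpm":
        "9c06f8b929408fe1fe1a89f71cedf9df3f08240dbd72a0bd34c8f56830ddab0f",
}


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): returns -1, 0 or 1. Digit runs compare numerically,
    letter runs lexically, separators are skipped, '~' sorts before anything
    (so 1.0~rc1 < 1.0). The rarely used '^' marker is not handled here."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if a_tilde != b_tilde:          # the side with '~' is the older one
                return 1 if b_tilde else -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        same = str.isdigit if isnum else str.isalpha
        ii, jj = i, j
        while ii < len(a) and same(a[ii]):
            ii += 1
        while jj < len(b) and same(b[jj]):
            jj += 1
        seg_a, seg_b = a[i:ii], b[j:jj]
        if not seg_b:                       # type mismatch: a numeric segment is newer
            return 1 if isnum else -1
        if isnum:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ii, jj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1        # leftover characters win


def parse_evr(evr):
    """'epoch:version-release' -> (epoch, version, release); epoch defaults to '0'."""
    epoch, _, rest = evr.rpartition(":")
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = release, ""
    return epoch or "0", version, release


def compare_evr(a, b):
    """Compare EVRs the way rpm does: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def is_patched(installed, fixed=FIXED_EVR):
    """True if the installed webkit2gtk3 is at or beyond this advisory's build."""
    return compare_evr(installed, fixed) >= 0


def parse_rpm_filename(filename):
    """'name-version-release.arch.rpm' -> (name, 'version-release', arch)."""
    stem, _, arch = filename.removesuffix(".rpm").rpartition(".")
    name, version, release = stem.rsplit("-", 2)
    return name, f"{version}-{release}", arch


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_download(filename, data, table=ADVISORY_SHA256):
    """True only if the file is listed in the advisory and its SHA-256 matches."""
    expected = table.get(filename)
    return expected is not None and sha256_hex(data) == expected


def installed_evr(package="webkit2gtk3"):
    """Installed version-release via rpm (epoch assumed 0); None if absent."""
    try:
        out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", package],
                             capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    evr = installed_evr()
    if evr is None:
        print("webkit2gtk3 is not installed (or rpm is unavailable)")
    else:
        state = "patched" if is_patched(evr) else "still affected by CVE-2023-28205"
        print(f"webkit2gtk3 {evr}: {state}")
```

Run it on a RHEL 9 host to get a one-line patched/affected verdict; for fleet-wide checks, feed `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output through `is_patched` instead of shelling out per host. A plain string comparison would get `1.el9_1.10` versus `1.el9_1.3` wrong, which is why the numeric-segment logic is ported rather than approximated.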
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.