RHSA-2023:1919: Red Hat Security Advisory: webkit2gtk3 security update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:

  • CVE-2023-28205: A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. This vulnerability allows attackers with network access to pass specially crafted web content files, causing Denial of Service or Arbitrary Code Execution.


Issued:

2023-04-20

Updated:

2023-04-20

RHSA-2023:1919 - Security Advisory


Synopsis

Important: webkit2gtk3 security update

Type/Severity

Security Advisory: Important


Topic

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

  • WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Affected Products

  • Red Hat Enterprise Linux for x86_64 8 x86_64
  • Red Hat Enterprise Linux for IBM z Systems 8 s390x
  • Red Hat Enterprise Linux for Power, little endian 8 ppc64le
  • Red Hat Enterprise Linux for ARM 64 8 aarch64

Fixes

  • BZ - 2185724 - CVE-2023-28205 WebKitGTK: use-after-free leads to arbitrary code execution

Updated Packages

All four product variants are built from the same source package, webkit2gtk3-2.36.7-1.el8_7.3.src.rpm.

Red Hat Enterprise Linux for x86_64 8 (x86_64; every binary package below is shipped as both an .i686.rpm and an .x86_64.rpm)

  • webkit2gtk3-2.36.7-1.el8_7.3
  • webkit2gtk3-debuginfo-2.36.7-1.el8_7.3
  • webkit2gtk3-debugsource-2.36.7-1.el8_7.3
  • webkit2gtk3-devel-2.36.7-1.el8_7.3
  • webkit2gtk3-devel-debuginfo-2.36.7-1.el8_7.3
  • webkit2gtk3-jsc-2.36.7-1.el8_7.3
  • webkit2gtk3-jsc-debuginfo-2.36.7-1.el8_7.3
  • webkit2gtk3-jsc-devel-2.36.7-1.el8_7.3
  • webkit2gtk3-jsc-devel-debuginfo-2.36.7-1.el8_7.3

Red Hat Enterprise Linux for IBM z Systems 8 (s390x), Red Hat Enterprise Linux for Power, little endian 8 (ppc64le) and Red Hat Enterprise Linux for ARM 64 8 (aarch64) ship the same nine packages at the same version-release, as .s390x.rpm, .ppc64le.rpm and .aarch64.rpm respectively.
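To find hosts still running a pre-fix build, the installed webkit2gtk3 EVR has to be compared with the fixed one the package list gives (2.36.7-1.el8_7.3). The Python below is an added example, not Red Hat tooling: it reimplements rpm's segment-wise version comparison, including the tilde rule for pre-release tags (the caret rule is left out), and runs it over a constructed rpm -qa sample; the function names are my own.

```python
import re
# Fixed version and release come from the advisory's package list (the package has no epoch).
FIXED_VERSION, FIXED_RELEASE = "2.36.7", "1.el8_7.3"
PKG = "webkit2gtk3"  # every subpackage the advisory ships is named webkit2gtk3 or webkit2gtk3-*
SAMPLE_RPM_QA = """\
webkit2gtk3-2.36.7-1.el8_7.2.x86_64
webkit2gtk3-jsc-2.36.7-1.el8_7.2.x86_64
webkit2gtk3-devel-2.36.7-1.el8_7.3.x86_64
gtk3-3.22.30-8.el8.x86_64
"""  # constructed sample of `rpm -qa` output, not captured from a real host

# Modelled on rpm's rpmvercmp(): numeric segments compare as integers, alphabetic ones
# lexically, numeric beats alphabetic, and '~' sorts before anything, even end of string.
def rpmvercmp(a, b):
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):  # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta != tb:
            return 1 if tb else -1  # the side carrying the tilde is the older one
        if ta:  # both sides have a tilde: consume it and carry on
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        isnum = a[i].isdigit()
        pat = r"\d+" if isnum else r"[A-Za-z]+"
        sa = re.match(pat, a[i:]).group(0)
        sb = m.group(0) if (m := re.match(pat, b[j:])) else ""
        i, j = i + len(sa), j + len(sb)
        if not sb:  # segment types differ: numeric is newer than alphabetic
            return 1 if isnum else -1
        key = int if isnum else str
        if key(sa) != key(sb):
            return 1 if key(sa) > key(sb) else -1
    return 0 if i >= len(a) and j >= len(b) else (1 if j >= len(b) else -1)

def parse_nvra(nvra):  # 'name-version-release.arch' -> (name, version, release, arch)
    nvr, _, arch = nvra.rpartition(".")
    name_ver, _, release = nvr.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    return name, version, release, arch

def is_affected(nvra):  # shipped by this advisory and older than the fixed EVR?
    name, ver, rel, _ = parse_nvra(nvra)
    if name != PKG and not name.startswith(PKG + "-"):
        return False
    c = rpmvercmp(ver, FIXED_VERSION)
    return c < 0 or (c == 0 and rpmvercmp(rel, FIXED_RELEASE) < 0)

def affected_packages(rpm_qa_output):
    return [line for line in rpm_qa_output.splitlines() if line and is_affected(line)]
```

On a real host feed it the output of `rpm -qa 'webkit2gtk3*'`; every line it returns is a build older than the one this advisory ships.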

The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.

Related news

Global Coalition and Tech Giants Unite Against Commercial Spyware Abuse

A coalition of dozens of countries, including France, the U.K., and the U.S., along with tech companies such as Google, MDSec, Meta, and Microsoft, have signed a joint agreement to curb the abuse of commercial spyware to commit human rights abuses. The initiative, dubbed the Pall Mall Process, aims to tackle the proliferation and irresponsible use of commercial cyber intrusion tools by

Zero-Day Alert: Apple Releases Patches for Actively Exploited Flaws in iOS, macOS, and Safari

Apple on Wednesday released a slew of updates for iOS, iPadOS, macOS, watchOS, and Safari browser to address a set of flaws it said were actively exploited in the wild. This includes a pair of zero-days that have been weaponized in a mobile surveillance campaign called Operation Triangulation that has been active since 2019. The exact threat actor behind the campaign is not known.

Gentoo Linux Security Advisory 202305-32

Gentoo Linux Security Advisory 202305-32 - Multiple vulnerabilities have been found in WebkitGTK+, the worst of which could result in arbitrary code execution. Versions greater than or equal to 2.40.1 are affected.

WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day Vulnerabilities

Apple on Thursday rolled out security updates to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws that it said are being actively exploited in the wild. The three security shortcomings are listed below - CVE-2023-32409 - A WebKit flaw that could be exploited by a malicious actor to break out of the Web Content sandbox. It was addressed with

Red Hat Security Advisory 2023-2653-01

Red Hat Security Advisory 2023-2653-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Debian Security Advisory 5397-1

Debian Linux Security Advisory 5397-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. An anonymous researcher discovered that a website may be able to track sensitive user information. Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Debian Security Advisory 5396-1

Debian Linux Security Advisory 5396-1 - Vulnerabilities have been discovered in the WebKitGTK web engine. Luan Herrera discovered that an HTML document may be able to render iframes with sensitive user information. P1umer and Q1IQ discovered that processing maliciously crafted web content may lead to arbitrary code execution. An anonymous researcher discovered that processing maliciously crafted web content may bypass Same Origin Policy. Clement Lecigne and Donncha O Cearbhaill discovered that processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Red Hat Security Advisory 2023-1919-01

Red Hat Security Advisory 2023-1919-01 - WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform. Issues addressed include code execution and use-after-free vulnerabilities.

RHSA-2023:1918: Red Hat Security Advisory: webkit2gtk3 security update

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-28205: A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. This vulnerability allows attackers with network access to pass specially crafted web content files, causing Denial of Service or Arbitrary Code Execution.

Apple Security Advisory 2023-04-10-1

Apple Security Advisory 2023-04-10-1 - iOS 15.7.5 and iPadOS 15.7.5 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

Apple Security Advisory 2023-04-07-3

Apple Security Advisory 2023-04-07-3 - Safari 16.4.1 addresses code execution and use-after-free vulnerabilities.

Apple Security Advisory 2023-04-07-2

Apple Security Advisory 2023-04-07-2 - macOS Ventura 13.3.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

Apple Security Advisory 2023-04-07-1

Apple Security Advisory 2023-04-07-1 - iOS 16.4.1 and iPadOS 16.4.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

Apple releases emergency updates for two known-to-be-exploited vulnerabilities

Categories: Apple; Exploits and vulnerabilities; News. Tags: iOS 16.4.1, iPadOS 16.4.1, macOS 13.3.1, CVE-2023-28206, CVE-2023-28205, use-after-free, out-of-bounds write, IOSurfaceAccelerator. Apple has released iOS 16.4.1, iPadOS 16.4.1, and macOS 13.3.1 for the iPhone, iPad, and Mac, respectively, and our advice is to install them as soon as possible. (Source: Malwarebytes Labs.)

Pair of Apple Zero-Days Under Active Exploit; Patch & Update Accordingly

Unpatched Macs, iPhones, and iPads open to browser takeover and system kernel-level malicious code execution, Apple warns.

CVE-2023-28205: About the security content of Safari 16.4.1

A use after free issue was addressed with improved memory management. This issue is fixed in iOS 15.7.5 and iPadOS 15.7.5, Safari 16.4.1, iOS 16.4.1 and iPadOS 16.4.1, macOS Ventura 13.3.1. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

CISA Warns of 5 Actively Exploited Security Flaws: Urgent Action Required

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added five security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. This includes three high-severity flaws in the Veritas Backup Exec Agent software (CVE-2021-27876, CVE-2021-27877, and CVE-2021-27878) that could lead to the execution of privileged commands

Apple Releases Updates to Address Zero-Day Flaws in iOS, iPadOS, macOS, and Safari

Apple on Friday released security updates for iOS, iPadOS, macOS, and Safari web browser to address a pair of zero-day flaws that are being exploited in the wild. The two vulnerabilities are as follows - CVE-2023-28205 - A use after free issue in WebKit that could lead to arbitrary code execution when processing specially crafted web content. CVE-2023-28206 - An out-of-bounds write issue in