RHSA-2023:1919: Red Hat Security Advisory: webkit2gtk3 security update
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
- CVE-2023-28205: A flaw was found in the webkitgtk package. An improper input validation issue may lead to a use-after-free vulnerability. A remote attacker who can deliver specially crafted web content to a vulnerable application could cause a denial of service or arbitrary code execution.
Issued: 2023-04-20
Updated: 2023-04-20
Synopsis: Important: webkit2gtk3 security update
Type/Severity: Security Advisory: Important
Description
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.
Security Fix(es):
- WebKitGTK: use-after-free leads to arbitrary code execution (CVE-2023-28205)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2185724 - CVE-2023-28205 WebKitGTK: use-after-free leads to arbitrary code execution
Updated Packages (every build in this advisory is webkit2gtk3-2.36.7-1.el8_7.3)
Red Hat Enterprise Linux for x86_64 8
- SRPM: webkit2gtk3-2.36.7-1.el8_7.3.src.rpm
- i686 and x86_64: webkit2gtk3, webkit2gtk3-debuginfo, webkit2gtk3-debugsource, webkit2gtk3-devel, webkit2gtk3-devel-debuginfo, webkit2gtk3-jsc, webkit2gtk3-jsc-debuginfo, webkit2gtk3-jsc-devel, webkit2gtk3-jsc-devel-debuginfo
Red Hat Enterprise Linux for IBM z Systems 8
- SRPM: webkit2gtk3-2.36.7-1.el8_7.3.src.rpm
- s390x: webkit2gtk3, webkit2gtk3-debuginfo, webkit2gtk3-debugsource, webkit2gtk3-devel, webkit2gtk3-devel-debuginfo, webkit2gtk3-jsc, webkit2gtk3-jsc-debuginfo, webkit2gtk3-jsc-devel, webkit2gtk3-jsc-devel-debuginfo
Red Hat Enterprise Linux for Power, little endian 8
- SRPM: webkit2gtk3-2.36.7-1.el8_7.3.src.rpm
- ppc64le: webkit2gtk3, webkit2gtk3-debuginfo, webkit2gtk3-debugsource, webkit2gtk3-devel, webkit2gtk3-devel-debuginfo, webkit2gtk3-jsc, webkit2gtk3-jsc-debuginfo, webkit2gtk3-jsc-devel, webkit2gtk3-jsc-devel-debuginfo
Red Hat Enterprise Linux for ARM 64 8
- SRPM: webkit2gtk3-2.36.7-1.el8_7.3.src.rpm
- aarch64: webkit2gtk3, webkit2gtk3-debuginfo, webkit2gtk3-debugsource, webkit2gtk3-devel, webkit2gtk3-devel-debuginfo, webkit2gtk3-jsc, webkit2gtk3-jsc-debuginfo, webkit2gtk3-jsc-devel, webkit2gtk3-jsc-devel-debuginfo
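Deciding whether a RHEL 8 host still carries a build older than the fixed webkit2gtk3-2.36.7-1.el8_7.3 requires RPM version ordering, not a string compare (1.el8_7.10 is newer than 1.el8_7.3). The following is an added example, not Red Hat's tooling: it reimplements rpm's rpmvercmp ordering in Python and runs it over a constructed `rpm -qa` listing (the sample packages and their releases are made up for illustration).

```python
import re

FIXED_VR = "2.36.7-1.el8_7.3"  # fixed build from RHSA-2023:1919, same on every listed arch
# Constructed `rpm -qa` output (not a real host): two subpackages lag, one is already fixed.
SAMPLE_RPM_QA = """\
webkit2gtk3-2.36.7-1.el8_7.2.x86_64
webkit2gtk3-jsc-2.36.7-1.el8_7.2.x86_64
webkit2gtk3-devel-2.36.7-1.el8_7.3.x86_64
glib2-2.56.4-159.el8.x86_64
"""

def rpmvercmp(a: str, b: str) -> int:
    """rpm's rpmvercmp() rules: digit runs compare numerically, letter runs lexically,
    digits outrank letters, '~' sorts before end-of-string ('^' is a plain separator here)."""
    while a or b:
        a = re.sub(r"^[^A-Za-z0-9~]+", "", a)    # separators (. - _ +) are skipped
        b = re.sub(r"^[^A-Za-z0-9~]+", "", b)
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        pat = r"\d+" if a[0].isdigit() else r"[A-Za-z]+"
        seg_a, m_b = re.match(pat, a).group(), re.match(pat, b)
        if m_b is None:                           # mismatched kinds: digits win
            return 1 if a[0].isdigit() else -1
        seg_b = m_b.group()
        key_a, key_b = (int(seg_a), int(seg_b)) if a[0].isdigit() else (seg_a, seg_b)
        if key_a != key_b:
            return -1 if key_a < key_b else 1
        a, b = a[len(seg_a):], b[len(seg_b):]
    return (a != "") - (b != "")                  # the side with segments left is newer

def vr_cmp(a: str, b: str) -> int:
    (va, ra), (vb, rb) = a.rsplit("-", 1), b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)  # version first, then release (no epoch)

def vulnerable_packages(rpm_qa_output: str) -> list:
    hits = []  # installed webkit2gtk3* packages (incl. -jsc/-devel) older than FIXED_VR
    for nvra in rpm_qa_output.split():
        rest, arch = nvra.rsplit(".", 1)                # strip the .arch suffix
        name, version, release = rest.rsplit("-", 2)    # package names may contain '-'
        if name.split("-")[0] == "webkit2gtk3" and vr_cmp(f"{version}-{release}", FIXED_VR) < 0:
            hits.append(nvra)
    return hits
```

On a real host, feed the output of `rpm -qa 'webkit2gtk3*'` to `vulnerable_packages`; an empty result means every installed subpackage is at or past the fixed build.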
The Red Hat security contact is [email protected]. More contact details at https://access.redhat.com/security/team/contact/.