Debian Linux Security Advisory 5468-1 - The following vulnerabilities have been discovered in the WebKitGTK web engine. YeongHyeon Choi discovered that processing web content may disclose sensitive information. Narendra Bhati discovered that a website may be able to bypass the Same Origin Policy. Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco Squarcina, and Lorenzo Veronese discovered that processing web content may lead to arbitrary code execution. Various other issues were also addressed.
-------------------------------------------------------------------------
Debian Security Advisory DSA-5468-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
August 05, 2023                       https://www.debian.org/security/faq
-------------------------------------------------------------------------
Package        : webkit2gtk
CVE ID         : CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594
                 CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600
                 CVE-2023-38611

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2023-38133

    YeongHyeon Choi discovered that processing web content may
    disclose sensitive information.

CVE-2023-38572

    Narendra Bhati discovered that a website may be able to bypass the
    Same Origin Policy.

CVE-2023-38592

    Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco
    Squarcina, and Lorenzo Veronese discovered that processing web
    content may lead to arbitrary code execution.

CVE-2023-38594

    Yuhao Hu discovered that processing web content may lead to
    arbitrary code execution.

CVE-2023-38595

    An anonymous researcher, Jiming Wang, and Jikai Ren discovered
    that processing web content may lead to arbitrary code execution.

CVE-2023-38597

    Junsung Lee discovered that processing web content may lead to
    arbitrary code execution.

CVE-2023-38599

    Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel
    Genkin, and Yuval Yarom discovered that a website may be able to
    track sensitive user information.

CVE-2023-38600

    An anonymous researcher discovered that processing web content may
    lead to arbitrary code execution.

CVE-2023-38611

    Francisco Alonso discovered that processing web content may lead
    to arbitrary code execution.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.40.5-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 2.40.5-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.
For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org