[SECURITY] [DLA 3274-1] webkit2gtk security update

To: <debian-lts-announce@lists.debian.org>
Subject: [SECURITY] [DLA 3274-1] webkit2gtk security update
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Thu, 19 Jan 2023 11:10:28 +0100 (CET)
Message-id: <[🔎] 20230119101028.8D6C62A044F@andromeda>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3274-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/               Emilio Pozuelo Monfort
January 19, 2023                              https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : webkit2gtk
Version        : 2.38.3-1~deb10u1
CVE ID         : CVE-2022-42852 CVE-2022-42856 CVE-2022-42867 CVE-2022-46692
                 CVE-2022-46698 CVE-2022-46699 CVE-2022-46700

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2022-42852

    hazbinhotel discovered that processing maliciously crafted web
    content may result in the disclosure of process memory.

CVE-2022-42856

    Clement Lecigne discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2022-42867

    Maddie Stone discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2022-46692

    KirtiKumar Anandrao Ramchandani discovered that processing
    maliciously crafted web content may bypass Same Origin Policy.

CVE-2022-46698

    Dohyun Lee and Ryan Shin discovered that processing maliciously
    crafted web content may disclose sensitive user information.

CVE-2022-46699

    Samuel Gross discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2022-46700

    Samuel Gross discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

For Debian 10 buster, these problems have been fixed in version
2.38.3-1~deb10u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAmPJFxEACgkQnUbEiOQ2
gwKkQA//QDUhHq0gLCIV4iq7optCNnzjkAXpUhsKYEslQaJZo/uUZmPF5sBZOyTf
aeUSrG2Ys4FUSj6NzeubpEW9TtBJzqRjfCj977n5mr142wg9ihjXq9T52BFqPnml
RenqZZwW3QPBD8c4N2oah6cijmHsnAApN/cNBjKHDiYlOHDesGzJL0OyZZpSzjZs
j+XbP9lm1/94DP9jvRu3EouMC3RyYoqPMBLMh5YoMKojVZfTlS0bc+xpBgESCLgB
/pOqoFfn4fSWdeErPoRvvuZuQwflbs/WiZH6y6qpEWCSsgH7i9CtGYOTBqxgls/J
v/D042T11ic5HkY3yp85HeKV70GF1Bxy5wV0WOsC4gQ4cRgNHHUqvnhsJGuSFKgA
oQLNVNcSnNcCPFqFNYBHC9FtE1WQOPiDOxxammaWuUbPW+UZV65tXS1nZWGDnrty
1JChTQMNMN2g4j36POxfQHBovvsGCBih2ewT8n0CvVRdXxR4CJVOauGfG9fKcizN
0CqPSvPER7RYQkz62himwE81bYDMOtRk6h+ibzPPgMoY7ym7SolFUAdEQ5bw4Y/2
ONJnA+f3WT+FkUVYrmxFSh12bXACyFZS9yEW535X6DoZzUBDLG6Kd0G4S2CG2x0h
QhUUM6fAxQMZSZIAjUtHTKiIVEnBSPJKw++CuriZTdL1KzIG2NU=
=XznE
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3273-1] libitext5-java security update
Next by Date: [SECURITY] [DLA 3275-1] firefox-esr security update
Previous by thread: [SECURITY] [DLA 3273-1] libitext5-java security update
Next by thread: [SECURITY] [DLA 3275-1] firefox-esr security update
Index(es):
- Date
- Thread