webkit2gtk3-2.42.5-1.el9

Errata ID: AXSA:2024-8032:02

Release date: Thursday, May 30, 2024 - 19:21
Subject: webkit2gtk3-2.42.5-1.el9
Affected Channels: MIRACLE LINUX 9 for x86_64
Severity: High
Description: 

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.

Security Fix(es):

* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-40414)
* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-42852)
* webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2024-23213)
* webkitgtk: Processing a file may lead to a denial of service or potentially disclose memory contents (CVE-2014-1745)
* webkitgtk: User password may be read aloud by a text-to-speech accessibility feature (CVE-2023-32359)
* webkitgtk: use-after-free in the MediaRecorder API of the WebKit GStreamer-based ports (CVE-2023-39928)
* webkitgtk: Processing web content may lead to a denial of service (CVE-2023-41983)
* webkitgtk: processing a malicious image may lead to a denial of service (CVE-2023-42883)
* webkitgtk: processing malicious web content may lead to arbitrary code execution (CVE-2023-42890)
* webkitgtk: A maliciously crafted webpage may be able to fingerprint the user (CVE-2024-23206)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the MIRACLE LINUX 9.4 Release Notes linked from the References section.

CVE-2014-1745
Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger removal of an SVGFontFaceElement object, related to core/svg/SVGFontFaceElement.cpp.
CVE-2023-32359
This issue was addressed with improved redaction of sensitive information. This issue is fixed in iOS 16.7.2 and iPadOS 16.7.2. A user's password may be read aloud by VoiceOver.
CVE-2023-39928
A use-after-free vulnerability exists in the MediaRecorder API of Webkit WebKitGTK 2.40.5. A specially crafted web page can abuse this vulnerability to cause memory corruption and potentially arbitrary code execution. A user would need to visit a malicious webpage to trigger this vulnerability.
CVE-2023-40414
A use-after-free issue was addressed with improved memory management. This issue is fixed in watchOS 10, iOS 17 and iPadOS 17, tvOS 17, macOS Sonoma 14, Safari 17. Processing web content may lead to arbitrary code execution.
CVE-2023-41983
The issue was addressed with improved memory handling. This issue is fixed in macOS Sonoma 14.1, Safari 17.1, iOS 16.7.2 and iPadOS 16.7.2, iOS 17.1 and iPadOS 17.1. Processing web content may lead to a denial-of-service.
CVE-2023-42852
A logic issue was addressed with improved checks. This issue is fixed in iOS 17.1 and iPadOS 17.1, watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, macOS Sonoma 14.1, Safari 17.1, tvOS 17.1. Processing web content may lead to arbitrary code execution.
CVE-2023-42883
The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, iOS 17.2 and iPadOS 17.2, watchOS 10.2, tvOS 17.2, iOS 16.7.3 and iPadOS 16.7.3. Processing an image may lead to a denial-of-service.
CVE-2023-42890
The issue was addressed with improved memory handling. This issue is fixed in Safari 17.2, macOS Sonoma 14.2, watchOS 10.2, iOS 17.2 and iPadOS 17.2, tvOS 17.2. Processing web content may lead to arbitrary code execution.
CVE-2024-23206
An access issue was addressed with improved access restrictions. This issue is fixed in watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3. A maliciously crafted webpage may be able to fingerprint the user.
CVE-2024-23213
The issue was addressed with improved memory handling. This issue is fixed in watchOS 10.3, tvOS 17.3, iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, iOS 16.7.5 and iPadOS 16.7.5, Safari 17.3. Processing web content may lead to arbitrary code execution.

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. webkit2gtk3-2.42.5-1.el9.src.rpm
    MD5: e2b393a7259f008176f1c33943028000
    SHA-256: fe5180172d8160dbe508f998914c36b72d04ea09ec374496d0108652ad4f7e00
    Size: 33.08 MB

Asianux Server 9 for x86_64
  1. webkit2gtk3-2.42.5-1.el9.i686.rpm
    MD5: c3b99dbd9fbc7cc8ca9c0d85c0ebd0da
    SHA-256: 0adb13380459587e26818e2aec5f8aea67189afd464324c6306da179937ecfa9
    Size: 21.55 MB
  2. webkit2gtk3-2.42.5-1.el9.x86_64.rpm
    MD5: 9fa50afe947dee0b335213710044688c
    SHA-256: ff8c77321f2f44f3bceb0c9ed465cbbce545c82d4914da0ba1f4e38cbcb95640
    Size: 20.49 MB
  3. webkit2gtk3-devel-2.42.5-1.el9.i686.rpm
    MD5: afc9a554c4db56bf797280875474b606
    SHA-256: 6f7e12de6a1f7ea8e6c231ab7592e9623b31a0093fc64df6e3f38d1036074f61
    Size: 326.58 kB
  4. webkit2gtk3-devel-2.42.5-1.el9.x86_64.rpm
    MD5: 7fa3b7e23334004ea9730048e9ea566c
    SHA-256: 64fb2fec6687160fde739178b2776908b323b5f2c82a8e4cb892a5b8d7afb03e
    Size: 321.49 kB
  5. webkit2gtk3-jsc-2.42.5-1.el9.i686.rpm
    MD5: ec4447a5925d698c05494dd5b00ba0f4
    SHA-256: 657670fb82924ed92edb9690d9cd4007a48ab356d198bbaa127d848399bfbfdc
    Size: 3.62 MB
  6. webkit2gtk3-jsc-2.42.5-1.el9.x86_64.rpm
    MD5: 08532e571ed096e1a4280b2d1ec8eb55
    SHA-256: b87178d8b1fac5d11baa649f415bac7d2018d65497907291f1f170b0dd88d0f3
    Size: 3.60 MB
  7. webkit2gtk3-jsc-devel-2.42.5-1.el9.i686.rpm
    MD5: efeff423f2f20c68bde806405c1e9496
    SHA-256: 89864ad1331af07bef8fe85cbce8fc249732e84d88ebae8370007ba8155a435f
    Size: 163.55 kB
  8. webkit2gtk3-jsc-devel-2.42.5-1.el9.x86_64.rpm
    MD5: efaa72f198619a9d92f5014d2a943ca0
    SHA-256: cf13897a1c4151edc7d6c7bab80c47e126a91b0705919ad2850f2b1103b4d8eb
    Size: 154.73 kB