To: gentoo-announce@lists.gentoo.org
From: Aaron Bauman
Subject: [gentoo-announce] ERRATA: [ GLSA 201612-41 ] WebKitGTK+: Multiple vulnerabilities
Message-ID: <5e795dad-cb42-9e07-7969-668b1f1bf889@gentoo.org>
Date: Tue, 13 Dec 2016 22:26:00 +0900
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory [ERRATA UPDATE]           GLSA 201612-41
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                           https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Normal
    Title: WebKitGTK+: Multiple vulnerabilities
     Date: December 13, 2016
     Bugs: #570034
       ID: 201612-41

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Errata
======

The original GLSA contained additional bugs and CVEs which did not
pertain to the affected package versions listed.

The corrected sections appear below and in the "Bugs" listed above.

Synopsis
========

Multiple vulnerabilities have been found in WebKitGTK+, the worst of
which may allow execution of arbitrary code.

Background
==========

WebKitGTK+ is a full-featured port of the WebKit rendering engine,
suitable for projects requiring any kind of web integration, from
hybrid HTML/CSS applications to full-fledged web browsers. It offers
WebKit’s full functionality and is useful in a wide range of systems
from desktop computers to embedded systems like phones, tablets, and
televisions. WebKitGTK+ is made by a lively community of developers and
designers, who hope to bring the web platform to everyone. It’s the
official web engine of the GNOME platform and is used in browsers such
as Epiphany and Midori.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  net-libs/webkit-gtk       < 2.4.10-r200           >= 2.4.10-r200

Description
===========

Multiple vulnerabilities have been discovered in WebKitGTK+. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker can use multiple vectors to execute arbitrary code or
cause a Denial of Service condition.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All WebKitGTK+ users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=net-libs/webkit-gtk-2.4.10-r200"
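
To confirm a host against the "Affected packages" table, the following added example (not part of the GLSA) compares a net-libs/webkit-gtk version with the first unaffected version, 2.4.10-r200. The function names are illustrative, the ordering is a simplified subset of Portage's rules (numeric components plus -rN), and qlist from portage-utils is assumed for the optional host check.

```sh
#!/bin/sh
# Added example, not part of the GLSA. Function names are illustrative.
# Simplified ordering: dotted numeric components plus an optional -rN
# revision. Portage suffixes (_p1, _rc2, trailing letters) are not handled.

FIXED="2.4.10-r200"   # first unaffected version, from the advisory table

# split_ver VERSION: print "<dotted-part> <revision>", revision defaults to 0
split_ver() {
    case "$1" in
        *-r[0-9]*) printf '%s %s\n' "${1%-r*}" "${1##*-r}" ;;
        *)         printf '%s 0\n' "$1" ;;
    esac
}

# ver_lt A B: succeed (status 0) when A sorts strictly before B
ver_lt() {
    # Intentional word splitting: yields "verA revA verB revB"
    set -- $(split_ver "$1") $(split_ver "$2")
    a=$1 ra=$2 b=$3 rb=$4
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    [ "$ra" -lt "$rb" ]   # same version: the revision decides
}

# glsa_status VERSION: print "vulnerable" or "unaffected" for this GLSA
glsa_status() {
    if ver_lt "$1" "$FIXED"; then echo vulnerable; else echo unaffected; fi
}

# On a Gentoo host with portage-utils, report every installed version.
if command -v qlist >/dev/null 2>&1; then
    qlist -Ive net-libs/webkit-gtk | while read -r cpv; do
        printf '%s: %s\n' "$cpv" "$(glsa_status "${cpv#net-libs/webkit-gtk-}")"
    done
fi
```

Note that 2.4.10 without a revision counts as vulnerable, because revision 0 sorts before -r200. `glsa-check -t 201612-41` performs the equivalent test using the GLSA data shipped in the Gentoo repository.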

References
==========

[ 1 ] CVE-2014-4412
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4412
[ 2 ] CVE-2014-4413
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4413
[ 3 ] CVE-2014-4414
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4414

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

 https://security.gentoo.org/glsa/201612-41

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2016 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5