[SECURITY] [DLA 3961-1] webkit2gtk security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3961-1                debian-lts@lists.debian.org
http://www.debian.org/lts/security/                Emilio Pozuelo Monfort
November 22, 2024                              http://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : webkit2gtk
Version        : 2.46.3-1~deb11u2
CVE ID         : CVE-2024-40866 CVE-2024-44185 CVE-2024-44187 CVE-2024-44244
                 CVE-2024-44296

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2024-40866

    Hafiizh and YoKo Kho discovered that visiting a malicious website
    may lead to address bar spoofing.

CVE-2024-44185

    Gary Kwong discovered that processing maliciously crafted web
    content may lead to an unexpected process crash.

CVE-2024-44187

    Narendra Bhati discovered that a malicious website may exfiltrate
    data cross-origin.

CVE-2024-44244

    An anonymous researcher, Q1IQ (@q1iqF) and P1umer discovered that
    processing maliciously crafted web content may lead to an
    unexpected process crash.

CVE-2024-44296

    Narendra Bhati discovered that processing maliciously crafted web
    content may prevent Content Security Policy from being enforced.

For Debian 11 bullseye, these problems have been fixed in version
2.46.3-1~deb11u2.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
http://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
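
The check below is an added example, not part of the advisory: it applies dpkg's version ordering rules to decide whether an installed webkit2gtk binary package predates the fixed version 2.46.3-1~deb11u2, including the `~` case where a suffix sorts before the bare revision. The package names and versions in `SAMPLE` are constructed input, and the function names are this example's own.

```python
import re
from itertools import zip_longest

FIXED = "2.46.3-1~deb11u2"  # fixed version stated in the advisory
# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output.
SAMPLE = """\
libwebkit2gtk-4.0-37 2.46.3-1~deb11u1
libjavascriptcoregtk-4.0-18 2.46.3-1~deb11u2
gir1.2-webkit2-4.0 2.44.4-1~deb11u1
"""
_CHUNK = re.compile(r"([^0-9]*)([0-9]*)")  # one (non-digit, digit) run

def _order(ch):
    # '~' sorts before everything, even end of string (0); letters before symbols.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, the way dpkg orders them.
    pairs = zip_longest(_CHUNK.findall(a), _CHUNK.findall(b), fillvalue=("", ""))
    for (sa, na), (sb, nb) in pairs:
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            oa, ob = (_order(ca) if ca else 0), (_order(cb) if cb else 0)
            if oa != ob:
                return -1 if oa < ob else 1
        if int(na or 0) != int(nb or 0):
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(version):
    # [epoch:]upstream[-revision]; a missing epoch counts as 0.
    epoch, sep, rest = version.partition(":")
    epoch, rest = (epoch, rest) if sep else ("0", version)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def unpatched(listing, fixed=FIXED):
    """Return (package, version) pairs from the listing that predate the fix."""
    rows = (line.split() for line in listing.splitlines() if line.strip())
    return [(pkg, ver) for pkg, ver in rows if compare(ver, fixed) < 0]

if __name__ == "__main__":
    for pkg, ver in unpatched(SAMPLE):
        print(f"{pkg} {ver} is older than {FIXED}")
```

On a live system, `dpkg --compare-versions` performs the same comparison.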