Re: [webkit-gtk] How to fix CVEs of webkitgtk 2.36.x

2023-03-27 Thread 不会弹吉他的KK
On Wed, Mar 22, 2023 at 7:01 PM Michael Catanzaro wrote:

> On Wed, Mar 22 2023 at 11:26:56 AM +0200, Adrian Perez de Castro wrote:
> > Recently advisories published by Apple include the Bugzilla issue
> > numbers (e.g. [1]), so with some work you can find out which commits
> > correspond to the fixes.
>
> It finally occurs to me that since Apple now publishes the bug
> information, we could start publishing revision information. We'd want
> to fix [1] first.
>

Hi Adrián and Michael,

Thanks. I'll try to search more for the existing CVEs.


> > WebKitGTK 2.38.x is backwards compatible with 2.36.x, you can safely
> > update without needing to change applications. In general, we always
> > keep the API and ABI backwards compatible.
>
> For avoidance of doubt, WebKitGTK 2.40.x is backwards-compatible as
> well and that will remain true indefinitely, as long as you continue to
> build the same API version [2]. Adrian might be planning one last
> 2.38.x release, but it's really time to move on to 2.40.
>
> On rare occasions, an upgrade might affect the behavior of particular
> API functionality within the same API version, but this is unusual and
> is avoided whenever possible. I don't think any APIs broke between 2.36
> and 2.40, so that shouldn't be a problem for you this time. The goal is
> for upgrades to be as safe as possible.
>

Great. Your comments will be powerful evidence for upgrading webkitgtk in
the Yocto LTS release.

Thanks a lot.
Kai


> Michael
>
> [1] https://bugs.webkit.org/show_bug.cgi?id=249672
> [2] https://blogs.gnome.org/mcatanzaro/2023/03/21/webkitgtk-api-for-gtk-4-is-now-stable/
>
>
>
___
webkit-gtk mailing list
webkit-gtk@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-gtk


Re: [webkit-gtk] How to fix CVEs of webkitgtk 2.36.x

2023-03-22 Thread Michael Catanzaro
On Wed, Mar 22 2023 at 11:26:56 AM +0200, Adrian Perez de Castro wrote:
> Recently advisories published by Apple include the Bugzilla issue
> numbers (e.g. [1]), so with some work you can find out which commits
> correspond to the fixes.

It finally occurs to me that since Apple now publishes the bug
information, we could start publishing revision information. We'd want
to fix [1] first.

> WebKitGTK 2.38.x is backwards compatible with 2.36.x, you can safely
> update without needing to change applications. In general, we always
> keep the API and ABI backwards compatible.

For avoidance of doubt, WebKitGTK 2.40.x is backwards-compatible as
well and that will remain true indefinitely, as long as you continue to
build the same API version [2]. Adrian might be planning one last
2.38.x release, but it's really time to move on to 2.40.

On rare occasions, an upgrade might affect the behavior of particular
API functionality within the same API version, but this is unusual and
is avoided whenever possible. I don't think any APIs broke between 2.36
and 2.40, so that shouldn't be a problem for you this time. The goal is
for upgrades to be as safe as possible.


Michael

[1] https://bugs.webkit.org/show_bug.cgi?id=249672
[2] 
https://blogs.gnome.org/mcatanzaro/2023/03/21/webkitgtk-api-for-gtk-4-is-now-stable/





Re: [webkit-gtk] How to fix CVEs of webkitgtk 2.36.x

2023-03-22 Thread Adrian Perez de Castro
Hello,

On Wed, 22 Mar 2023 11:57:24 +0800 不会弹吉他的KK wrote:

> I am working on the Yocto project. In the last LTS Yocto release the version of
> webkitgtk is 2.36.8, and there are more than 15 CVE issues for 2.36.8 so far.
> I checked the git log and the "WebKitGTK and WPE WebKit Security Advisory"
> pages, but I only found which CVE has been fixed in which version of
> webkitgtk. I can NOT get the exact info about which commit(s) fixed it. So is
> there anywhere, or some web page, to get the specific fix/patch for a CVE,
> please?

Recently advisories published by Apple include the Bugzilla issue numbers
(e.g. [1]), so with some work you can find out which commits correspond to
the fixes.

You will not be able to see the discussions in Bugzilla because security bugs
are visible by default only to members of the WebKit Security Team [2] for a
number of reasons, like avoiding leaks of information that could be used to
make exploits.
 
> And the second question is webkitgtk 2.38.x backward compatible with 2.36.8?
> I compare the header files between 2.36.8 and 2.38.4 that it seems no
> function deleted and no interface change for existing functions, only some
> functions are marked deprecated and some new functions added. Does that mean
> upgrade webkitgtk from 2.36.8 to 2.38.4 will not break applications which
> depend on it, please?

WebKitGTK 2.38.x is backwards compatible with 2.36.x, you can safely update
without needing to change applications. In general, we always keep the API and
ABI backwards compatible.

Note that the current stable releases (2.40.x) introduce a new API level
when using GTK4, but I suppose this is not a problem because most likely you
are still using GTK3.

I hope this helps you with your doubts.

Cheers,
—Adrián


---
[1] https://support.apple.com/en-us/HT213638
[2] https://webkit.org/security-team/


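Adrián's hint that the Bugzilla numbers listed in Apple's advisory can be matched to commits "with some work" is the step a Yocto maintainer backporting fixes would script. The Python below is an added example written for this thread, not code from the WebKit project or from any of the posters. It assumes a log produced by `git log --format='%H%n%B%x00'` on a WebKit checkout (one NUL-terminated record per commit) and relies on the WebKit convention that a commit message carries the Bugzilla URL of the bug it fixes. The embedded log text, commit hashes and bug numbers are constructed placeholders, not real WebKit data.

```python
"""
Map WebKit Bugzilla issue numbers (e.g. the ones an Apple advisory lists)
to the commits whose messages reference them, so a maintainer knows which
commits to backport and which bugs still have to be located by hand.

Assumed log format (not WebKit's own tooling):
    git log --format='%H%n%B%x00' origin/main > webkit.log
i.e. "<40-hex hash>\n<full commit message>" terminated by a NUL byte.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Both the long Bugzilla URL and the short webkit.org/b/<id> form.
BUG_URL_RE = re.compile(
    r"(?:bugs\.webkit\.org/show_bug\.cgi\?id=|webkit\.org/b/)(\d+)"
)


def _record(commit_hash: str, message: str) -> str:
    """Build one NUL-terminated record in the assumed git log format."""
    return f"{commit_hash}\n{message}\0"


# Constructed sample log: hashes and bug numbers are made-up placeholders.
SAMPLE_LOG = "".join([
    _record("a" * 40,
            "Fix use-after-free in FooElement::detach\n"
            "https://bugs.webkit.org/show_bug.cgi?id=111111\n"
            "\nReviewed by Nobody.\n"),
    _record("b" * 40,
            "Unrelated refactoring\n"
            "https://bugs.webkit.org/show_bug.cgi?id=333333\n"),
    _record("c" * 40,
            "Follow-up fix for bug 111111\n"
            "https://webkit.org/b/111111\n"),
])


def parse_log(log_text: str) -> List[Tuple[str, str]]:
    """Split NUL-terminated records into (hash, message) pairs, log order kept."""
    records = []
    for chunk in log_text.split("\0"):
        chunk = chunk.strip("\n")
        if not chunk:
            continue
        commit_hash, _, message = chunk.partition("\n")
        records.append((commit_hash, message))
    return records


def bugs_referenced(message: str) -> Set[int]:
    """Return every Bugzilla id whose URL appears in a commit message."""
    return {int(bug_id) for bug_id in BUG_URL_RE.findall(message)}


def commits_for_bugs(log_text: str, bug_ids: Iterable[int]) -> Dict[int, List[str]]:
    """Map each wanted bug id to the commits referencing it (newest first)."""
    wanted = set(bug_ids)
    result: Dict[int, List[str]] = {bug: [] for bug in wanted}
    for commit_hash, message in parse_log(log_text):
        for bug in bugs_referenced(message) & wanted:
            result[bug].append(commit_hash)
    return result


def unmatched_bugs(log_text: str, bug_ids: Iterable[int]) -> List[int]:
    """Bug ids from the advisory with no referencing commit in the log."""
    mapping = commits_for_bugs(log_text, bug_ids)
    return sorted(bug for bug, commits in mapping.items() if not commits)


if __name__ == "__main__":
    # Bug ids as they would be copied from an advisory (constructed here).
    advisory_bugs = [111111, 222222]
    for bug, commits in sorted(commits_for_bugs(SAMPLE_LOG, advisory_bugs).items()):
        print(f"bug {bug}: {', '.join(commits) or 'no commit found'}")
    print("still to locate by hand:", unmatched_bugs(SAMPLE_LOG, advisory_bugs))
```

A bug that has several referencing commits (an original fix plus a follow-up, as with the constructed bug 111111) is reported with all of them, since a backport that takes only the first one is a common source of half-applied fixes; bugs with no match are listed separately so they are not silently dropped from the backport plan.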