Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package wpewebkit

[ Reason ]
Fix five CVEs, one of them reported to have been actively exploited.

[ Impact ]
wpewebkit, like all other major browser engines, is affected by a
constant stream of security bugs so it's not recommended to browse the
web using an outdated version of the package. For this reason the
security team has been providing wpewebkit updates using the upstream
stable releases since Debian bullseye.

2.38.6 is the next stable point release after 2.38.5 (already in
bookworm). It contains fixes for several bugs including 5 CVEs:

  CVE-2022-0108

    Impact: An HTML document may be able to render iframes with
    sensitive user information.

  CVE-2022-32885

    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution.

  CVE-2023-27932

    Impact: Processing maliciously crafted web content may bypass Same
    Origin Policy.

  CVE-2023-27954

    Impact: A website may be able to track sensitive user information.

  CVE-2023-28205

    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Apple is aware of a report that this
    issue may have been actively exploited.

[ Tests ]
Tested manually using the cog web browser.

[ Risks ]
WPE WebKit evolves very fast and its stable releases contain other
fixes apart from the security ones. Because of this the chance of
regressions is higher than with other packages. That said, upstream
has had a good track record of publishing updates with no major
issues.

In addition to that, WPE WebKit is also a niche browser engine with
few reverse dependencies so the impact of any possible regression is
very low and the risk is therefore much more controlled.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
This new version also works in bullseye and the corresponding
security update is also being prepared.

Note that I only include the debian/ part of the debdiff since the
changes to the source itself are larger due to the nature of the
release.

unblock wpewebkit/2.38.6-1
diff -Nru wpewebkit-2.38.5/debian/changelog wpewebkit-2.38.6/debian/changelog
--- wpewebkit-2.38.5/debian/changelog   2023-02-15 22:52:14.000000000 +0100
+++ wpewebkit-2.38.6/debian/changelog   2023-04-25 09:17:43.000000000 +0200
@@ -1,3 +1,13 @@
+wpewebkit (2.38.6-1) unstable; urgency=high
+
+  * New upstream release.
+  * The WPE WebKit security advisory WSA-2023-0003 lists the following
+    security fixes in the latest versions of WPE WebKit:
+    - CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954,
+      CVE-2023-28205 (fixed in 2.38.6 and 2.40.1).
+
+ -- Alberto Garcia <be...@igalia.com>  Tue, 25 Apr 2023 09:17:43 +0200
+
 wpewebkit (2.38.5-1) unstable; urgency=high
 
   * New upstream release.
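Review bot: the new 2.38.6-1 changelog entry names the advisory (`+  * The WPE WebKit security advisory WSA-2023-0003 lists the following`) but gives no URL and does not record that CVE-2023-28205 is reported to have been actively exploited, which is the fact the request itself uses to justify the update; consider adding the advisory link and a short "reported as actively exploited" remark next to that CVE so the reason for urgency=high is preserved in the package history. The debdiff touches only debian/changelog, which is consistent with the note above that only the debian/ part is shown, but it also means the rest of the packaging is unchanged and the regression risk is entirely in the upstream 2.38.5 to 2.38.6 delta.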
