Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package wpewebkit

[ Reason ]
Fix five CVEs, one of them reported to have been actively exploited.

[ Impact ]
wpewebkit, like all other major browser engines, is affected by a constant stream of security bugs, so it's not recommended to browse the web using an outdated version of the package. For this reason the security team has been providing wpewebkit updates using the upstream stable releases since Debian bullseye.

2.38.6 is the next stable point release after 2.38.5 (already in bookworm). It contains fixes for several bugs including 5 CVEs:

CVE-2022-0108
Impact: An HTML document may be able to render iframes with sensitive user information.

CVE-2022-32885
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2023-27932
Impact: Processing maliciously crafted web content may bypass Same Origin Policy.

CVE-2023-27954
Impact: A website may be able to track sensitive user information.

CVE-2023-28205
Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

[ Tests ]
Tested manually using the cog web browser.

[ Risks ]
WPE WebKit evolves very fast and its stable releases contain other fixes apart from the security ones. Because of this the chance of regressions is higher than with other packages. That said, upstream has had a good track record of publishing updates with no major issues.

In addition to that, WPE WebKit is also a niche browser engine with few reverse dependencies, so the impact of any possible regression is very low and the risk is therefore much more controlled.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
This new version also works in bullseye and the corresponding security update is also being prepared.

Note that I only include the debian/ part of the debdiff since the changes to the source itself are larger due to the nature of the release.

unblock wpewebkit/2.38.6-1
diff -Nru wpewebkit-2.38.5/debian/changelog wpewebkit-2.38.6/debian/changelog --- wpewebkit-2.38.5/debian/changelog 2023-02-15 22:52:14.000000000 +0100 +++ wpewebkit-2.38.6/debian/changelog 2023-04-25 09:17:43.000000000 +0200 @@ -1,3 +1,13 @@ +wpewebkit (2.38.6-1) unstable; urgency=high + + * New upstream release. + * The WPE WebKit security advisory WSA-2023-0003 lists the following + security fixes in the latest versions of WPE WebKit: + - CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, + CVE-2023-28205 (fixed in 2.38.6 and 2.40.1). + + -- Alberto Garcia <be...@igalia.com> Tue, 25 Apr 2023 09:17:43 +0200 + wpewebkit (2.38.5-1) unstable; urgency=high * New upstream release.
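Review bot: the 2.38.6-1 changelog entry lists the five CVEs from WSA-2023-0003 but does not say that CVE-2023-28205 is reported to have been actively exploited, which the unblock request itself states as the reason for the update and for urgency=high; consider adding a short line under that CVE, e.g. `CVE-2023-28205 is reported to have been actively exploited`, so users and the security tracker reading d/changelog see why this point release is urgent. Otherwise the debdiff shows only the changelog changing, which matches the statement that the packaging itself needed no changes for the new upstream release.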