*** This bug is a security vulnerability *** Public security bug reported:
Hello, WebKitGTK+ has recently started issuing regular security updates[1]. These updates have been made available for the "webkit2" version of WebKitGTK+, which is our webkit2gtk package. In a progress report about the updates[2] Michael Catanzaro has asked distributions to stop shipping the older version. The post includes, in part: > [T]his old version of WebKit is affected by over 200 known > vulnerabilities and really has to go sooner rather than later. We’ve > agreed to remove WebKitGTK+ 2.4 and its dependencies from Fedora rawhide > right after Fedora 26 is branched next month, so they will no longer be > present in Fedora 27 (targeted for release in November). It'd be nice to follow suit so that we don't ship this version of WebKit in 18.04 LTS. This transition may not be easy: $ reverse-depends src:webkitgtk Reverse-Depends =============== * apvlv (for libwebkitgtk-3.0-0) * balsa (for libjavascriptcoregtk-1.0-0) * balsa (for libwebkitgtk-1.0-0) * banshee (for libwebkitgtk-1.0-0) * bibledit-gtk (for libwebkitgtk-1.0-0) * bijiben (for libwebkitgtk-3.0-0) * cairo-dock-plug-ins (for libwebkitgtk-3.0-0) * cinnamon (for gir1.2-javascriptcoregtk-3.0) * cinnamon-screensaver-webkit-plugin (for gir1.2-webkit2-3.0) * claws-mail-fancy-plugin (for libwebkitgtk-1.0-0) * cyclograph-gtk3 (for gir1.2-webkit-3.0) * emacs25 (for libwebkitgtk-3.0-0) * empathy (for libwebkitgtk-3.0-0) * geany-plugin-devhelp (for libwebkitgtk-1.0-0) * geany-plugin-markdown (for libwebkitgtk-1.0-0) * geany-plugin-webhelper (for libwebkitgtk-1.0-0) * geary (for libwebkitgtk-3.0-0) * gnome-web-photo (for libwebkitgtk-3.0-0) * gnucash (for libwebkitgtk-1.0-0) * gphpedit (for libwebkitgtk-1.0-0) * gtkpod (for libwebkitgtk-3.0-0) * guitarix (for libwebkitgtk-1.0-0) * libwebkit1.1-cil (for libwebkitgtk-1.0-0) * libwebkitgtk3.0-cil (for libwebkitgtk-3.0-0) * libwxgtk-webview3.0-0v5 (for libwebkitgtk-1.0-0) * liferea (for libwebkitgtk-3.0-0) * lightdm-webkit-greeter (for libjavascriptcoregtk-1.0-0) * lightdm-webkit-greeter (for libwebkitgtk-1.0-0) * luakit (for libjavascriptcoregtk-1.0-0) * luakit (for libwebkitgtk-1.0-0) * maildir-utils-extra (for libwebkitgtk-3.0-0) * midori (for libwebkitgtk-1.0-0) * midori (for libjavascriptcoregtk-1.0-0) * monodevelop (for libwebkitgtk-1.0-0) * node-topcube (for libwebkitgtk-1.0-0) * osmo (for libwebkitgtk-1.0-0) * python-webkit (for libwebkitgtk-1.0-0) * ruby-webkit-gtk (for gir1.2-webkit-3.0) * sugar-read-activity (for gir1.2-webkit-3.0) * surf (for libjavascriptcoregtk-3.0-0) * surf (for libwebkitgtk-3.0-0) * thawab (for gir1.2-webkit-3.0) * typecatcher (for gir1.2-webkit-3.0) * ubuntu-release-upgrader-gtk (for gir1.2-webkit-3.0) * uzbl (for libwebkitgtk-1.0-0) * uzbl (for libjavascriptcoregtk-1.0-0) * variety (for gir1.2-webkit-3.0) * webkit-image-gtk (for libwebkitgtk-1.0-0) * webkit2pdf (for libwebkitgtk-1.0-0) * xiphos (for libwebkitgtk-3.0-0) * xombrero (for libjavascriptcoregtk-3.0-0) * xombrero (for libwebkitgtk-3.0-0) * xtrkcad (for libwebkitgtk-1.0-0) * zekr (for libwebkitgtk-1.0-0) The Fedora plans include removing all packages that aren't upgraded[3]: > Dependencies that are not updated to use modern WebKit will not be > present in Fedora 27. Thanks 1: https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/ 2: https://blogs.gnome.org/mcatanzaro/2017/02/08/an-update-on-webkit-security-updates/ 3: https://bugzilla.redhat.com/show_bug.cgi?id=1375784 ** Affects: webkitgtk (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1662982 Title: please consider removing webkitgtk To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/webkitgtk/+bug/1662982/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
