On Wed, Sep 6, 2023 at 9:46 PM Michael Catanzaro <mcatanz...@redhat.com> wrote:
> On Wed, Sep 6 2023 at 04:23:17 PM +0800, 不会弹吉他的KK
> <kai.7.k...@gmail.com> wrote:
> > My question is
> > 1. Is webkitgtk 2.38.6 vulnerable to CVE-2023-32435?
>
> No clue, sorry.
>
> > 2. If YES, how to deal with the patches with the 2 new files? If just
> > ignore and only patch file
> > Source/JavaScriptCore/wasm/WasmSectionParser.cpp, could
> > CVE-2023-32435 be fixed for 2.38.6, please?
>
> Patching just that one file is what I would do if tasked with
> backporting this fix.

OK.

> That said, keep in mind that only 10-20% of our
> security vulnerabilities receive CVEs, so just patching CVEs is not
> sufficient to provide a secure version of WebKitGTK. The 2.38 branch is
> no longer secure and you should try upgrading to 2.42. (I would skip
> 2.40 at this point, since that branch will end next week when 2.42.0 is
> released.)
>

For the Yocto project, which I am working on, packages (recipes) can NOT be
updated with a major version upgrade on Yocto released products/branches.
So we still have to fix these kinds of CVEs. But for the master branch,
webkitgtk will be upgraded as soon as it is released.

Thanks a lot.
Kai

>
> Michael
_______________________________________________
webkit-gtk mailing list
webkit-gtk@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-gtk