===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0282
         SUSE Security Update: Security update for webkit2gtk3
                               30 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           webkit2gtk3
Publisher:         SUSE
Operating System:  SUSE
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
                   Denial of Service               -- Remote with User Interaction
                   Access Confidential Data        -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-13870 CVE-2017-13866 CVE-2017-13856 CVE-2017-13803
                   CVE-2017-13798 CVE-2017-13788 CVE-2017-7157 CVE-2017-7156
                   CVE-2017-7142 CVE-2017-7120 CVE-2017-7117 CVE-2017-7111
                   CVE-2017-7109 CVE-2017-7107 CVE-2017-7104 CVE-2017-7102
                   CVE-2017-7100 CVE-2017-7099 CVE-2017-7098 CVE-2017-7096
                   CVE-2017-7095 CVE-2017-7094 CVE-2017-7093 CVE-2017-7092
                   CVE-2017-7091 CVE-2017-7090 CVE-2017-7089 CVE-2017-7087
                   CVE-2017-7081 CVE-2017-7064 CVE-2017-7061 CVE-2017-7059
                   CVE-2017-7056 CVE-2017-7055 CVE-2017-7052 CVE-2017-7049
                   CVE-2017-7048 CVE-2017-7046 CVE-2017-7043 CVE-2017-7042
                   CVE-2017-7041 CVE-2017-7040 CVE-2017-7039 CVE-2017-7038
                   CVE-2017-7037 CVE-2017-7034 CVE-2017-7030 CVE-2017-7020
                   CVE-2017-7019 CVE-2017-7018 CVE-2017-7012 CVE-2017-7011
                   CVE-2017-7006 CVE-2017-5754 CVE-2017-5753 CVE-2017-5715
                   CVE-2017-2539 CVE-2017-2510 CVE-2017-2496 CVE-2017-2373
                   CVE-2017-2371 CVE-2017-2369 CVE-2017-2366 CVE-2017-2365
                   CVE-2017-2364 CVE-2017-2363 CVE-2017-2362 CVE-2017-2356
                   CVE-2017-2355 CVE-2017-2354 CVE-2017-2350 CVE-2016-7656
                   CVE-2016-7654 CVE-2016-7652 CVE-2016-7645 CVE-2016-7641
                   CVE-2016-7639 CVE-2016-7635 CVE-2016-7632 CVE-2016-7623
                   CVE-2016-7610 CVE-2016-7599 CVE-2016-7598 CVE-2016-7592
                   CVE-2016-7589 CVE-2016-7587 CVE-2016-7586 CVE-2016-4743
                   CVE-2016-4692
Reference:         ASB-2018.0033 ASB-2018.0030 ASB-2018.0009 ESB-2017.2768
                   ESB-2016.2962 ASB-2018.0002.4 ESB-2016.2928.2
                   ESB-2016.2927.2 ESB-2016.2926.2

Original Bulletin:
   https://www.suse.com/support/update/announcement/2018/suse-su-20180219-1/

--------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________

Announcement ID:    SUSE-SU-2018:0219-1
Rating:             important
References:         #1020950 #1024749 #1050469 #1066892 #1069925 #1073654
                    #1075419
Cross-References:   CVE-2016-4692 CVE-2016-4743 CVE-2016-7586 CVE-2016-7587
                    CVE-2016-7589 CVE-2016-7592 CVE-2016-7598 CVE-2016-7599
                    CVE-2016-7610 CVE-2016-7623 CVE-2016-7632 CVE-2016-7635
                    CVE-2016-7639 CVE-2016-7641 CVE-2016-7645 CVE-2016-7652
                    CVE-2016-7654 CVE-2016-7656 CVE-2017-13788 CVE-2017-13798
                    CVE-2017-13803 CVE-2017-13856 CVE-2017-13866 CVE-2017-13870
                    CVE-2017-2350 CVE-2017-2354 CVE-2017-2355 CVE-2017-2356
                    CVE-2017-2362 CVE-2017-2363 CVE-2017-2364 CVE-2017-2365
                    CVE-2017-2366 CVE-2017-2369 CVE-2017-2371 CVE-2017-2373
                    CVE-2017-2496 CVE-2017-2510 CVE-2017-2539 CVE-2017-5715
                    CVE-2017-5753 CVE-2017-5754 CVE-2017-7006 CVE-2017-7011
                    CVE-2017-7012 CVE-2017-7018 CVE-2017-7019 CVE-2017-7020
                    CVE-2017-7030 CVE-2017-7034 CVE-2017-7037 CVE-2017-7038
                    CVE-2017-7039 CVE-2017-7040 CVE-2017-7041 CVE-2017-7042
                    CVE-2017-7043 CVE-2017-7046 CVE-2017-7048 CVE-2017-7049
                    CVE-2017-7052 CVE-2017-7055 CVE-2017-7056 CVE-2017-7059
                    CVE-2017-7061 CVE-2017-7064 CVE-2017-7081 CVE-2017-7087
                    CVE-2017-7089 CVE-2017-7090 CVE-2017-7091 CVE-2017-7092
                    CVE-2017-7093 CVE-2017-7094 CVE-2017-7095 CVE-2017-7096
                    CVE-2017-7098 CVE-2017-7099 CVE-2017-7100 CVE-2017-7102
                    CVE-2017-7104 CVE-2017-7107 CVE-2017-7109 CVE-2017-7111
                    CVE-2017-7117 CVE-2017-7120 CVE-2017-7142 CVE-2017-7156
                    CVE-2017-7157
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12-SP3
                    SUSE Linux Enterprise Workstation Extension 12-SP2
                    SUSE Linux Enterprise Software Development Kit 12-SP3
                    SUSE Linux Enterprise Software Development Kit 12-SP2
                    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server 12-SP2
                    SUSE Linux Enterprise Desktop 12-SP3
                    SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________

   An update that fixes 89 vulnerabilities is now available.

Description:

   This update for webkit2gtk3 fixes the following issues:

   Update to version 2.18.5:

   + Disable SharedArrayBuffers from Web API.
   + Reduce the precision of "high" resolution time to 1ms.
   + bsc#1075419 - Security fixes: includes improvements to mitigate the
     effects of Spectre and Meltdown (CVE-2017-5753 and CVE-2017-5715).

   Update to version 2.18.4:

   + Make WebDriver implementation more spec compliant.
   + Fix a bug when trying to remove cookies before a web process is spawned.
   + WebKitWebDriver process no longer links to libjavascriptcoregtk.
   + Fix several memory leaks in GStreamer media backend.
   + bsc#1073654 - Security fixes: CVE-2017-13866, CVE-2017-13870,
     CVE-2017-7156, CVE-2017-13856.

   Update to version 2.18.3:

   + Improve calculation of font metrics to prevent scrollbars from being
     shown unnecessarily in some cases.
   + Fix handling of null capabilities in WebDriver implementation.
   + Security fixes: CVE-2017-13798, CVE-2017-13788, CVE-2017-13803.

   Update to version 2.18.2:

   + Fix rendering of Arabic text.
   + Fix a crash in the web process when decoding GIF images.
   + Fix rendering of wind in Windy.com.
   + Fix several crashes and rendering issues.

   Update to version 2.18.1:

   + Improve performance of GIF animations.
   + Fix garbled display in GMail.
   + Fix rendering of several material design icons when using the web font.
   + Fix flickering when resizing the window in Wayland.
   + Prevent default Kerberos authentication credentials from being used in
     ephemeral sessions.
   + Fix a crash when webkit_web_resource_get_data() is cancelled.
   + Correctly handle touchmove and touchend events in WebKitWebView.
   + Fix the build with enchant 2.1.1.
   + Fix the build in HPPA and Alpha.
   + Fix several crashes and rendering issues.
   + Security fixes: CVE-2017-7081, CVE-2017-7087, CVE-2017-7089,
     CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093,
     CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098,
     CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104,
     CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117,
     CVE-2017-7120, CVE-2017-7142.

   - Enable gold linker on s390/s390x on SLE15/Tumbleweed.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12-SP3:

      zypper in -t patch SUSE-SLE-WE-12-SP3-2018-150=1

   - SUSE Linux Enterprise Workstation Extension 12-SP2:

      zypper in -t patch SUSE-SLE-WE-12-SP2-2018-150=1

   - SUSE Linux Enterprise Software Development Kit 12-SP3:

      zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-150=1

   - SUSE Linux Enterprise Software Development Kit 12-SP2:

      zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-150=1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:

      zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-150=1

   - SUSE Linux Enterprise Server 12-SP3:

      zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-150=1

   - SUSE Linux Enterprise Server 12-SP2:

      zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-150=1

   - SUSE Linux Enterprise Desktop 12-SP3:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-150=1

   - SUSE Linux Enterprise Desktop 12-SP2:

      zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-150=1

   To bring your system up-to-date, use "zypper patch".
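   As an added example that is not part of the SUSE or AusCERT bulletin, the
   following POSIX shell check reports which of the affected webkit2gtk3
   packages on a host are still below the fixed build 2.18.5-2.18.1 given in
   the package list; the rpm query format and a SLE 12 host are assumptions,
   and the sample input is constructed rather than taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the SUSE or AusCERT bulletin: list webkit2gtk3
# packages that are still older than the fixed build 2.18.5-2.18.1.
# Input is one package per line as "NAME VERSION-RELEASE", the format that
# `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` prints on a SLE 12 host
# (assumption); the sample at the bottom is constructed.

FIXED_VR="2.18.5-2.18.1"

# Compare two version-release strings segment by segment (dots and the
# version/release dash both separate segments) and print -1, 0 or 1.
# Only numeric segments are ordered; a non-numeric segment compares equal,
# which is enough for the all-numeric builds in this bulletin.
vercmp() {
    a=$(printf '%s' "$1" | sed 's/-/./g')
    b=$(printf '%s' "$2" | sed 's/-/./g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        [ -z "$x" ] && x=0
        [ -z "$y" ] && y=0
        if [ "$x" -lt "$y" ] 2>/dev/null; then echo -1; return 0; fi
        if [ "$x" -gt "$y" ] 2>/dev/null; then echo 1; return 0; fi
    done
    echo 0
}

# Read "NAME VERSION-RELEASE" lines on stdin and print the affected packages
# whose installed build is below FIXED_VR; unrelated packages are ignored.
unpatched() {
    while read -r name vr; do
        case "$name" in
            libwebkit2gtk-4_0-37|libjavascriptcoregtk-4_0-18|libwebkit2gtk3-lang|\
            webkit2gtk-4_0-injected-bundles|webkit2gtk3-devel|\
            typelib-1_0-WebKit2-4_0|typelib-1_0-JavaScriptCore-4_0)
                if [ "$(vercmp "$vr" "$FIXED_VR")" = "-1" ]; then
                    printf '%s %s\n' "$name" "$vr"
                fi
                ;;
        esac
    done
}

# Constructed sample rpm output: two packages behind the fix, one at it,
# and one unrelated package that must be ignored.
SAMPLE='libwebkit2gtk-4_0-37 2.18.3-2.15.1
libjavascriptcoregtk-4_0-18 2.18.3-2.15.1
typelib-1_0-WebKit2-4_0 2.18.5-2.18.1
glib2-tools 2.48.2-12.3.1'

printf '%s\n' "$SAMPLE" | unpatched
```

   On a real host, pipe the rpm query into `unpatched` instead of the sample;
   an empty result means every listed package is at or above the fixed build.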
Package List:

   - SUSE Linux Enterprise Workstation Extension 12-SP3 (noarch):

      libwebkit2gtk3-lang-2.18.5-2.18.1

   - SUSE Linux Enterprise Workstation Extension 12-SP2 (noarch):

      libwebkit2gtk3-lang-2.18.5-2.18.1

   - SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):

      webkit2gtk3-debugsource-2.18.5-2.18.1
      webkit2gtk3-devel-2.18.5-2.18.1

   - SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):

      webkit2gtk3-debugsource-2.18.5-2.18.1
      webkit2gtk3-devel-2.18.5-2.18.1

   - SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):

      libjavascriptcoregtk-4_0-18-2.18.5-2.18.1
      libjavascriptcoregtk-4_0-18-debuginfo-2.18.5-2.18.1
      libwebkit2gtk-4_0-37-2.18.5-2.18.1
      libwebkit2gtk-4_0-37-debuginfo-2.18.5-2.18.1
      typelib-1_0-JavaScriptCore-4_0-2.18.5-2.18.1
      typelib-1_0-WebKit2-4_0-2.18.5-2.18.1
      webkit2gtk-4_0-injected-bundles-2.18.5-2.18.1
      webkit2gtk-4_0-injected-bundles-debuginfo-2.18.5-2.18.1
      webkit2gtk3-debugsource-2.18.5-2.18.1

   - SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):

      libjavascriptcoregtk-4_0-18-2.18.5-2.18.1
      libjavascriptcoregtk-4_0-18-debuginfo-2.18.5-2.18.1
      libwebkit2gtk-4_0-37-2.18.5-2.18.1
      libwebkit2gtk-4_0-37-debuginfo-2.18.5-2.18.1
      typelib-1_0-JavaScriptCore-4_0-2.18.5-2.18.1
      typelib-1_0-WebKit2-4_0-2.18.5-2.18.1
      webkit2gtk-4_0-injected-bundles-2.18.5-2.18.1
      webkit2gtk-4_0-injected-bundles-debuginfo-2.18.5-2.18.1
      webkit2gtk3-debugsource-2.18.5-2.18.1

   - SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64):

      libjavascriptcoregtk-4_0-18-2.18.5-2.18.1
      libjavascriptcoregtk-4_0-18-debuginfo-2.18.5-2.18.1
      libwebkit2gtk-4_0-37-2.18.5-2.18.1
      libwebkit2gtk-4_0-37-debuginfo-2.18.5-2.18.1
      typelib-1_0-JavaScriptCore-4_0-2.18.5-2.18.1
      typelib-1_0-WebKit2-4_0-2.18.5-2.18.1
      webkit2gtk-4_0-injected-bundles-2.18.5-2.18.1
      webkit2gtk-4_0-injected-bundles-debuginfo-2.18.5-2.18.1
      webkit2gtk3-debugsource-2.18.5-2.18.1

   - SUSE Linux Enterprise Desktop 12-SP3 (noarch):

      libwebkit2gtk3-lang-2.18.5-2.18.1

   - SUSE Linux Enterprise Desktop 12-SP3 (x86_64):

      libjavascriptcoregtk-4_0-18-2.18.5-2.18.1
      libjavascriptcoregtk-4_0-18-debuginfo-2.18.5-2.18.1
      libwebkit2gtk-4_0-37-2.18.5-2.18.1
      libwebkit2gtk-4_0-37-debuginfo-2.18.5-2.18.1
      typelib-1_0-JavaScriptCore-4_0-2.18.5-2.18.1
      typelib-1_0-WebKit2-4_0-2.18.5-2.18.1
      webkit2gtk-4_0-injected-bundles-2.18.5-2.18.1
      webkit2gtk-4_0-injected-bundles-debuginfo-2.18.5-2.18.1
      webkit2gtk3-debugsource-2.18.5-2.18.1

   - SUSE Linux Enterprise Desktop 12-SP2 (x86_64):

      libjavascriptcoregtk-4_0-18-2.18.5-2.18.1
      libjavascriptcoregtk-4_0-18-debuginfo-2.18.5-2.18.1
      libwebkit2gtk-4_0-37-2.18.5-2.18.1
      libwebkit2gtk-4_0-37-debuginfo-2.18.5-2.18.1
      typelib-1_0-JavaScriptCore-4_0-2.18.5-2.18.1
      typelib-1_0-WebKit2-4_0-2.18.5-2.18.1
      webkit2gtk-4_0-injected-bundles-2.18.5-2.18.1
      webkit2gtk-4_0-injected-bundles-debuginfo-2.18.5-2.18.1
      webkit2gtk3-debugsource-2.18.5-2.18.1

   - SUSE Linux Enterprise Desktop 12-SP2 (noarch):

      libwebkit2gtk3-lang-2.18.5-2.18.1

References:

   https://www.suse.com/security/cve/CVE-2016-4692.html
   https://www.suse.com/security/cve/CVE-2016-4743.html
   https://www.suse.com/security/cve/CVE-2016-7586.html
   https://www.suse.com/security/cve/CVE-2016-7587.html
   https://www.suse.com/security/cve/CVE-2016-7589.html
   https://www.suse.com/security/cve/CVE-2016-7592.html
   https://www.suse.com/security/cve/CVE-2016-7598.html
   https://www.suse.com/security/cve/CVE-2016-7599.html
   https://www.suse.com/security/cve/CVE-2016-7610.html
   https://www.suse.com/security/cve/CVE-2016-7623.html
   https://www.suse.com/security/cve/CVE-2016-7632.html
   https://www.suse.com/security/cve/CVE-2016-7635.html
   https://www.suse.com/security/cve/CVE-2016-7639.html
   https://www.suse.com/security/cve/CVE-2016-7641.html
   https://www.suse.com/security/cve/CVE-2016-7645.html
   https://www.suse.com/security/cve/CVE-2016-7652.html
   https://www.suse.com/security/cve/CVE-2016-7654.html
   https://www.suse.com/security/cve/CVE-2016-7656.html
   https://www.suse.com/security/cve/CVE-2017-13788.html
   https://www.suse.com/security/cve/CVE-2017-13798.html
   https://www.suse.com/security/cve/CVE-2017-13803.html
   https://www.suse.com/security/cve/CVE-2017-13856.html
   https://www.suse.com/security/cve/CVE-2017-13866.html
   https://www.suse.com/security/cve/CVE-2017-13870.html
   https://www.suse.com/security/cve/CVE-2017-2350.html
   https://www.suse.com/security/cve/CVE-2017-2354.html
   https://www.suse.com/security/cve/CVE-2017-2355.html
   https://www.suse.com/security/cve/CVE-2017-2356.html
   https://www.suse.com/security/cve/CVE-2017-2362.html
   https://www.suse.com/security/cve/CVE-2017-2363.html
   https://www.suse.com/security/cve/CVE-2017-2364.html
   https://www.suse.com/security/cve/CVE-2017-2365.html
   https://www.suse.com/security/cve/CVE-2017-2366.html
   https://www.suse.com/security/cve/CVE-2017-2369.html
   https://www.suse.com/security/cve/CVE-2017-2371.html
   https://www.suse.com/security/cve/CVE-2017-2373.html
   https://www.suse.com/security/cve/CVE-2017-2496.html
   https://www.suse.com/security/cve/CVE-2017-2510.html
   https://www.suse.com/security/cve/CVE-2017-2539.html
   https://www.suse.com/security/cve/CVE-2017-5715.html
   https://www.suse.com/security/cve/CVE-2017-5753.html
   https://www.suse.com/security/cve/CVE-2017-5754.html
   https://www.suse.com/security/cve/CVE-2017-7006.html
   https://www.suse.com/security/cve/CVE-2017-7011.html
   https://www.suse.com/security/cve/CVE-2017-7012.html
   https://www.suse.com/security/cve/CVE-2017-7018.html
   https://www.suse.com/security/cve/CVE-2017-7019.html
   https://www.suse.com/security/cve/CVE-2017-7020.html
   https://www.suse.com/security/cve/CVE-2017-7030.html
   https://www.suse.com/security/cve/CVE-2017-7034.html
   https://www.suse.com/security/cve/CVE-2017-7037.html
   https://www.suse.com/security/cve/CVE-2017-7038.html
   https://www.suse.com/security/cve/CVE-2017-7039.html
   https://www.suse.com/security/cve/CVE-2017-7040.html
   https://www.suse.com/security/cve/CVE-2017-7041.html
   https://www.suse.com/security/cve/CVE-2017-7042.html
   https://www.suse.com/security/cve/CVE-2017-7043.html
   https://www.suse.com/security/cve/CVE-2017-7046.html
   https://www.suse.com/security/cve/CVE-2017-7048.html
   https://www.suse.com/security/cve/CVE-2017-7049.html
   https://www.suse.com/security/cve/CVE-2017-7052.html
   https://www.suse.com/security/cve/CVE-2017-7055.html
   https://www.suse.com/security/cve/CVE-2017-7056.html
   https://www.suse.com/security/cve/CVE-2017-7059.html
   https://www.suse.com/security/cve/CVE-2017-7061.html
   https://www.suse.com/security/cve/CVE-2017-7064.html
   https://www.suse.com/security/cve/CVE-2017-7081.html
   https://www.suse.com/security/cve/CVE-2017-7087.html
   https://www.suse.com/security/cve/CVE-2017-7089.html
   https://www.suse.com/security/cve/CVE-2017-7090.html
   https://www.suse.com/security/cve/CVE-2017-7091.html
   https://www.suse.com/security/cve/CVE-2017-7092.html
   https://www.suse.com/security/cve/CVE-2017-7093.html
   https://www.suse.com/security/cve/CVE-2017-7094.html
   https://www.suse.com/security/cve/CVE-2017-7095.html
   https://www.suse.com/security/cve/CVE-2017-7096.html
   https://www.suse.com/security/cve/CVE-2017-7098.html
   https://www.suse.com/security/cve/CVE-2017-7099.html
   https://www.suse.com/security/cve/CVE-2017-7100.html
   https://www.suse.com/security/cve/CVE-2017-7102.html
   https://www.suse.com/security/cve/CVE-2017-7104.html
   https://www.suse.com/security/cve/CVE-2017-7107.html
   https://www.suse.com/security/cve/CVE-2017-7109.html
   https://www.suse.com/security/cve/CVE-2017-7111.html
   https://www.suse.com/security/cve/CVE-2017-7117.html
   https://www.suse.com/security/cve/CVE-2017-7120.html
   https://www.suse.com/security/cve/CVE-2017-7142.html
   https://www.suse.com/security/cve/CVE-2017-7156.html
   https://www.suse.com/security/cve/CVE-2017-7157.html
   https://bugzilla.suse.com/1020950
   https://bugzilla.suse.com/1024749
   https://bugzilla.suse.com/1050469
   https://bugzilla.suse.com/1066892
   https://bugzilla.suse.com/1069925
   https://bugzilla.suse.com/1073654
   https://bugzilla.suse.com/1075419

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================