Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2018.0282
SUSE Security Update: Security update for webkit2gtk3
30 January 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: webkit2gtk3
Publisher: SUSE
Operating System: SUSE
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2017-13870 CVE-2017-13866 CVE-2017-13856
CVE-2017-13803 CVE-2017-13798 CVE-2017-13788
CVE-2017-7157 CVE-2017-7156 CVE-2017-7142
CVE-2017-7120 CVE-2017-7117 CVE-2017-7111
CVE-2017-7109 CVE-2017-7107 CVE-2017-7104
CVE-2017-7102 CVE-2017-7100 CVE-2017-7099
CVE-2017-7098 CVE-2017-7096 CVE-2017-7095
CVE-2017-7094 CVE-2017-7093 CVE-2017-7092
CVE-2017-7091 CVE-2017-7090 CVE-2017-7089
CVE-2017-7087 CVE-2017-7081 CVE-2017-7064
CVE-2017-7061 CVE-2017-7059 CVE-2017-7056
CVE-2017-7055 CVE-2017-7052 CVE-2017-7049
CVE-2017-7048 CVE-2017-7046 CVE-2017-7043
CVE-2017-7042 CVE-2017-7041 CVE-2017-7040
CVE-2017-7039 CVE-2017-7038 CVE-2017-7037
CVE-2017-7034 CVE-2017-7030 CVE-2017-7020
CVE-2017-7019 CVE-2017-7018 CVE-2017-7012
CVE-2017-7011 CVE-2017-7006 CVE-2017-5754
CVE-2017-5753 CVE-2017-5715 CVE-2017-2539
CVE-2017-2510 CVE-2017-2496 CVE-2017-2373
CVE-2017-2371 CVE-2017-2369 CVE-2017-2366
CVE-2017-2365 CVE-2017-2364 CVE-2017-2363
CVE-2017-2362 CVE-2017-2356 CVE-2017-2355
CVE-2017-2354 CVE-2017-2350 CVE-2016-7656
CVE-2016-7654 CVE-2016-7652 CVE-2016-7645
CVE-2016-7641 CVE-2016-7639 CVE-2016-7635
CVE-2016-7632 CVE-2016-7623 CVE-2016-7610
CVE-2016-7599 CVE-2016-7598 CVE-2016-7592
CVE-2016-7589 CVE-2016-7587 CVE-2016-7586
CVE-2016-4743 CVE-2016-4692
Reference: ASB-2018.0033
ASB-2018.0030
ASB-2018.0009
ESB-2017.2768
ESB-2016.2962
ASB-2018.0002.4
ESB-2016.2928.2
ESB-2016.2927.2
ESB-2016.2926.2
Original Bulletin:
https://www.suse.com/support/update/announcement/2018/suse-su-20180219-1/
- --------------------------BEGIN INCLUDED TEXT--------------------
SUSE Security Update: Security update for webkit2gtk3
______________________________________________________________________________
Announcement ID: SUSE-SU-2018:0219-1
Rating: important
References: #1020950 #1024749 #1050469 #1066892 #1069925
#1073654 #1075419
Cross-References: CVE-2016-4692 CVE-2016-4743 CVE-2016-7586
CVE-2016-7587 CVE-2016-7589 CVE-2016-7592
CVE-2016-7598 CVE-2016-7599 CVE-2016-7610
CVE-2016-7623 CVE-2016-7632 CVE-2016-7635
CVE-2016-7639 CVE-2016-7641 CVE-2016-7645
CVE-2016-7652 CVE-2016-7654 CVE-2016-7656
CVE-2017-13788 CVE-2017-13798 CVE-2017-13803
CVE-2017-13856 CVE-2017-13866 CVE-2017-13870
CVE-2017-2350 CVE-2017-2354 CVE-2017-2355
CVE-2017-2356 CVE-2017-2362 CVE-2017-2363
CVE-2017-2364 CVE-2017-2365 CVE-2017-2366
CVE-2017-2369 CVE-2017-2371 CVE-2017-2373
CVE-2017-2496 CVE-2017-2510 CVE-2017-2539
CVE-2017-5715 CVE-2017-5753 CVE-2017-5754
CVE-2017-7006 CVE-2017-7011 CVE-2017-7012
CVE-2017-7018 CVE-2017-7019 CVE-2017-7020
CVE-2017-7030 CVE-2017-7034 CVE-2017-7037
CVE-2017-7038 CVE-2017-7039 CVE-2017-7040
CVE-2017-7041 CVE-2017-7042 CVE-2017-7043
CVE-2017-7046 CVE-2017-7048 CVE-2017-7049
CVE-2017-7052 CVE-2017-7055 CVE-2017-7056
CVE-2017-7059 CVE-2017-7061 CVE-2017-7064
CVE-2017-7081 CVE-2017-7087 CVE-2017-7089
CVE-2017-7090 CVE-2017-7091 CVE-2017-7092
CVE-2017-7093 CVE-2017-7094 CVE-2017-7095
CVE-2017-7096 CVE-2017-7098 CVE-2017-7099
CVE-2017-7100 CVE-2017-7102 CVE-2017-7104
CVE-2017-7107 CVE-2017-7109 CVE-2017-7111
CVE-2017-7117 CVE-2017-7120 CVE-2017-7142
CVE-2017-7156 CVE-2017-7157
Affected Products:
SUSE Linux Enterprise Workstation Extension 12-SP3
SUSE Linux Enterprise Workstation Extension 12-SP2
SUSE Linux Enterprise Software Development Kit 12-SP3
SUSE Linux Enterprise Software Development Kit 12-SP2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2
SUSE Linux Enterprise Server 12-SP3
SUSE Linux Enterprise Server 12-SP2
SUSE Linux Enterprise Desktop 12-SP3
SUSE Linux Enterprise Desktop 12-SP2
______________________________________________________________________________
An update that fixes 89 vulnerabilities is now available.
Description:
This update for webkit2gtk3 fixes the following issues:
Update to version 2.18.5:
+ Disable SharedArrayBuffers from Web API.
+ Reduce the precision of "high" resolution time to 1ms.
+ bsc#1075419 - Security fixes: includes improvements to mitigate the
effects of Spectre and Meltdown (CVE-2017-5753 and CVE-2017-5715).
Update to version 2.18.4:
+ Make WebDriver implementation more spec compliant.
+ Fix a bug when trying to remove cookies before a web process is
spawned.
+ WebKitWebDriver process no longer links to libjavascriptcoregtk.
+ Fix several memory leaks in GStreamer media backend.
+ bsc#1073654 - Security fixes: CVE-2017-13866, CVE-2017-13870,
CVE-2017-7156, CVE-2017-13856.
Update to version 2.18.3:
+ Improve calculation of font metrics to prevent scrollbars from being
shown unnecessarily in some cases.
+ Fix handling of null capabilities in WebDriver implementation.
+ Security fixes: CVE-2017-13798, CVE-2017-13788, CVE-2017-13803.
Update to version 2.18.2:
+ Fix rendering of arabic text.
+ Fix a crash in the web process when decoding GIF images.
+ Fix rendering of wind in Windy.com.
+ Fix several crashes and rendering issues.
Update to version 2.18.1:
+ Improve performance of GIF animations.
+ Fix garbled display in GMail.
+ Fix rendering of several material design icons when using the web font.
+ Fix flickering when resizing the window in Wayland.
+ Prevent default kerberos authentication credentials from being used in
ephemeral sessions.
+ Fix a crash when webkit_web_resource_get_data() is cancelled.
+ Correctly handle touchmove and touchend events in WebKitWebView.
+ Fix the build with enchant 2.1.1.
+ Fix the build in HPPA and Alpha.
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2017-7081, CVE-2017-7087, CVE-2017-7089,
CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093,
CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098,
CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104,
CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117,
CVE-2017-7120, CVE-2017-7142.
- Enable gold linker on s390/s390x on SLE15/Tumbleweed.
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Workstation Extension 12-SP3:
zypper in -t patch SUSE-SLE-WE-12-SP3-2018-150=1
- SUSE Linux Enterprise Workstation Extension 12-SP2:
zypper in -t patch SUSE-SLE-WE-12-SP2-2018-150=1
- SUSE Linux Enterprise Software Development Kit 12-SP3:
zypper in -t patch SUSE-SLE-SDK-12-SP3-2018-150=1
- SUSE Linux Enterprise Software Development Kit 12-SP2:
zypper in -t patch SUSE-SLE-SDK-12-SP2-2018-150=1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:
zypper in -t patch SUSE-SLE-RPI-12-SP2-2018-150=1
- SUSE Linux Enterprise Server 12-SP3:
zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-150=1
- SUSE Linux Enterprise Server 12-SP2:
zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-150=1
- SUSE Linux Enterprise Desktop 12-SP3:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-150=1
- SUSE Linux Enterprise Desktop 12-SP2:
zypper in -t patch SUSE-SLE-DESKTOP-12-SP2-2018-150=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Workstation Extension 12-SP3 (noarch):
libwebkit2gtk3-lang-2.18.5-2.18.1
- SUSE Linux Enterprise Workstation Extension 12-SP2 (noarch):
libwebkit2gtk3-lang-2.18.5-2.18.1
- SUSE Linux Enterprise Software Development Kit 12-SP3 (aarch64 ppc64le s390x x86_64):
webkit2gtk3-debugsource-2.18.5-2.18.1
webkit2gtk3-devel-2.18.5-2.18.1
- SUSE Linux Enterprise Software Development Kit 12-SP2 (aarch64 ppc64le s390x x86_64):
webkit2gtk3-debugsource-2.18.5-2.18.1
webkit2gtk3-devel-2.18.5-2.18.1
- SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (aarch64):
libjavascriptcoregtk-4_0-18-2.18.5-2.18.1
libjavascriptcoregtk-4_0-18-debuginfo-2.18.5-2.18.1
libwebkit2gtk-4_0-37-2.18.5-2.18.1
libwebkit2gtk-4_0-37-debuginfo-2.18.5-2.18.1
typelib-1_0-JavaScriptCore-4_0-2.18.5-2.18.1
typelib-1_0-WebKit2-4_0-2.18.5-2.18.1
webkit2gtk-4_0-injected-bundles-2.18.5-2.18.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.18.5-2.18.1
webkit2gtk3-debugsource-2.18.5-2.18.1
- SUSE Linux Enterprise Server 12-SP3 (aarch64 ppc64le s390x x86_64):
libjavascriptcoregtk-4_0-18-2.18.5-2.18.1
libjavascriptcoregtk-4_0-18-debuginfo-2.18.5-2.18.1
libwebkit2gtk-4_0-37-2.18.5-2.18.1
libwebkit2gtk-4_0-37-debuginfo-2.18.5-2.18.1
typelib-1_0-JavaScriptCore-4_0-2.18.5-2.18.1
typelib-1_0-WebKit2-4_0-2.18.5-2.18.1
webkit2gtk-4_0-injected-bundles-2.18.5-2.18.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.18.5-2.18.1
webkit2gtk3-debugsource-2.18.5-2.18.1
- SUSE Linux Enterprise Server 12-SP2 (aarch64 ppc64le s390x x86_64):
libjavascriptcoregtk-4_0-18-2.18.5-2.18.1
libjavascriptcoregtk-4_0-18-debuginfo-2.18.5-2.18.1
libwebkit2gtk-4_0-37-2.18.5-2.18.1
libwebkit2gtk-4_0-37-debuginfo-2.18.5-2.18.1
typelib-1_0-JavaScriptCore-4_0-2.18.5-2.18.1
typelib-1_0-WebKit2-4_0-2.18.5-2.18.1
webkit2gtk-4_0-injected-bundles-2.18.5-2.18.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.18.5-2.18.1
webkit2gtk3-debugsource-2.18.5-2.18.1
- SUSE Linux Enterprise Desktop 12-SP3 (noarch):
libwebkit2gtk3-lang-2.18.5-2.18.1
- SUSE Linux Enterprise Desktop 12-SP3 (x86_64):
libjavascriptcoregtk-4_0-18-2.18.5-2.18.1
libjavascriptcoregtk-4_0-18-debuginfo-2.18.5-2.18.1
libwebkit2gtk-4_0-37-2.18.5-2.18.1
libwebkit2gtk-4_0-37-debuginfo-2.18.5-2.18.1
typelib-1_0-JavaScriptCore-4_0-2.18.5-2.18.1
typelib-1_0-WebKit2-4_0-2.18.5-2.18.1
webkit2gtk-4_0-injected-bundles-2.18.5-2.18.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.18.5-2.18.1
webkit2gtk3-debugsource-2.18.5-2.18.1
- SUSE Linux Enterprise Desktop 12-SP2 (x86_64):
libjavascriptcoregtk-4_0-18-2.18.5-2.18.1
libjavascriptcoregtk-4_0-18-debuginfo-2.18.5-2.18.1
libwebkit2gtk-4_0-37-2.18.5-2.18.1
libwebkit2gtk-4_0-37-debuginfo-2.18.5-2.18.1
typelib-1_0-JavaScriptCore-4_0-2.18.5-2.18.1
typelib-1_0-WebKit2-4_0-2.18.5-2.18.1
webkit2gtk-4_0-injected-bundles-2.18.5-2.18.1
webkit2gtk-4_0-injected-bundles-debuginfo-2.18.5-2.18.1
webkit2gtk3-debugsource-2.18.5-2.18.1
- SUSE Linux Enterprise Desktop 12-SP2 (noarch):
libwebkit2gtk3-lang-2.18.5-2.18.1
References:
https://www.suse.com/security/cve/CVE-2016-4692.html
https://www.suse.com/security/cve/CVE-2016-4743.html
https://www.suse.com/security/cve/CVE-2016-7586.html
https://www.suse.com/security/cve/CVE-2016-7587.html
https://www.suse.com/security/cve/CVE-2016-7589.html
https://www.suse.com/security/cve/CVE-2016-7592.html
https://www.suse.com/security/cve/CVE-2016-7598.html
https://www.suse.com/security/cve/CVE-2016-7599.html
https://www.suse.com/security/cve/CVE-2016-7610.html
https://www.suse.com/security/cve/CVE-2016-7623.html
https://www.suse.com/security/cve/CVE-2016-7632.html
https://www.suse.com/security/cve/CVE-2016-7635.html
https://www.suse.com/security/cve/CVE-2016-7639.html
https://www.suse.com/security/cve/CVE-2016-7641.html
https://www.suse.com/security/cve/CVE-2016-7645.html
https://www.suse.com/security/cve/CVE-2016-7652.html
https://www.suse.com/security/cve/CVE-2016-7654.html
https://www.suse.com/security/cve/CVE-2016-7656.html
https://www.suse.com/security/cve/CVE-2017-13788.html
https://www.suse.com/security/cve/CVE-2017-13798.html
https://www.suse.com/security/cve/CVE-2017-13803.html
https://www.suse.com/security/cve/CVE-2017-13856.html
https://www.suse.com/security/cve/CVE-2017-13866.html
https://www.suse.com/security/cve/CVE-2017-13870.html
https://www.suse.com/security/cve/CVE-2017-2350.html
https://www.suse.com/security/cve/CVE-2017-2354.html
https://www.suse.com/security/cve/CVE-2017-2355.html
https://www.suse.com/security/cve/CVE-2017-2356.html
https://www.suse.com/security/cve/CVE-2017-2362.html
https://www.suse.com/security/cve/CVE-2017-2363.html
https://www.suse.com/security/cve/CVE-2017-2364.html
https://www.suse.com/security/cve/CVE-2017-2365.html
https://www.suse.com/security/cve/CVE-2017-2366.html
https://www.suse.com/security/cve/CVE-2017-2369.html
https://www.suse.com/security/cve/CVE-2017-2371.html
https://www.suse.com/security/cve/CVE-2017-2373.html
https://www.suse.com/security/cve/CVE-2017-2496.html
https://www.suse.com/security/cve/CVE-2017-2510.html
https://www.suse.com/security/cve/CVE-2017-2539.html
https://www.suse.com/security/cve/CVE-2017-5715.html
https://www.suse.com/security/cve/CVE-2017-5753.html
https://www.suse.com/security/cve/CVE-2017-5754.html
https://www.suse.com/security/cve/CVE-2017-7006.html
https://www.suse.com/security/cve/CVE-2017-7011.html
https://www.suse.com/security/cve/CVE-2017-7012.html
https://www.suse.com/security/cve/CVE-2017-7018.html
https://www.suse.com/security/cve/CVE-2017-7019.html
https://www.suse.com/security/cve/CVE-2017-7020.html
https://www.suse.com/security/cve/CVE-2017-7030.html
https://www.suse.com/security/cve/CVE-2017-7034.html
https://www.suse.com/security/cve/CVE-2017-7037.html
https://www.suse.com/security/cve/CVE-2017-7038.html
https://www.suse.com/security/cve/CVE-2017-7039.html
https://www.suse.com/security/cve/CVE-2017-7040.html
https://www.suse.com/security/cve/CVE-2017-7041.html
https://www.suse.com/security/cve/CVE-2017-7042.html
https://www.suse.com/security/cve/CVE-2017-7043.html
https://www.suse.com/security/cve/CVE-2017-7046.html
https://www.suse.com/security/cve/CVE-2017-7048.html
https://www.suse.com/security/cve/CVE-2017-7049.html
https://www.suse.com/security/cve/CVE-2017-7052.html
https://www.suse.com/security/cve/CVE-2017-7055.html
https://www.suse.com/security/cve/CVE-2017-7056.html
https://www.suse.com/security/cve/CVE-2017-7059.html
https://www.suse.com/security/cve/CVE-2017-7061.html
https://www.suse.com/security/cve/CVE-2017-7064.html
https://www.suse.com/security/cve/CVE-2017-7081.html
https://www.suse.com/security/cve/CVE-2017-7087.html
https://www.suse.com/security/cve/CVE-2017-7089.html
https://www.suse.com/security/cve/CVE-2017-7090.html
https://www.suse.com/security/cve/CVE-2017-7091.html
https://www.suse.com/security/cve/CVE-2017-7092.html
https://www.suse.com/security/cve/CVE-2017-7093.html
https://www.suse.com/security/cve/CVE-2017-7094.html
https://www.suse.com/security/cve/CVE-2017-7095.html
https://www.suse.com/security/cve/CVE-2017-7096.html
https://www.suse.com/security/cve/CVE-2017-7098.html
https://www.suse.com/security/cve/CVE-2017-7099.html
https://www.suse.com/security/cve/CVE-2017-7100.html
https://www.suse.com/security/cve/CVE-2017-7102.html
https://www.suse.com/security/cve/CVE-2017-7104.html
https://www.suse.com/security/cve/CVE-2017-7107.html
https://www.suse.com/security/cve/CVE-2017-7109.html
https://www.suse.com/security/cve/CVE-2017-7111.html
https://www.suse.com/security/cve/CVE-2017-7117.html
https://www.suse.com/security/cve/CVE-2017-7120.html
https://www.suse.com/security/cve/CVE-2017-7142.html
https://www.suse.com/security/cve/CVE-2017-7156.html
https://www.suse.com/security/cve/CVE-2017-7157.html
https://bugzilla.suse.com/1020950
https://bugzilla.suse.com/1024749
https://bugzilla.suse.com/1050469
https://bugzilla.suse.com/1066892
https://bugzilla.suse.com/1069925
https://bugzilla.suse.com/1073654
https://bugzilla.suse.com/1075419
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBWm+qAIx+lLeg9Ub1AQjtDA/+ONEI7e4aVp2FD0cMA5HbUM/rJkAulHbi
yCBxIYsrTUVUNW7FrWYS3nJ8hJtrzbZlzYi5OzzXDGWeURXEm+1LSfGrt6F9/Ujk
qj0pzyz+FrqN2+G7QbZ2LV9ronTlvVq3En4CWfm7gSt7V9MPB2acdfDbeVqvP7fA
+p2aonN2mAvZyGXYQHidJEinrHmpdWiUH5evoa4nkCDossLXs0G/YhJ7m+PV4jno
ZrySnHG/N9Ay/mjhM1qh3wsN2uWKPMdq/dhbJkPzJyOI5MK5v/lgEd0LqcZ7oFRY
1Xt7UBcJJ6UnehDiTPhKHUa3R37UrAoAFpTlYXn+M1V0qcjsxjAgQDY1D5ptJsmM
TSHCViejxTyM1BNAX6kgA2JrZOEJmMf3tYAwSErMCEKBH6bXmpJK/84UlGG8R5LQ
avx8UMva7Zj5xTwnStAfvJkCYsmQND3NC1KAKNE68IYJa1mzFKaywRfZ0+Qegr84
MPfO7ituac7v/JYc/5cyk0zzoVX9Jl22FMFb1eMwsn3jaiz7apdqp+FSaltQoFrJ
ETHpOu0kzgfXikpxSK//6EXIFHO7iRm/n5WxtJPSnTs33NvY76cBcwQ4iiNYYjTO
75VDcVYg33Fi3CQqhEJLBu8IIOl5oDrSTL5Tz5DEry0yJVRRyMdfkuycTmLOlkDX
zb5lx+YZjc4=
=zO76
-----END PGP SIGNATURE-----