-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0434
        WebKitGTK+ and WPE WebKit Security Advisory WSA-2019-0001
                              12 February 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebKitGTK+
                   WPE WebKit
Publisher:         WebKit
Operating System:  Linux variants
                   Mac OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-6234 CVE-2019-6233 CVE-2019-6229 CVE-2019-6227
                   CVE-2019-6226 CVE-2019-6217 CVE-2019-6216 CVE-2019-6215
                   CVE-2019-6212
Reference:         ESB-2019.0228
                   ESB-2019.0199
                   ESB-2019.0197
                   ESB-2019.0196
                   ESB-2019.0195
                   ESB-2019.0194

Original Bulletin:
   https://webkitgtk.org/security/WSA-2019-0001.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- ------------------------------------------------------------------------
WebKitGTK+ and WPE WebKit Security Advisory                 WSA-2019-0001
- ------------------------------------------------------------------------

Date reported           : February 08, 2019
Advisory ID             : WSA-2019-0001
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2019-0001.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0001.html
CVE identifiers         : CVE-2019-6212, CVE-2019-6215, CVE-2019-6216,
                          CVE-2019-6217, CVE-2019-6226, CVE-2019-6227,
                          CVE-2019-6229, CVE-2019-6233, CVE-2019-6234.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2019-6212
    Versions affected: WebKitGTK+ before 2.22.6 and WPE WebKit before
    2.22.4.
    Credit to an anonymous researcher.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with
    improved memory handling.

CVE-2019-6215
    Versions affected: WebKitGTK+ before 2.22.6 and WPE WebKit before
    2.22.4.
    Credit to Lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A type confusion issue was addressed with improved memory
    handling.

CVE-2019-6216
    Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
    2.22.3.
    Credit to Fluoroacetate working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with
    improved memory handling.

CVE-2019-6217
    Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
    2.22.3.
    Credit to Fluoroacetate working with Trend Micro's Zero Day Initiative,
    Proteas, Shrek_wzw, and Zhuo Liang of Qihoo 360 Nirvan Team.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with
    improved memory handling.

CVE-2019-6226
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to Apple.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with
    improved memory handling.

CVE-2019-6227
    Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
    2.22.3.
    Credit to Qixun Zhao of Qihoo 360 Vulcan Team.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A memory corruption issue was addressed with improved
    memory handling.

CVE-2019-6229
    Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before
    2.22.3.
    Credit to Ryan Pickren.
    Processing maliciously crafted web content may lead to universal cross
    site scripting. A logic issue was addressed with improved validation.

CVE-2019-6233
    Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before
    2.22.2.
    Credit to G. Geshev from MWR Labs working with Trend Micro's Zero Day
    Initiative.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A memory corruption issue was addressed with improved
    memory handling.

CVE-2019-6234
    Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before
    2.22.2.
    Credit to G. Geshev from MWR Labs working with Trend Micro's Zero Day
    Initiative.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A memory corruption issue was addressed with improved
    memory handling.

We recommend updating to the latest stable versions of WebKitGTK+ and WPE
WebKit. It is the best way to ensure that you are running safe versions of
WebKit. Please check our websites for information about the latest stable
releases.

Further information about WebKitGTK+ and WPE WebKit security advisories
can be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK+ and WPE WebKit team,
February 08, 2019

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
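The advisory gives a different "fixed in" version for each CVE, so a single "am I on 2.22.x?" check is not enough. The following script is an added example (not part of the AusCERT bulletin or the WebKit advisory): it transcribes the per-CVE thresholds above and reports which CVEs still apply to an installed WebKitGTK+ or WPE WebKit version. The pkg-config module name `webkit2gtk-4.0` used in the `__main__` block is an assumption about the 2.22 series; adjust it for your distribution.

```python
"""Check an installed WebKitGTK+ / WPE WebKit version against WSA-2019-0001."""
from __future__ import annotations

# Per-CVE "first fixed" versions, transcribed from the advisory text:
# CVE id -> (first fixed WebKitGTK+ version, first fixed WPE WebKit version)
WSA_2019_0001 = {
    "CVE-2019-6212": ("2.22.6", "2.22.4"),
    "CVE-2019-6215": ("2.22.6", "2.22.4"),
    "CVE-2019-6216": ("2.22.5", "2.22.3"),
    "CVE-2019-6217": ("2.22.5", "2.22.3"),
    "CVE-2019-6226": ("2.22.0", "2.22.0"),
    "CVE-2019-6227": ("2.22.5", "2.22.3"),
    "CVE-2019-6229": ("2.22.5", "2.22.3"),
    "CVE-2019-6233": ("2.22.4", "2.22.2"),
    "CVE-2019-6234": ("2.22.4", "2.22.2"),
}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2.22.5' (or '2.22.5-1ubuntu1' as dpkg may print it) into (2, 22, 5).
    Only the leading dotted numeric part is compared, padded to three fields.
    Caveat: a distro backport of the fix keeps the old upstream number and
    will still be reported as affected; check the distro changelog for those."""
    core = text.strip().split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])  # type: ignore[return-value]


def unpatched_cves(product: str, installed: str) -> list[str]:
    """CVEs from WSA-2019-0001 still applying to `installed`.
    product is 'webkitgtk' or 'wpe'. A version is affected when it is
    strictly below the advisory's 'before X' threshold for that product."""
    idx = {"webkitgtk": 0, "wpe": 1}[product]
    have = parse_version(installed)
    return sorted(cve for cve, fixed in WSA_2019_0001.items()
                  if have < parse_version(fixed[idx]))


if __name__ == "__main__":
    import subprocess
    import sys
    # Assumed module name for the 2.22 series; WPE systems would query wpe-webkit instead.
    try:
        ver = subprocess.run(["pkg-config", "--modversion", "webkit2gtk-4.0"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        sys.exit("webkit2gtk-4.0 not found via pkg-config")
    open_cves = unpatched_cves("webkitgtk", ver)
    print(f"WebKitGTK+ {ver.strip()}: "
          + (", ".join(open_cves) if open_cves else "all WSA-2019-0001 fixes present"))
```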
NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================