Published: 27 January 2022
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.0371
                 webkit2gtk and wpewebkit security update
                              27 January 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           webkit2gtk
                   wpewebkit
Publisher:         Debian
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-30984 CVE-2021-30954 CVE-2021-30953
                   CVE-2021-30952 CVE-2021-30951 CVE-2021-30936
                   CVE-2021-30934

Reference:         ESB-2021.4268
                   ESB-2021.4267

Original Bulletin:
   http://www.debian.org/security/2022/dsa-5060
   http://www.debian.org/security/2022/dsa-5061

Comment: This bulletin contains two (2) Debian security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-5060-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
January 25, 2022                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952
                 CVE-2021-30953 CVE-2021-30954 CVE-2021-30984

The following vulnerabilities have been discovered in the webkit2gtk
web engine:

CVE-2021-30934

    Dani Biro discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-30936

    Chijin Zhou discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-30951

    Pangu discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2021-30952

    WeBin discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2021-30953

    VRIJ discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2021-30954

    Kunlun Lab discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-30984

    Kunlun Lab discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

For the oldstable distribution (buster), these problems have been fixed
in version 2.34.4-1~deb10u1.

For the stable distribution (bullseye), these problems have been fixed in
version 2.34.4-1~deb11u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

-------------------------------------------------------------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-5061-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
January 25, 2022                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : wpewebkit
CVE ID         : CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952
                 CVE-2021-30953 CVE-2021-30954 CVE-2021-30984

The following vulnerabilities have been discovered in the wpewebkit
web engine:

CVE-2021-30934

    Dani Biro discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-30936

    Chijin Zhou discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-30951

    Pangu discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2021-30952

    WeBin discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2021-30953

    VRIJ discovered that processing maliciously crafted web content
    may lead to arbitrary code execution.

CVE-2021-30954

    Kunlun Lab discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

CVE-2021-30984

    Kunlun Lab discovered that processing maliciously crafted web
    content may lead to arbitrary code execution.

For the stable distribution (bullseye), these problems have been fixed in
version 2.34.4-1~deb11u1.

We recommend that you upgrade your wpewebkit packages.

For the detailed security status of wpewebkit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wpewebkit

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================