Published:
27 January 2022
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.0371
webkit2gtk and wpewebkit security update
27 January 2022
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: webkit2gtk
wpewebkit
Publisher: Debian
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2021-30984 CVE-2021-30954 CVE-2021-30953
CVE-2021-30952 CVE-2021-30951 CVE-2021-30936
CVE-2021-30934
Reference: ESB-2021.4268
ESB-2021.4267
Original Bulletin:
http://www.debian.org/security/2022/dsa-5060
http://www.debian.org/security/2022/dsa-5061
Comment: This bulletin contains two (2) Debian security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5060-1 security@debian.org
https://www.debian.org/security/ Alberto Garcia
January 25, 2022 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : webkit2gtk
CVE ID : CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952
CVE-2021-30953 CVE-2021-30954 CVE-2021-30984
The following vulnerabilities have been discovered in the webkit2gtk
web engine:
CVE-2021-30934
Dani Biro discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2021-30936
Chijin Zhou discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2021-30951
Pangu discovered that processing maliciously crafted web content
may lead to arbitrary code execution.
CVE-2021-30952
WeBin discovered that processing maliciously crafted web content
may lead to arbitrary code execution.
CVE-2021-30953
VRIJ discovered that processing maliciously crafted web content
may lead to arbitrary code execution.
CVE-2021-30954
Kunlun Lab discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2021-30984
Kunlun Lab discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
For the oldstable distribution (buster), these problems have been fixed
in version 2.34.4-1~deb10u1.
For the stable distribution (bullseye), these problems have been fixed in
version 2.34.4-1~deb11u1.
We recommend that you upgrade your webkit2gtk packages.
For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmHwVZ0ACgkQAAyEYu0C
2ALcBw/+KecJ2pZzcoe0ZMw8iM8MeIKdF2l7ggcKIYMYFGeFQAWEzZ6mKKFrN6/b
45K7XG0yhBJ+9SbSISoG03bR//N+TsoncOhjJ84RFycmEIL5Rsp/wNgzkpMV77b0
REmn3S+1Hb/9+r9EZiRK2ArSXAnP/N2uj6CHx2IOipClbRQ7BKfYkVbPy+AyZyig
Tw7beB98HU8gp/AtZFbQ+4WDJX50n587Hp160llLPUklF0jT/LYJKquS3FMPrlTr
HSu7TWce0hlI7bozZJgNY7iYFffJE6ykclSX9e7QjV7SIn1cBLrb1F45qAxayaVY
9zMUgPcB7eilujBKLOfVSm6JA1OyjJyyofiX9JZxUpPvqFTNDql3hmwC11XO/UUT
5nfqAiM5GmvQ3FUFk7ml+bVJEishyNfYRssGq7pZQAqLwjzqeq/kaIoyaRNyfjGZ
Ugei2/agwLREgeJz7ILrRsd9F6Z//IpLq6CTyn/gFtHUhrvFm/D5lGPy+sEmkQAI
O2ZDUpNaRG9gAmvKI+ZYJ6ZbAGtvhxMYacXICmcpNzwygUQ0Yu7BIqXlK4BjHkWH
499a8cgRJe9kRuoLGOJAmh+DzFNO2sfsGl9g1XjP/Kb4UYGKx3IElRiwNGNN12m7
+1eY3saczkDFqbAe2Wk4V2+PAerxHBSYe5WcO9JNvaviB4FXR4M=
=0Nlr
- -----END PGP SIGNATURE-----
- -----------------------------------------------------------------------------------------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-5061-1 security@debian.org
https://www.debian.org/security/ Alberto Garcia
January 25, 2022 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : wpewebkit
CVE ID : CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952
CVE-2021-30953 CVE-2021-30954 CVE-2021-30984
The following vulnerabilities have been discovered in the wpewebkit
web engine:
CVE-2021-30934
Dani Biro discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2021-30936
Chijin Zhou discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2021-30951
Pangu discovered that processing maliciously crafted web content
may lead to arbitrary code execution.
CVE-2021-30952
WeBin discovered that processing maliciously crafted web content
may lead to arbitrary code execution.
CVE-2021-30953
VRIJ discovered that processing maliciously crafted web content
may lead to arbitrary code execution.
CVE-2021-30954
Kunlun Lab discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
CVE-2021-30984
Kunlun Lab discovered that processing maliciously crafted web
content may lead to arbitrary code execution.
For the stable distribution (bullseye), these problems have been fixed in
version 2.34.4-1~deb11u1.
We recommend that you upgrade your wpewebkit packages.
For the detailed security status of wpewebkit please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/wpewebkit
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmHwVd8ACgkQAAyEYu0C
2AI+HQ//ax1cmz6NmIRfPZCqzAL5HqXWacOI9XsnW9AxlOCrExNQFdGwG7XcecEA
xOWlVx61KMYB6eTFO5zb8echceKwUlOZsOqlr4vlFHPTouvIAIsQOuW8GgR5bxHs
tm3WAvQLhXHTOicOqzDrkHSuouxOGnIbEHlvUhP2turayX1nQ4FVRSYAoo6AlmDW
hDg/STRkrvi0KvdBFb7x+U/jGirq5V7F4cL5MnVznp4ZYorLe5nXDHkNnujgwDUv
heOs2NtpvVo2M157Bwh+TMcOTxqKK+D9ZjSK++xhStooLpHugYfLclPWrHeLkfqE
+EeOHUHAMSYC9Ta+np3Eofs5joDai3Hpg541RG2Du43ivFe1wGmuYoZHg5CCE05H
uQOu5B8pY1iUMx6Pxeaw9PjN4lwCGpJBRSxnRu2oKDCUqCM2sYHBB5W2qxYLS9GZ
KKyg8aqGLiJ6o55YjB0LZwkg/OjUs3BKUDsrFVg/HMmRoQMReEH+JX3S6JCkGIur
TErg0lz4wjU7yMRZFZQZsNpvNmk1rurjZ3XztwPnEda/wa8WhPVh0Fz4t9HwW81F
SYBgHZexDb4YJ8phK7XsJ8c/FInlCj9KWbla0BtadGFt0A4RO3b5ySyGIf4AUU9H
MMxmtiKx7zz1kZcVWW/SyJOpEpjOr7A0nsRH6FpD0f1k+RtC3qU=
=A+Cj
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBYfIscuNLKJtyKPYoAQjYXA//VIJfOWJF3K+MMt9DDzoyDdcHu9aKNoAF
wr7GRYLLKDMsE6TNF8yia+TPSt1qK/Y13awcZSa1Y7EF42BECguRcdFtwLy7Ltu7
TDltixB5eUyWC0v0fs0ee1Tg1sswxtNFp2K4jcnBfTtP7tD4CAQ+OrTVJvWB95/T
F2ExonXBI2fV4RvXTqOWZGeJbEs66EWfzz39z/OSAXcI+nFozodeqfhefVsFbgbu
q0oOXne3KK490e4irc0IzX5d/pg7maUZ1P+qooJ3yAjQRw9zQWZfGG1O8XdzhdD+
/iIAaAjBMWW43U0SUGaQa4FQ17A0338iqfsZJ1FMCPMaj+ECyj20jMQ8VKWwGhNm
fIpdR0GjGprqL4CdriQec76A3aJsrXHBIUv5AEPP5CDAOwJokd/DznTbQqmbB92K
MVdiqEqE3p+YoGXpO5DnXRDBKUjEirZHUweB93VmsWMsYRWqRnUcWJdrX4CLYE6v
/oZwnc5qkTXoqJjQF6NrMsNd8kRNQ4Tr2gJUf1IO1AYOYnwYMF2c3ZzR8dg0/V/G
dndwTWaIlHYfGj+B5fJz+U2HqrrSgMQRnP1aQvUTOjfKT4lMcECS1OeTadmGse9h
4OgnwEUKpyn3pv7sSiJT3bae5s28qL2dOTd0xlmFgDaPTh56KsAihURaX21ElPyc
buoihsUlMM8=
=cgRG
-----END PGP SIGNATURE-----