[SECURITY] [DLA 3423-1] epiphany-browser security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 3423-1] epiphany-browser security update
From: "Chris Lamb" <lamby@debian.org>
Date: Mon, 15 May 2023 14:36:11 -0700
Message-id: <[🔎] 168418117453.932369.2266119855120787206@copycat>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-3423-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                           Chris Lamb
May 15, 2023                                  https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : epiphany-browser
Version        : 3.32.1.2-3~deb10u3
CVE ID         : CVE-2023-26081
Debian Bug     : 1031727

It was discovered that there was a potential credential stealing
attack in epiphany-browser, the default GNOME web browser.

When using a sandboxed Content Security Policy (CSP) or the HTML
"iframe" tag, the sandboxed web content was trusted by the
main/surrounding resource. After this change, however, the password
manager is disabled entirely in this situations, so that the
untrusted web content cannot exfiltrate passwords.

For Debian 10 buster, this problem has been fixed in version
3.32.1.2-3~deb10u3.

We recommend that you upgrade your epiphany-browser packages.

For the detailed security status of epiphany-browser please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/epiphany-browser

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmRikKcACgkQHpU+J9Qx
HlhamhAAlme/ukU40uYqO3v7Qx4toS/L9V2jqRV0Ki/+wbR7ynKgmZjfIxqZpzhE
l9e1DwLKLJjSYoT88s02AJr15QPHdGsnJiFS06/qFCqD9tFL9vl7w7PzyIbEnAHq
Z1J8q+bxpKxpXhJq5pBmWoMOYQX0ROKTvh89Fabk+OSRgdYbreNfDf66tAHEoVfX
BYBlpHr6JBBDe6rbWYcPGMZothLiPOGOLxjRaPFxyKIsZHNO0zFheZ16Q5qKpirI
ugF4PDMlwOkjdE0cfP867gy9LTDSj8w6I0Q74nYxT/U128fbytmkTVFoEm76thXn
DICl1UDHNjAkMUWr7SziumdAgZPFazqrur8TyEyEIchdPfqruZJU6V2pDzBAG/NO
2Jg+4X42l1ArOl5Vfw1q/i3cxfwhgoqsPdXWLTJj12mN/114ln4xRrTMhsnhnCU1
QRtuhSHGer7n55m0uAp9k3Uy3QewChgEoSpn6uYyC6yLdcJOvf3Bs2chSY4XIhPW
nG5UmcodAZ++gmMGtSDQ/ED5++L0ab7JDwCZgRdXAerGCrzPl+ZjcyF58Tj+eP9z
80awfmTQoaYigd+gY8dBLPZF95skvtfogqlTlM2d25MqgfsXM57XKAHg3JOjT9DA
gdCEZwZUJLdRUTEBiS/uYBJeivArYfQ+wtoOzc0OMFhCkT6+Pkc=
=3UKq
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 3422-1] postgresql-11 security update
Next by Date: [SECURITY] [DLA 3424-1] python-ipaddress security update
Previous by thread: [SECURITY] [DLA 3422-1] postgresql-11 security update
Next by thread: [SECURITY] [DLA 3424-1] python-ipaddress security update
Index(es):
- Date
- Thread