[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#787021: marked as done (jessie-pu: package webkitgtk/2.4.8-2)

Your message dated Sat, 23 Jan 2016 13:57:15 +0000
with message-id <1453557435.1835.52.camel@adam-barratt.org.uk>
and subject line 8.3 point release cleanup
has caused the Debian Bug report #787021,
regarding jessie-pu: package webkitgtk/2.4.8-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
787021: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787021
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hello,

webkitgtk 2.4.9 was released containing several bug fixes, including
the one for CVE-2015-2330.

I contacted the Debian security team in order to make a security
release with this fix. However, and since webkitgtk is in the
limited-support set of packages it's very unlikely that the fix can be
released through a DSA. They suggested to check if the
proposed-updates mechanism would be suitable.

The 2.4 branch of webkit is a stable branch and there's no active
development there. However it's still maintained and there are
releases with important bugfixes periodically, so I think it's the
kind of releases that would make sense in a stable distribution.

Should I upload webkitgtk 2.4.9 to wheezy-pu?

For reference here's the changelog of the latest release:

   * Check TLS errors as soon as they are set in the SoupMessage to
     prevent any data from being sent to the server in case of invalid
     certificate. [CVE-2015-2330]
   * Clear the GObject DOM bindings internal cache when frames are
     destroyed or web view contents are updated.
   * Add HighDPI support for non-accelerated compositing contents.
   * Fix some transfer annotations used in GObject DOM bindings.
   * Use latin1 instead of UTF-8 for HTTP header values.
   * Fix synchronous loads when maximum connection limits are reached.
   * Fix a crash ScrollView::contentsToWindow() when GtkPluginWidget
     doesn’t have a parent.
   * Fix a memory leak in webkit_web_policy_decision_new.
   * Fix g_closure_unref runtime warning.
   * Fix a crash due to empty drag image during drag and drop.
   * Fix rendering of scrollbars with GTK+ >= 3.16.
   * Fix the build on mingw32/msys.
   * Fix the build with WebKit2 disabled.
   * Fix the build with accelerated compositing disabled.
   * Fix clang version check in configure.
   * Fix the build with recent versions of GLib that have
     GMutexLocker.
   * Fix the build for Linux/MIPS64EL.

Regards,

Berto

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message --- 
Version: 8.3

Hi,

The updates referred to in these bugs were included in today's 8.3
Jessie point release.

Regards,

Adam

--- End Message ---
Reply to: