Package: release.debian.org
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-CC: pkg-webkit-maintainers@lists.alioth.debian.org, team@security.debian.org
Severity: normal

Please unblock package webkit2gtk for inclusion in Debian 9.0.

unblock webkit2gtk/2.16.3-2

Justification
------------------

Three known publicized security vulnerabilities have been fixed in 2.16.3: CVE-2017-2496, CVE-2017-2539 and CVE-2017-2510. For more details about these and other recent security fixes, see [1].

webkit2gtk follows GNOME's Release Schedule (new major updates in March and September with bugfix updates in between). The 2.14 series is no longer supported and will not be updated to fix those or future security vulnerabilities.

Background Info
------------------------

Sadly, Debian's security packaging infrastructure is not set up to test this kind of update very well. To provide a reasonable balance between security for Debian 9 users and API stability for apps, the current proposal [2] is to use Debian's s-p-u procedures and get these updates into Debian point releases. This is a huge improvement over Debian 8 where webkitgtk got only one early update and webkit2gtk was only updated through backports. [3] [4] [5]

To summarize a bit of the discussion on debian-devel, Ubuntu 16.04 LTS has been receiving new webkit2gtk versions within about a week of their release. Although regressions are possible, these have been averted so far because Ubuntu tests the new major beta releases in the development release of Ubuntu and because regressions are quickly pointed out by users of more bleeding-edge distros (and these regressions are quickly fixed!). Nearly every major distro now packages new webkit2gtk versions like Ubuntu does.

Debian's well-justified reputation for security excellence is at risk of being tarnished if Debian ends up keeping webkit2gtk 2.14 for Debian 9's entire lifetime.

Fedora 25 (current stable) got this update on May 28.
Ubuntu 16.04 LTS and newer got the update on May 30.

Besides publishing regular CVEs, the webkit2gtk developers have intentionally crafted their dependency policy to explicitly support the lifetime of Debian stable releases. [6]

The output from debdiff is way too large to attach here and probably would not end up being useful. I am attaching the diff of the debian/ directory.

Testing Done
-------------------

I installed libwebkit2gtk-4.0-37 2.16.3-2 (and its dependencies) from unstable on my Debian stretch install. I verified that these apps still work fine:

- evolution
- epiphany-browser
- gnome-online-accounts
- yelp

References
----------------

[1] https://webkitgtk.org/security.html
[2] https://lists.debian.org/debian-devel/2017/05/msg00378.html
[3] https://www.debian.org/releases/jessie/amd64/release-notes/ch-information.html#browser-security
[4] https://tracker.debian.org/media/packages/w/webkitgtk/changelog-2.4.9-1~deb8u1
[5] https://tracker.debian.org/pkg/webkit2gtk
[6] https://trac.webkit.org/wiki/WebKitGTK/DependenciesPolicy

Thanks,
Jeremy Bicha
Attachment: webkit216.debdiff