On Wed, Aug 21, 2019 at 10:04:45PM +0000, Adam D Barratt wrote:
> Package: webkit2gtk
> Version: 2.24.3-1~deb10u1
> Explanation: new upstream stable version; includes several security
> fixes [CVE-2019-8571 CVE-2019-8583 CVE-2019-8586 CVE-2019-8594
> CVE-2019-8609 CVE-2019-8611 CVE-2019-8622 CVE-2019-8623
> CVE-2019-6237 CVE-2019-8584 CVE-2019-8587 CVE-2019-8596
> CVE-2019-8597 CVE-2019-8601 CVE-2019-8608 CVE-2019-8610
> CVE-2019-8619 CVE-2019-8595 CVE-2019-8607 CVE-2019-8615]; stop
> requiring SSE2-capable CPUs

A correction on this: this upload of webkit2gtk does *not* include any
new security fix. All those CVEs refer to vulnerabilities that were
already fixed in 2.24.2 (the version in buster) and earlier versions.
The CVE numbers only appeared later in debian/changelog because the
WebKitGTK security advisory was published *after* the release.

What this upload does fix is the support for x86 CPUs without SSE2
instructions.