Bug#932111: webkit2gtk 2.24.3-1~deb10u1 flagged for acceptance

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

On 2019-08-22 09:10, Alberto Garcia wrote:
> On Wed, Aug 21, 2019 at 10:04:45PM +0000, Adam D Barratt wrote:
>
> > Package: webkit2gtk
> > Version: 2.24.3-1~deb10u1
> >
> > Explanation: new upstream stable version; includes several security
> > fixes [CVE-2019-8571 CVE-2019-8583 CVE-2019-8586 CVE-2019-8594
> > CVE-2019-8609 CVE-2019-8611 CVE-2019-8622 CVE-2019-8623
> > CVE-2019-6237 CVE-2019-8584 CVE-2019-8587 CVE-2019-8596
> > CVE-2019-8597 CVE-2019-8601 CVE-2019-8608 CVE-2019-8610
> > CVE-2019-8619 CVE-2019-8595 CVE-2019-8607 CVE-2019-8615]; stop
> > requiring SSE2-capable CPUs
>
> A correction on this: this upload of webkit2gtk does *not* include any
> new security fix. All those CVEs refer to vulnerabilities that were
> already fixed in 2.24.2 (the version in buster) and earlier versions.
>
> The CVE numbers only appeared later in debian/changelog because the
> WebKitGTK security advisory was published *after* the release.
>
> What this upload does fix is the support for x86 CPUs without SSE2
> instructions.

Oops, sorry about that. Fixed on our records.

They'll still show up on the overview page as "CVEs referenced", as that 
parses the changelog, but won't be mentioned in the point release 
announcement.

Regards,

Adam