Control: tags -1 moreinfo

On 2021-05-28 11:18:00 +0200, Alberto Garcia wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
>
> Please unblock package webkit2gtk
>
> Starting from buster webkit2gtk has been receiving security updates,
> with a dozen DSAs published so far, at a pace of once every month or
> two. These updates follow the upstream stable releases.
>
> webkit2gtk 2.32.1 was published on the 10th of May and it belongs to
> the new 2.32.x stable branch (which started on the 26th of March with
> the 2.32.0 release).
>
> This fixes three security bugs: CVE-2021-1871, CVE-2021-1844 and
> CVE-2021-1788. You can see the details here:
>
> https://webkitgtk.org/security/WSA-2021-0003.html
>
> According to the CVE description, Apple is aware that the first of
> those bugs may have been actively exploited.
>
> Since this is a new stable branch (2.30.x -> 2.32.x) I wanted to give
> it more time than usual before proposing an unblock to detect possible
> regressions.
>
> We found two:
>
> - https://bugs.debian.org/987448
>
>   The titles of articles of RSS feeds have wrong colors due to broken
>   CSS. This is due to upstream changes in WebKitGTK and required
>   changes in Liferea. Liferea is now fixed in testing and works fine
>   with WebKitGTK 2.32.x
>
>   NOTE: theoretically other packages could have similar problems, but
>   we haven't detected any.
>
> - https://bugs.debian.org/987686
>
>   An autopkgtest regression. This is actually not a bug in WebKitGTK,
>   but the new dependency on xdg-desktop-portal-gtk triggers it. I
>   downgraded the dependency to a recommendation and the problem is
>   gone. I also uploaded a patch for balsa.
>
> I am not aware of any other regression. 2.32.0 was uploaded to
> unstable on the 22nd of April and 2.32.1 on the 10th of May.
>
> I would like to have this version of webkit2gtk unblocked and after
> that I'll prepare a new security update for buster.
diff -Nru webkit2gtk-2.30.6/debian/libwebkit2gtk-4.0-37.symbols webkit2gtk-2.32.1/debian/libwebkit2gtk-4.0-37.symbols --- webkit2gtk-2.30.6/debian/libwebkit2gtk-4.0-37.symbols 2021-03-18 15:05:45.000000000 +0000 +++ webkit2gtk-2.32.1/debian/libwebkit2gtk-4.0-37.symbols 2021-05-10 10:20:44.000000000 +0000 @@ -1,7 +1,6 @@ libwebkit2gtk-4.0.so.37 libwebkit2gtk-4.0-37 #MINVER# * Build-Depends-Package: libwebkit2gtk-4.0-dev (c++)"WebKit::NetworkProcessMain(int, char**)@Base" 2.27.90 - (c++)"WebKit::PluginProcessMain(int, char**)@Base" 2.27.90 (c++)"WebKit::WebProcessMain(int, char**)@Base" 2.27.90 (c++)"WebKit::WebKitExtensionManager::initialize(WebKit::InjectedBundle*, API::Object*)@Base" 2.17.5 (c++)"WebKit::WebKitExtensionManager::singleton()@Base" 2.17.5 Is that an internal symbol or why is it safe to remove it without a SONAME bump? Cheers > > Thanks, > > Berto > > unblock webkit2gtk/2.32.1-1 > -- Sebastian Ramacher
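Review bot: The removed line `(c++)"WebKit::PluginProcessMain(int, char**)@Base" 2.27.90` drops an exported symbol from libwebkit2gtk-4.0.so.37 while the library name on the first line of the symbols file is unchanged, and nothing in the hunk or the request records why that is ABI-safe. The neighbouring entries `WebKit::NetworkProcessMain` and `WebKit::WebProcessMain` stay, so the removal looks specific to the plugin process; a sentence in debian/changelog saying that the symbol was only an entry point for WebKit's own helper binary, and that no reverse dependency in the archive links against it, would let the release team verify the removal instead of having to ask. Without that justification the safe default for a dropped public symbol is a SONAME bump and a transition.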