Your message dated Thu, 27 Apr 2023 12:34:52 +0200 with message-id <d311a9c6-86cf-9576-eb0e-730bc8a48253@debian.org> and subject line Re: Bug#1034872: unblock: wpewebkit/2.38.6-1 has caused the Debian Bug report #1034872, regarding unblock: wpewebkit/2.38.6-1 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1034872: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034872
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: wpewebkit/2.38.6-1
- From: Alberto Garcia <berto@igalia.com>
- Date: Wed, 26 Apr 2023 12:50:39 +0200
- Message-id: <168250623951.150182.2337140026149012324.reportbug@zeus.local>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package wpewebkit

[ Reason ]

Fix five CVEs, one of them reported to have been actively exploited.

[ Impact ]

wpewebkit, like all other major browser engines, is affected by a constant stream of security bugs so it's not recommended to browse the web using an outdated version of the package. For this reason the security team has been providing wpewebkit updates using the upstream stable releases since Debian bullseye.

2.38.6 is the next stable point release after 2.38.5 (already in bookworm). It contains fixes for several bugs including 5 CVEs:

CVE-2022-0108
  Impact: An HTML document may be able to render iframes with sensitive user information.

CVE-2022-32885
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution.

CVE-2023-27932
  Impact: Processing maliciously crafted web content may bypass Same Origin Policy.

CVE-2023-27954
  Impact: A website may be able to track sensitive user information.

CVE-2023-28205
  Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

[ Tests ]

Tested manually using the cog web browser.

[ Risks ]

WPE WebKit evolves very fast and its stable releases contain other fixes apart from the security ones. Because of this the chance of regressions is higher than with other packages.

That said, upstream has had a good track record of publishing updates with no major issues.

In addition to that, WPE WebKit is also a niche browser engine with few reverse dependencies so the impact of any possible regression is very low and the risk is therefore much more controlled.

[ Checklist ]

[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]

This new version also works in bullseye and the corresponding security update is also being prepared.

Note that I only include the debian/ part of the debdiff since the changes to the source itself are larger due to the nature of the release.

unblock wpewebkit/2.38.6-1

diff -Nru wpewebkit-2.38.5/debian/changelog wpewebkit-2.38.6/debian/changelog --- wpewebkit-2.38.5/debian/changelog 2023-02-15 22:52:14.000000000 +0100 +++ wpewebkit-2.38.6/debian/changelog 2023-04-25 09:17:43.000000000 +0200 @@ -1,3 +1,13 @@ +wpewebkit (2.38.6-1) unstable; urgency=high + + * New upstream release. + * The WPE WebKit security advisory WSA-2023-0003 lists the following + security fixes in the latest versions of WPE WebKit: + - CVE-2022-0108, CVE-2022-32885, CVE-2023-27932, CVE-2023-27954, + CVE-2023-28205 (fixed in 2.38.6 and 2.40.1). + + -- Alberto Garcia <berto@igalia.com> Tue, 25 Apr 2023 09:17:43 +0200 + wpewebkit (2.38.5-1) unstable; urgency=high * New upstream release.
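
Review bot: The new 2.38.6-1 entry in debian/changelog lists the five CVEs from WSA-2023-0003 on one line without marking CVE-2023-28205, which the unblock request names as reported to be actively exploited; consider flagging that CVE in the entry so the reason for urgency=high is visible from the changelog alone. Only the debian/changelog hunk is included, so the upstream source changes behind the CVE fixes cannot be checked from this diff.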
--- End Message ---
--- Begin Message ---
- To: Alberto Garcia <berto@igalia.com>, 1034872-done@bugs.debian.org
- Subject: Re: Bug#1034872: unblock: wpewebkit/2.38.6-1
- From: Paul Gevers <elbrus@debian.org>
- Date: Thu, 27 Apr 2023 12:34:52 +0200
- Message-id: <d311a9c6-86cf-9576-eb0e-730bc8a48253@debian.org>
- In-reply-to: <168250623951.150182.2337140026149012324.reportbug@zeus.local>
- References: <168250623951.150182.2337140026149012324.reportbug@zeus.local>
Hi,

On 26-04-2023 12:50, Alberto Garcia wrote:
> unblock wpewebkit/2.38.6-1

done.

Paul

Attachment: OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---