epiphany-browser: CVE-2018-11396

Related Vulnerabilities: CVE-2018-11396  

Debian Bug report logs - #899409
epiphany-browser: CVE-2018-11396

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 23 May 2018 20:51:01 UTC

Severity: normal

Tags: security, upstream

Found in version epiphany-browser/3.28.1-1

Fixed in version epiphany-browser/3.28.2.1-1

Done: Jeremy Bicha <jbicha@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=795740


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#899409; Package src:epiphany-browser. (Wed, 23 May 2018 20:51:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 23 May 2018 20:51:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: epiphany-browser: CVE-2018-11396
Date: Wed, 23 May 2018 22:48:50 +0200
Source: epiphany-browser
Version: 3.28.1-1
Severity: normal
Tags: security upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=795740

Hi,

The following vulnerability was published for epiphany-browser.

CVE-2018-11396[0]:
| ephy-session.c in libephymain.so in GNOME Web (aka Epiphany) through
| 3.28.2.1 allows remote attackers to cause a denial of service
| (application crash) via JavaScript code that triggers access to a NULL
| URL, as demonstrated by a crafted window.open call.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-11396
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11396
[1] https://bugzilla.gnome.org/show_bug.cgi?id=795740

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Message sent on to Salvatore Bonaccorso <carnil@debian.org>:
Bug#899409. (Wed, 23 May 2018 22:18:02 GMT)


Message #8 received at 899409-submitter@bugs.debian.org:

From: jbicha@ubuntu.com
To: 899409-submitter@bugs.debian.org
Subject: Bug #899409 in epiphany-browser marked as pending
Date: Wed, 23 May 2018 22:15:52 +0000
Control: tag -1 pending

Hello,

Bug #899409 in epiphany-browser reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:

https://salsa.debian.org/gnome-team/epiphany-browser/commit/2f5160ba4e369b83926d3072408c6e98e2b7a9ce

------------------------------------------------------------------------
Add session-Fix-crash-when-JS-opens-an-invalid-URI.patch

Cherry-pick patch to fix CVE-2018-11396

Closes: #899409

Gbp-Dch: Full

------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/899409



Added tag(s) pending. Request was from jbicha@ubuntu.com to 899409-submitter@bugs.debian.org. (Wed, 23 May 2018 22:18:02 GMT)


Reply sent to Jeremy Bicha <jbicha@debian.org>:
You have taken responsibility. (Wed, 23 May 2018 22:36:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 23 May 2018 22:36:05 GMT)


Message #15 received at 899409-close@bugs.debian.org:

From: Jeremy Bicha <jbicha@debian.org>
To: 899409-close@bugs.debian.org
Subject: Bug#899409: fixed in epiphany-browser 3.28.2.1-1
Date: Wed, 23 May 2018 22:34:29 +0000
Source: epiphany-browser
Source-Version: 3.28.2.1-1

We believe that the bug you reported is fixed in the latest version of
epiphany-browser, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 899409@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bicha <jbicha@debian.org> (supplier of updated epiphany-browser package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Wed, 23 May 2018 18:05:28 -0400
Source: epiphany-browser
Binary: epiphany-browser epiphany-browser-data
Architecture: source
Version: 3.28.2.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Jeremy Bicha <jbicha@debian.org>
Description:
 epiphany-browser - Intuitive GNOME web browser
 epiphany-browser-data - Data files for the GNOME web browser
Closes: 899409
Launchpad-Bugs-Fixed: 1773026
Changes:
 epiphany-browser (3.28.2.1-1) unstable; urgency=medium
 .
   * New upstream release (LP: #1773026)
   * Drop disable-tests.patch: Applied in new release
   * Add session-Fix-crash-when-JS-opens-an-invalid-URI.patch:
     Cherry-pick patch to fix CVE-2018-11396 (Closes: #899409)




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 21 Jun 2018 07:25:07 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:45:37 2019; Machine Name: beach
