Moderate: webkitgtk4 security, bug fix, and enhancement update

Synopsis

Moderate: webkitgtk4 security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Topic

An update for webkitgtk4 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

WebKitGTK+ is port of the WebKit portable web rendering engine to the GTK+ platform. These packages provide WebKitGTK+ for GTK+ 3.

The following packages have been upgraded to a later upstream version: webkitgtk4 (2.28.2). (BZ#1817144)

Security Fix(es):

• webkitgtk: Multiple security issues (CVE-2019-6237, CVE-2019-6251, CVE-2019-8506, CVE-2019-8524, CVE-2019-8535, CVE-2019-8536, CVE-2019-8544, CVE-2019-8551, CVE-2019-8558, CVE-2019-8559, CVE-2019-8563, CVE-2019-8571, CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596, CVE-2019-8597, CVE-2019-8601, CVE-2019-8607, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8611, CVE-2019-8615, CVE-2019-8619, CVE-2019-8622, CVE-2019-8623, CVE-2019-8625, CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8674, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, CVE-2019-8690, CVE-2019-8707, CVE-2019-8710, CVE-2019-8719, CVE-2019-8720, CVE-2019-8726, CVE-2019-8733, CVE-2019-8735, CVE-2019-8743, CVE-2019-8763, CVE-2019-8764, CVE-2019-8765, CVE-2019-8766, CVE-2019-8768, CVE-2019-8769, CVE-2019-8771, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8821, CVE-2019-8822, CVE-2019-8823, CVE-2019-8835, CVE-2019-8844, CVE-2019-8846, CVE-2019-11070, CVE-2020-3862, CVE-2020-3864, CVE-2020-3865, CVE-2020-3867, CVE-2020-3868, CVE-2020-3885, CVE-2020-3894, CVE-2020-3895, CVE-2020-3897, CVE-2020-3899, CVE-2020-3900, CVE-2020-3901, CVE-2020-3902, CVE-2020-10018, CVE-2020-11793)
  

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 7 x86_64
• Red Hat Enterprise Linux Workstation 7 x86_64
• Red Hat Enterprise Linux Desktop 7 x86_64
• Red Hat Enterprise Linux for IBM z Systems 7 s390x
• Red Hat Enterprise Linux for Power, big endian 7 ppc64
• Red Hat Enterprise Linux for Scientific Computing 7 x86_64
• Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

• BZ - 1667409 - CVE-2019-6251 webkitgtk: processing maliciously crafted web content lead to URI spoofing
• BZ - 1709289 - CVE-2019-11070 webkitgtk: HTTP proxy setting deanonymization information disclosure
• BZ - 1719199 - CVE-2019-8506 webkitgtk: malicous web content leads to arbitrary code execution
• BZ - 1719209 - CVE-2019-8524 webkitgtk: malicious web content leads to arbitrary code execution
• BZ - 1719210 - CVE-2019-8535 webkitgtk: malicious crafted web content leads to arbitrary code execution
• BZ - 1719213 - CVE-2019-8536 webkitgtk: malicious crafted web content leads to arbitrary code execution
• BZ - 1719224 - CVE-2019-8544 webkitgtk: malicious crafted web content leads to arbitrary we content
• BZ - 1719231 - CVE-2019-8558 webkitgtk: malicious crafted web content leads to arbitrary code execution
• BZ - 1719235 - CVE-2019-8559 webkitgtk: malicious web content leads to arbitrary code execution
• BZ - 1719237 - CVE-2019-8563 webkitgtk: malicious web content leads to arbitrary code execution
• BZ - 1719238 - CVE-2019-8551 webkitgtk: malicious web content leads to cross site scripting
• BZ - 1811721 - CVE-2020-10018 webkitgtk: Use-after-free issue in accessibility/AXObjectCache.cpp
• BZ - 1816678 - CVE-2019-8846 webkitgtk: Use after free issue may lead to remote code execution
• BZ - 1816684 - CVE-2019-8835 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
• BZ - 1816686 - CVE-2019-8844 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
• BZ - 1817144 - Rebase WebKitGTK to 2.28
• BZ - 1829369 - CVE-2020-11793 webkitgtk: use-after-free via crafted web content
• BZ - 1876462 - CVE-2020-3885 webkitgtk: Incorrect processing of file URLs
• BZ - 1876463 - CVE-2020-3894 webkitgtk: Race condition allows reading of restricted memory
• BZ - 1876465 - CVE-2020-3895 webkitgtk: Memory corruption triggered by a malicious web content
• BZ - 1876468 - CVE-2020-3897 webkitgtk: Type confusion leading to arbitrary code execution
• BZ - 1876470 - CVE-2020-3899 webkitgtk: Memory consumption issue leading to arbitrary code execution
• BZ - 1876472 - CVE-2020-3900 webkitgtk: Memory corruption triggered by a malicious web content
• BZ - 1876473 - CVE-2020-3901 webkitgtk: Type confusion leading to arbitrary code execution
• BZ - 1876476 - CVE-2020-3902 webkitgtk: Input validation issue leading to cross-site script attack
• BZ - 1876516 - CVE-2020-3862 webkitgtk: Denial of service via incorrect memory handling
• BZ - 1876518 - CVE-2020-3864 webkitgtk: Non-unique security origin for DOM object contexts
• BZ - 1876521 - CVE-2020-3865 webkitgtk: Incorrect security check for a top-level DOM object context
• BZ - 1876522 - CVE-2020-3867 webkitgtk: Incorrect state management leading to universal cross-site scripting
• BZ - 1876523 - CVE-2020-3868 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876536 - CVE-2019-8710 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876537 - CVE-2019-8743 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876540 - CVE-2019-8764 webkitgtk: Incorrect state management leading to universal cross-site scripting
• BZ - 1876542 - CVE-2019-8765 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876543 - CVE-2019-8766 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876545 - CVE-2019-8782 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876548 - CVE-2019-8783 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876549 - CVE-2019-8808 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876550 - CVE-2019-8811 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876552 - CVE-2019-8812 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876553 - CVE-2019-8813 webkitgtk: Incorrect state management leading to universal cross-site scripting
• BZ - 1876554 - CVE-2019-8814 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876555 - CVE-2019-8815 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876556 - CVE-2019-8816 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876590 - CVE-2019-8819 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876591 - CVE-2019-8820 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876592 - CVE-2019-8821 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876593 - CVE-2019-8822 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876594 - CVE-2019-8823 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876607 - CVE-2019-8625 webkitgtk: Incorrect state management leading to universal cross-site scripting
• BZ - 1876608 - CVE-2019-8674 webkitgtk: Incorrect state management leading to universal cross-site scripting
• BZ - 1876609 - CVE-2019-8707 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876610 - CVE-2019-8719 webkitgtk: Incorrect state management leading to universal cross-site scripting
• BZ - 1876611 - CVE-2019-8720 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876612 - CVE-2019-8726 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876613 - CVE-2019-8733 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876614 - CVE-2019-8735 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876615 - CVE-2019-8763 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876616 - CVE-2019-8768 webkitgtk: Browsing history could not be deleted
• BZ - 1876617 - CVE-2019-8769 webkitgtk: Websites could reveal browsing history
• BZ - 1876619 - CVE-2019-8771 webkitgtk: Violation of iframe sandboxing policy
• BZ - 1876626 - CVE-2019-8644 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876628 - CVE-2019-8649 webkitgtk: Incorrect state management leading to universal cross-site scripting
• BZ - 1876629 - CVE-2019-8658 webkitgtk: Incorrect state management leading to universal cross-site scripting
• BZ - 1876630 - CVE-2019-8666 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876631 - CVE-2019-8669 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876632 - CVE-2019-8671 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876634 - CVE-2019-8672 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876643 - CVE-2019-8673 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876644 - CVE-2019-8676 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876645 - CVE-2019-8677 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876646 - CVE-2019-8678 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876647 - CVE-2019-8679 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876648 - CVE-2019-8680 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876650 - CVE-2019-8681 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876651 - CVE-2019-8683 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876652 - CVE-2019-8684 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876653 - CVE-2019-8686 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876655 - CVE-2019-8687 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876656 - CVE-2019-8688 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876657 - CVE-2019-8689 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876664 - CVE-2019-8690 webkitgtk: Incorrect state management leading to universal cross-site scripting
• BZ - 1876880 - CVE-2019-6237 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876881 - CVE-2019-8571 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876882 - CVE-2019-8583 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876883 - CVE-2019-8584 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876884 - CVE-2019-8586 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876887 - CVE-2019-8587 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876891 - CVE-2019-8594 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876892 - CVE-2019-8595 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876893 - CVE-2019-8596 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876894 - CVE-2019-8597 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876895 - CVE-2019-8601 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876897 - CVE-2019-8607 webkitgtk: Out-of-bounds read leading to memory disclosure
• BZ - 1876898 - CVE-2019-8608 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876899 - CVE-2019-8609 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1876900 - CVE-2019-8610 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1877045 - CVE-2019-8615 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1877046 - CVE-2019-8611 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1877047 - CVE-2019-8619 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1877048 - CVE-2019-8622 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution
• BZ - 1877049 - CVE-2019-8623 webkitgtk: Multiple memory corruption issues leading to arbitrary code execution

CVEs

• CVE-2019-6237
• CVE-2019-6251
• CVE-2019-8506
• CVE-2019-8524
• CVE-2019-8535
• CVE-2019-8536
• CVE-2019-8544
• CVE-2019-8551
• CVE-2019-8558
• CVE-2019-8559
• CVE-2019-8563
• CVE-2019-8571
• CVE-2019-8583
• CVE-2019-8584
• CVE-2019-8586
• CVE-2019-8587
• CVE-2019-8594
• CVE-2019-8595
• CVE-2019-8596
• CVE-2019-8597
• CVE-2019-8601
• CVE-2019-8607
• CVE-2019-8608
• CVE-2019-8609
• CVE-2019-8610
• CVE-2019-8611
• CVE-2019-8615
• CVE-2019-8619
• CVE-2019-8622
• CVE-2019-8623
• CVE-2019-8625
• CVE-2019-8644
• CVE-2019-8649
• CVE-2019-8658
• CVE-2019-8666
• CVE-2019-8669
• CVE-2019-8671
• CVE-2019-8672
• CVE-2019-8673
• CVE-2019-8674
• CVE-2019-8676
• CVE-2019-8677
• CVE-2019-8678
• CVE-2019-8679
• CVE-2019-8680
• CVE-2019-8681
• CVE-2019-8683
• CVE-2019-8684
• CVE-2019-8686
• CVE-2019-8687
• CVE-2019-8688
• CVE-2019-8689
• CVE-2019-8690
• CVE-2019-8707
• CVE-2019-8710
• CVE-2019-8719
• CVE-2019-8720
• CVE-2019-8726
• CVE-2019-8733
• CVE-2019-8735
• CVE-2019-8743
• CVE-2019-8763
• CVE-2019-8764
• CVE-2019-8765
• CVE-2019-8766
• CVE-2019-8768
• CVE-2019-8769
• CVE-2019-8771
• CVE-2019-8782
• CVE-2019-8783
• CVE-2019-8808
• CVE-2019-8811
• CVE-2019-8812
• CVE-2019-8813
• CVE-2019-8814
• CVE-2019-8815
• CVE-2019-8816
• CVE-2019-8819
• CVE-2019-8820
• CVE-2019-8821
• CVE-2019-8822
• CVE-2019-8823
• CVE-2019-8835
• CVE-2019-8844
• CVE-2019-8846
• CVE-2019-11070
• CVE-2020-3862
• CVE-2020-3864
• CVE-2020-3865
• CVE-2020-3867
• CVE-2020-3868
• CVE-2020-3885
• CVE-2020-3894
• CVE-2020-3895
• CVE-2020-3897
• CVE-2020-3899
• CVE-2020-3900
• CVE-2020-3901
• CVE-2020-3902
• CVE-2020-10018
• CVE-2020-11793

References

• https://access.redhat.com/security/updates/classification/#moderate
• https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.9_release_notes/index