- Issued:
- 2023-11-14
- Updated:
- 2023-11-14
RHSA-2023:7055 - Security Advisory
Synopsis
Important: webkit2gtk3 security, bug fix, and enhancement update
Type/Severity
Security Advisory: Important
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Description
WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.
Security Fix(es):
- webkitgtk: arbitrary code execution (CVE-2023-32393)
- webkitgtk: disclose sensitive information (CVE-2023-38133)
- webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-38592)
- webkitgtk: arbitrary code execution (CVE-2023-38594)
- webkitgtk: arbitrary code execution (CVE-2023-38595)
- webkitgtk: track sensitive user information (CVE-2023-38599)
- webkitgtk: arbitrary code execution (CVE-2023-38600)
- webkitgtk: arbitrary code execution (CVE-2023-38611)
- webkitgtk: bypass Same Origin Policy (CVE-2023-38572)
- webkitgtk: arbitrary code execution (CVE-2023-38597)
- webkitgtk: Memory corruption issue when processing web content (CVE-2022-32885)
- webkitgtk: Same Origin Policy bypass via crafted web content (CVE-2023-27932)
- webkitgtk: Website may be able to track sensitive user information (CVE-2023-27954)
- webkitgtk: use after free vulnerability (CVE-2023-28198)
- webkitgtk: content security policy blacklist failure (CVE-2023-32370)
- webkitgtk: arbitrary javascript code execution (CVE-2023-40397)
- webkitgtk: attacker with JavaScript execution may be able to execute arbitrary code (CVE-2023-40451)
- webkitgtk: Processing web content may lead to arbitrary code execution (CVE-2023-42833)
- webkitgtk: Visiting a website that frames malicious content may lead to UI spoofing. (CVE-2022-32919)
- webkitgtk: A website may able to track visited websites in private browsing (CVE-2022-32933)
- webkitgtk: Visiting a malicious website may lead to address bar spoofing (CVE-2022-46705)
- webkitgtk: Visiting a malicious website may lead to address bar spoofing. (CVE-2022-46725)
Bug Fix(es) and Enhancement(s):
- Upgrade WebKitGTK for RHEL 8.9 (BZ#2176269)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8 Release Notes linked from the References section.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
Affected Products
- Red Hat Enterprise Linux for x86_64 8 x86_64
- Red Hat Enterprise Linux for IBM z Systems 8 s390x
- Red Hat Enterprise Linux for Power, little endian 8 ppc64le
- Red Hat Enterprise Linux for ARM 64 8 aarch64
Fixes
- BZ - 2176269 - Upgrade WebKitGTK for RHEL 8.9
- BZ - 2224608 - CVE-2023-32393 webkitgtk: arbitrary code execution
- BZ - 2231015 - CVE-2023-38133 webkitgtk: disclose sensitive information
- BZ - 2231017 - CVE-2023-38592 webkitgtk: Processing web content may lead to arbitrary code execution
- BZ - 2231018 - CVE-2023-38594 webkitgtk: arbitrary code execution
- BZ - 2231019 - CVE-2023-38595 webkitgtk: arbitrary code execution
- BZ - 2231020 - CVE-2023-38599 webkitgtk: track sensitive user information
- BZ - 2231021 - CVE-2023-38600 webkitgtk: arbitrary code execution
- BZ - 2231022 - CVE-2023-38611 webkitgtk: arbitrary code execution
- BZ - 2231028 - CVE-2023-38572 webkitgtk: bypass Same Origin Policy
- BZ - 2231043 - CVE-2023-38597 webkitgtk: arbitrary code execution
- BZ - 2236842 - CVE-2022-32885 webkitgtk: Memory corruption issue when processing web content
- BZ - 2236843 - CVE-2023-27932 webkitgtk: Same Origin Policy bypass via crafted web content
- BZ - 2236844 - CVE-2023-27954 webkitgtk: Website may be able to track sensitive user information
- BZ - 2238943 - CVE-2023-28198 webkitgtk: use after free vulnerability
- BZ - 2238944 - CVE-2023-32370 webkitgtk: content security policy blacklist failure
- BZ - 2238945 - CVE-2023-40397 webkitgtk: arbitrary javascript code execution
- BZ - 2241409 - CVE-2023-40451 webkitgtk: attacker with JavaScript execution may be able to execute arbitrary code
- BZ - 2270146 - CVE-2023-42833 webkitgtk: Processing web content may lead to arbitrary code execution
- BZ - 2271437 - CVE-2022-32919 webkitgtk: Visiting a website that frames malicious content may lead to UI spoofing.
- BZ - 2271441 - CVE-2022-32933 webkitgtk: A website may able to track visited websites in private browsing
- BZ - 2271444 - CVE-2022-46705 webkitgtk: Visiting a malicious website may lead to address bar spoofing
- BZ - 2271446 - CVE-2022-46725 webkitgtk: Visiting a malicious website may lead to address bar spoofing.
CVEs
- CVE-2022-32885
- CVE-2022-32919
- CVE-2022-32933
- CVE-2022-46705
- CVE-2022-46725
- CVE-2023-27932
- CVE-2023-27954
- CVE-2023-28198
- CVE-2023-32370
- CVE-2023-32393
- CVE-2023-38133
- CVE-2023-38572
- CVE-2023-38592
- CVE-2023-38594
- CVE-2023-38595
- CVE-2023-38597
- CVE-2023-38599
- CVE-2023-38600
- CVE-2023-38611
- CVE-2023-40397
- CVE-2023-40451
- CVE-2023-42833
Note:
More recent versions of these packages may be available.
Click a package name for more details.
Red Hat Enterprise Linux for x86_64 8
| SRPM | |
|---|---|
| webkit2gtk3-2.40.5-1.el8.src.rpm | SHA-256: d9025a838982d0440b7c933e25cac1fda8c2ba598d4e950a2d9fa5b3ee85c37c |
| x86_64 | |
| webkit2gtk3-2.40.5-1.el8.i686.rpm | SHA-256: 793a81b915cc429d38596f343a7802e827cb9cd876f0ed9046f35b6dd9ecd6b7 |
| webkit2gtk3-2.40.5-1.el8.x86_64.rpm | SHA-256: baa35f86f53431e7b6e2a25c8b3809d5bc190ca028f8405540fd3afd9079cbf5 |
| webkit2gtk3-debuginfo-2.40.5-1.el8.i686.rpm | SHA-256: 3e2c8995c9a0568c7575e5f5196dee2f666d33d7091e018e3e70adc7aca3a414 |
| webkit2gtk3-debuginfo-2.40.5-1.el8.x86_64.rpm | SHA-256: 0ad0db5af1f7f6c305a49cf084d924351783e8445eaee52ceeaa2888ae7a202d |
| webkit2gtk3-debugsource-2.40.5-1.el8.i686.rpm | SHA-256: e9968656d450cc643f723d4500fedd0d9e6cf923092c81fb9e6bf7cc76cbdf18 |
| webkit2gtk3-debugsource-2.40.5-1.el8.x86_64.rpm | SHA-256: c865c5b150624877b8dca944b46033ca7d9771c9b85820bfcdea839792fe714c |
| webkit2gtk3-devel-2.40.5-1.el8.i686.rpm | SHA-256: 8d3708e645dffbc7a3a42c5aee0b8215f04b4dba1f6c9ef7967e61c68d75aace |
| webkit2gtk3-devel-2.40.5-1.el8.x86_64.rpm | SHA-256: 04e219b712ef45ce05178062c12eabdba9370852a5aef69d937b9f490d0588ff |
| webkit2gtk3-devel-debuginfo-2.40.5-1.el8.i686.rpm | SHA-256: 5e808c8cadd233bcb1cc1ac155c1d5ffd9f33d63c40f1444ccc0fc214c45ad8b |
| webkit2gtk3-devel-debuginfo-2.40.5-1.el8.x86_64.rpm | SHA-256: 57f768b09af20084851537c580233f8f15fea4420c26c6caf362c2276c513399 |
| webkit2gtk3-jsc-2.40.5-1.el8.i686.rpm | SHA-256: 373806d4d12876d459ba183012d78f744370662b50e85c7727f927999b962124 |
| webkit2gtk3-jsc-2.40.5-1.el8.x86_64.rpm | SHA-256: 23aaf03daf63e25e7eda7c1818a32833fa897e8d3e13ff5105436ec32ae6b699 |
| webkit2gtk3-jsc-debuginfo-2.40.5-1.el8.i686.rpm | SHA-256: 222904db147f510fab2148916e543587f1e061e451e227074820843cfa315651 |
| webkit2gtk3-jsc-debuginfo-2.40.5-1.el8.x86_64.rpm | SHA-256: 88399892250fbec232b9b88c1cedf4545a5b6df4384abbd9daf619230e2bb87f |
| webkit2gtk3-jsc-devel-2.40.5-1.el8.i686.rpm | SHA-256: f23e18c9520c4786eacc5c741c58c9c8b43953625e101a83dac1ddd87178a3a2 |
| webkit2gtk3-jsc-devel-2.40.5-1.el8.x86_64.rpm | SHA-256: d8d7c4d18418b453abf854fe4858cbf5646c51596ba469bc158744e6484a4444 |
| webkit2gtk3-jsc-devel-debuginfo-2.40.5-1.el8.i686.rpm | SHA-256: 52a2fd6ae0614a62b0215cd07de2e973dc5ea6f11de7f16254af539a4095e73c |
| webkit2gtk3-jsc-devel-debuginfo-2.40.5-1.el8.x86_64.rpm | SHA-256: a9642afd8cb0873c36bf4ad06d6c2cedfc1ab69e2ef13c3b370f9a8ab001a6ff |
Red Hat Enterprise Linux for IBM z Systems 8
| SRPM | |
|---|---|
| webkit2gtk3-2.40.5-1.el8.src.rpm | SHA-256: d9025a838982d0440b7c933e25cac1fda8c2ba598d4e950a2d9fa5b3ee85c37c |
| s390x | |
| webkit2gtk3-2.40.5-1.el8.s390x.rpm | SHA-256: ee58318ba1b957f6d52804ed034b1f92f450004797529754808c12659abbcc5e |
| webkit2gtk3-debuginfo-2.40.5-1.el8.s390x.rpm | SHA-256: ef111123d15aa709c31e980d61ec6abd5c6267585a49886ca1b90cbc2e041cab |
| webkit2gtk3-debugsource-2.40.5-1.el8.s390x.rpm | SHA-256: 1d7a189de83ad0369a324ee5a8e6752ebd83980177e65865daa970d242519433 |
| webkit2gtk3-devel-2.40.5-1.el8.s390x.rpm | SHA-256: 3e68a730ea30f6c105f37329b4a457c752aaebd4a7ac29993c0ff22f6c51863d |
| webkit2gtk3-devel-debuginfo-2.40.5-1.el8.s390x.rpm | SHA-256: df7936dc789ec4d53bc7420d21cbbed87122faf9a41272d8e2b1033ae320d7e0 |
| webkit2gtk3-jsc-2.40.5-1.el8.s390x.rpm | SHA-256: 666dacbad7c59c4228be21b7e59f7f94230e83a3a6420fc0d3b153acce43f7db |
| webkit2gtk3-jsc-debuginfo-2.40.5-1.el8.s390x.rpm | SHA-256: 7caad10fed2d734fcbd185a8e260f3e5f16c561f91e3c71a7bc80e24fa5ccbd3 |
| webkit2gtk3-jsc-devel-2.40.5-1.el8.s390x.rpm | SHA-256: 20a4f1681038f05084990a6c909a1ba6580389dbb9c08e8ea56fe45ee27e3158 |
| webkit2gtk3-jsc-devel-debuginfo-2.40.5-1.el8.s390x.rpm | SHA-256: 0b757553d8da46f2cf58396f33738b3325d493978cb209fafae9c7c1de114fe0 |
Red Hat Enterprise Linux for Power, little endian 8
| SRPM | |
|---|---|
| webkit2gtk3-2.40.5-1.el8.src.rpm | SHA-256: d9025a838982d0440b7c933e25cac1fda8c2ba598d4e950a2d9fa5b3ee85c37c |
| ppc64le | |
| webkit2gtk3-2.40.5-1.el8.ppc64le.rpm | SHA-256: 6762ab83c6b5ced0a9427d2f2edcd874d7d2c87b25a2a53599d4d65879768113 |
| webkit2gtk3-debuginfo-2.40.5-1.el8.ppc64le.rpm | SHA-256: a1f80d90994af99e163c5cebe774e4ac251b05bfaf8fae90839f36b1b6298eee |
| webkit2gtk3-debugsource-2.40.5-1.el8.ppc64le.rpm | SHA-256: c132c32b665da6fb15e2c13efec00c1bb3efd4009b5ecf242dd6decb43bc7b42 |
| webkit2gtk3-devel-2.40.5-1.el8.ppc64le.rpm | SHA-256: 78a83fbb0f6bc2405612492aaa72ab94fd4692166364d926e90f5ab515e1a101 |
| webkit2gtk3-devel-debuginfo-2.40.5-1.el8.ppc64le.rpm | SHA-256: e6c8997f98f1f98bc720be2fcd7d7272f3e030724dad28bdd747b8171e638303 |
| webkit2gtk3-jsc-2.40.5-1.el8.ppc64le.rpm | SHA-256: 26db2996a8f94675b555e160bb8327e6eabbff1707dc1d0a94f605dcc56bf4c3 |
| webkit2gtk3-jsc-debuginfo-2.40.5-1.el8.ppc64le.rpm | SHA-256: 8b0ac8980f440017ee566a2f53694978ac7a79b64399c29b728552cd1f32278d |
| webkit2gtk3-jsc-devel-2.40.5-1.el8.ppc64le.rpm | SHA-256: c1a6595857bccd30051150a7a0a19bdd496d26975111cbdc46e5b15b9b2bfe79 |
| webkit2gtk3-jsc-devel-debuginfo-2.40.5-1.el8.ppc64le.rpm | SHA-256: e07f688eee63944ff67d8d10ac4988cce78e55432a34bc4ba54a1e73d1037b55 |
Red Hat Enterprise Linux for ARM 64 8
| SRPM | |
|---|---|
| webkit2gtk3-2.40.5-1.el8.src.rpm | SHA-256: d9025a838982d0440b7c933e25cac1fda8c2ba598d4e950a2d9fa5b3ee85c37c |
| aarch64 | |
| webkit2gtk3-2.40.5-1.el8.aarch64.rpm | SHA-256: 2fab109589964b7b3325a0d3ec7c8d8fdf13d3fb444016530577d0c9c8d2612c |
| webkit2gtk3-debuginfo-2.40.5-1.el8.aarch64.rpm | SHA-256: ea109aa86e2a0891834dc6b8d9b4e966a4ea8ae36e99c7ca0b1f4c66bb896c5b |
| webkit2gtk3-debugsource-2.40.5-1.el8.aarch64.rpm | SHA-256: d407a38e94d95830e7b467c8428a9c0d32fceb4680978e35258fd2fe98692b7a |
| webkit2gtk3-devel-2.40.5-1.el8.aarch64.rpm | SHA-256: 7c5a1a33376ae56d7a95ac1b243af035d339f02aeb4e51d624c7f0c6eb497a4b |
| webkit2gtk3-devel-debuginfo-2.40.5-1.el8.aarch64.rpm | SHA-256: e9334808049a9bd96e5ac923b2fb75a1394077a1e445d939b812cca1d2c66750 |
| webkit2gtk3-jsc-2.40.5-1.el8.aarch64.rpm | SHA-256: bd58e348184af1df24be5050df6ab71882980fe2afcf1b22f7114f2ed95e52c7 |
| webkit2gtk3-jsc-debuginfo-2.40.5-1.el8.aarch64.rpm | SHA-256: 602dd4592ae353dad2f1a909eb154fcd50e945aad5e1e183b26f1554ebf68419 |
| webkit2gtk3-jsc-devel-2.40.5-1.el8.aarch64.rpm | SHA-256: 41654c6c239386132d40cd37666820805dc018a3fe24d17f5d68e42eadfaf2cd |
| webkit2gtk3-jsc-devel-debuginfo-2.40.5-1.el8.aarch64.rpm | SHA-256: f752cc0587ae4d451b469493e1660c3e693f593836fd6cd1466bc890df5ea242 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
