-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Moderate: webkit2gtk3 security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:1777-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:1777
Issue date:        2022-05-10
CVE Names:         CVE-2021-30809 CVE-2021-30818 CVE-2021-30823 
                   CVE-2021-30836 CVE-2021-30846 CVE-2021-30848 
                   CVE-2021-30849 CVE-2021-30851 CVE-2021-30884 
                   CVE-2021-30887 CVE-2021-30888 CVE-2021-30889 
                   CVE-2021-30890 CVE-2021-30897 CVE-2021-30934 
                   CVE-2021-30936 CVE-2021-30951 CVE-2021-30952 
                   CVE-2021-30953 CVE-2021-30954 CVE-2021-30984 
                   CVE-2021-45481 CVE-2021-45482 CVE-2021-45483 
                   CVE-2022-22589 CVE-2022-22590 CVE-2022-22592 
                   CVE-2022-22594 CVE-2022-22620 CVE-2022-22637 
====================================================================
1. Summary:

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64

3. Description:

WebKitGTK is the port of the portable web rendering engine WebKit to the
GTK platform.

The following packages have been upgraded to a later upstream version:
webkit2gtk3 (2.34.6). (BZ#1985042)

Security Fix(es):

* webkitgtk: maliciously crafted web content may lead to arbitrary code
execution due to use after free (CVE-2022-22620)

* webkitgtk: Use-after-free leading to arbitrary code execution
(CVE-2021-30809)

* webkitgtk: Type confusion issue leading to arbitrary code execution
(CVE-2021-30818)

* webkitgtk: Logic issue leading to HSTS bypass (CVE-2021-30823)

* webkitgtk: Memory corruption issue leading to arbitrary code execution
(CVE-2021-30846)

* webkitgtk: Memory corruption issue leading to arbitrary code execution
(CVE-2021-30848)

* webkitgtk: Multiple memory corruption issue leading to arbitrary code
execution (CVE-2021-30849)

* webkitgtk: Memory corruption issue leading to arbitrary code execution
(CVE-2021-30851)

* webkitgtk: Logic issue leading to Content Security Policy bypass
(CVE-2021-30887)

* webkitgtk: Information leak via Content Security Policy reports
(CVE-2021-30888)

* webkitgtk: Buffer overflow leading to arbitrary code execution
(CVE-2021-30889)

* webkitgtk: Logic issue leading to universal cross-site scripting
(CVE-2021-30890)

* webkitgtk: Cross-origin data exfiltration via resource timing API
(CVE-2021-30897)

* webkitgtk: Processing maliciously crafted web content may lead to
arbitrary code execution (CVE-2021-30934)

* webkitgtk: Processing maliciously crafted web content may lead to
arbitrary code execution (CVE-2021-30936)

* webkitgtk: Processing maliciously crafted web content may lead to
arbitrary code execution (CVE-2021-30951)

* webkitgtk: Processing maliciously crafted web content may lead to
arbitrary code execution (CVE-2021-30952)

* webkitgtk: Processing maliciously crafted web content may lead to
arbitrary code execution (CVE-2021-30953)

* webkitgtk: Processing maliciously crafted web content may lead to
arbitrary code execution (CVE-2021-30954)

* webkitgtk: Processing maliciously crafted web content may lead to
arbitrary code execution (CVE-2021-30984)

* webkitgtk: Incorrect memory allocation in
WebCore::ImageBufferCairoImageSurfaceBackend::create (CVE-2021-45481)

* webkitgtk: use-after-free in WebCore::ContainerNode::firstChild
(CVE-2021-45482)

* webkitgtk: use-after-free in WebCore::Frame::page (CVE-2021-45483)

* webkitgtk: Processing a maliciously crafted mail message may lead to
running arbitrary javascript (CVE-2022-22589)

* webkitgtk: Processing maliciously crafted web content may lead to
arbitrary code execution (CVE-2022-22590)

* webkitgtk: Processing maliciously crafted web content may prevent Content
Security Policy from being enforced (CVE-2022-22592)

* webkitgtk: A malicious website may exfiltrate data cross-origin
(CVE-2022-22594)

* webkitgtk: logic issue was addressed with improved state management
(CVE-2022-22637)

* webkitgtk: Out-of-bounds read leading to memory disclosure
(CVE-2021-30836)

* webkitgtk: CSS compositing issue leading to revealing of the browsing
history (CVE-2021-30884)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 8.6 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1985042 - Upgrade WebKitGTK for RHEL 8.6
2017898 - CVE-2021-30846 webkitgtk: Memory corruption issue leading to arbitrary code execution
2017901 - CVE-2021-30848 webkitgtk: Memory corruption issue leading to arbitrary code execution
2017904 - CVE-2021-30849 webkitgtk: Multiple memory corruption issue leading to arbitrary code execution
2018573 - CVE-2021-30851 webkitgtk: Memory corruption issue leading to arbitrary code execution
2034347 - CVE-2021-30809 webkitgtk: Use-after-free leading to arbitrary code execution
2034368 - CVE-2021-30818 webkitgtk: Type confusion issue leading to arbitrary code execution
2034373 - CVE-2021-30823 webkitgtk: Logic issue leading to HSTS bypass
2034376 - CVE-2021-30836 webkitgtk: Out-of-bounds read leading to memory disclosure
2034378 - CVE-2021-30884 webkitgtk: CSS compositing issue leading to revealing of the browsing history
2034381 - CVE-2021-30887 webkitgtk: Logic issue leading to Content Security Policy bypass
2034383 - CVE-2021-30888 webkitgtk: Information leak via Content Security Policy reports
2034386 - CVE-2021-30889 webkitgtk: Buffer overflow leading to arbitrary code execution
2034389 - CVE-2021-30890 webkitgtk: Logic issue leading to universal cross-site scripting
2038907 - CVE-2021-30897 webkitgtk: Cross-origin data exfiltration via resource timing API
2040327 - CVE-2021-45481 webkitgtk: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create
2040329 - CVE-2021-45482 webkitgtk: use-after-free in WebCore::ContainerNode::firstChild
2040331 - CVE-2021-45483 webkitgtk: use-after-free in WebCore::Frame::page
2041559 - Doesn't show document with ongoing resources' download immediately
2044521 - CVE-2021-30934 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
2044528 - CVE-2021-30936 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
2044534 - CVE-2021-30951 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
2044538 - CVE-2021-30952 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
2044542 - CVE-2021-30953 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
2044551 - CVE-2021-30954 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
2044553 - CVE-2021-30984 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
2045291 - CVE-2022-22594 webkitgtk: A malicious website may exfiltrate data cross-origin
2053179 - CVE-2022-22589 webkitgtk: Processing a maliciously crafted mail message may lead to running arbitrary javascript
2053181 - CVE-2022-22590 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution
2053185 - CVE-2022-22592 webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced
2056474 - CVE-2022-22620 webkitgtk: maliciously crafted web content may lead to arbitrary code execution due to use after free
2073903 - CVE-2022-22637 webkitgtk: logic issue was addressed with improved state management

6. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source:
webkit2gtk3-2.34.6-1.el8.src.rpm

aarch64:
webkit2gtk3-2.34.6-1.el8.aarch64.rpm
webkit2gtk3-debuginfo-2.34.6-1.el8.aarch64.rpm
webkit2gtk3-debugsource-2.34.6-1.el8.aarch64.rpm
webkit2gtk3-devel-2.34.6-1.el8.aarch64.rpm
webkit2gtk3-devel-debuginfo-2.34.6-1.el8.aarch64.rpm
webkit2gtk3-jsc-2.34.6-1.el8.aarch64.rpm
webkit2gtk3-jsc-debuginfo-2.34.6-1.el8.aarch64.rpm
webkit2gtk3-jsc-devel-2.34.6-1.el8.aarch64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.34.6-1.el8.aarch64.rpm

ppc64le:
webkit2gtk3-2.34.6-1.el8.ppc64le.rpm
webkit2gtk3-debuginfo-2.34.6-1.el8.ppc64le.rpm
webkit2gtk3-debugsource-2.34.6-1.el8.ppc64le.rpm
webkit2gtk3-devel-2.34.6-1.el8.ppc64le.rpm
webkit2gtk3-devel-debuginfo-2.34.6-1.el8.ppc64le.rpm
webkit2gtk3-jsc-2.34.6-1.el8.ppc64le.rpm
webkit2gtk3-jsc-debuginfo-2.34.6-1.el8.ppc64le.rpm
webkit2gtk3-jsc-devel-2.34.6-1.el8.ppc64le.rpm
webkit2gtk3-jsc-devel-debuginfo-2.34.6-1.el8.ppc64le.rpm

s390x:
webkit2gtk3-2.34.6-1.el8.s390x.rpm
webkit2gtk3-debuginfo-2.34.6-1.el8.s390x.rpm
webkit2gtk3-debugsource-2.34.6-1.el8.s390x.rpm
webkit2gtk3-devel-2.34.6-1.el8.s390x.rpm
webkit2gtk3-devel-debuginfo-2.34.6-1.el8.s390x.rpm
webkit2gtk3-jsc-2.34.6-1.el8.s390x.rpm
webkit2gtk3-jsc-debuginfo-2.34.6-1.el8.s390x.rpm
webkit2gtk3-jsc-devel-2.34.6-1.el8.s390x.rpm
webkit2gtk3-jsc-devel-debuginfo-2.34.6-1.el8.s390x.rpm

x86_64:
webkit2gtk3-2.34.6-1.el8.i686.rpm
webkit2gtk3-2.34.6-1.el8.x86_64.rpm
webkit2gtk3-debuginfo-2.34.6-1.el8.i686.rpm
webkit2gtk3-debuginfo-2.34.6-1.el8.x86_64.rpm
webkit2gtk3-debugsource-2.34.6-1.el8.i686.rpm
webkit2gtk3-debugsource-2.34.6-1.el8.x86_64.rpm
webkit2gtk3-devel-2.34.6-1.el8.i686.rpm
webkit2gtk3-devel-2.34.6-1.el8.x86_64.rpm
webkit2gtk3-devel-debuginfo-2.34.6-1.el8.i686.rpm
webkit2gtk3-devel-debuginfo-2.34.6-1.el8.x86_64.rpm
webkit2gtk3-jsc-2.34.6-1.el8.i686.rpm
webkit2gtk3-jsc-2.34.6-1.el8.x86_64.rpm
webkit2gtk3-jsc-debuginfo-2.34.6-1.el8.i686.rpm
webkit2gtk3-jsc-debuginfo-2.34.6-1.el8.x86_64.rpm
webkit2gtk3-jsc-devel-2.34.6-1.el8.i686.rpm
webkit2gtk3-jsc-devel-2.34.6-1.el8.x86_64.rpm
webkit2gtk3-jsc-devel-debuginfo-2.34.6-1.el8.i686.rpm
webkit2gtk3-jsc-devel-debuginfo-2.34.6-1.el8.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2021-30809
https://access.redhat.com/security/cve/CVE-2021-30818
https://access.redhat.com/security/cve/CVE-2021-30823
https://access.redhat.com/security/cve/CVE-2021-30836
https://access.redhat.com/security/cve/CVE-2021-30846
https://access.redhat.com/security/cve/CVE-2021-30848
https://access.redhat.com/security/cve/CVE-2021-30849
https://access.redhat.com/security/cve/CVE-2021-30851
https://access.redhat.com/security/cve/CVE-2021-30884
https://access.redhat.com/security/cve/CVE-2021-30887
https://access.redhat.com/security/cve/CVE-2021-30888
https://access.redhat.com/security/cve/CVE-2021-30889
https://access.redhat.com/security/cve/CVE-2021-30890
https://access.redhat.com/security/cve/CVE-2021-30897
https://access.redhat.com/security/cve/CVE-2021-30934
https://access.redhat.com/security/cve/CVE-2021-30936
https://access.redhat.com/security/cve/CVE-2021-30951
https://access.redhat.com/security/cve/CVE-2021-30952
https://access.redhat.com/security/cve/CVE-2021-30953
https://access.redhat.com/security/cve/CVE-2021-30954
https://access.redhat.com/security/cve/CVE-2021-30984
https://access.redhat.com/security/cve/CVE-2021-45481
https://access.redhat.com/security/cve/CVE-2021-45482
https://access.redhat.com/security/cve/CVE-2021-45483
https://access.redhat.com/security/cve/CVE-2022-22589
https://access.redhat.com/security/cve/CVE-2022-22590
https://access.redhat.com/security/cve/CVE-2022-22592
https://access.redhat.com/security/cve/CVE-2022-22594
https://access.redhat.com/security/cve/CVE-2022-22620
https://access.redhat.com/security/cve/CVE-2022-22637
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.6_release_notes/

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYnqQrdzjgjWX9erEAQi/6BAAhaqaCDj0g7uJ6LdXEng5SqGBFl5g6GIV
p/WSKyL+tI3BpKaaUWr6+d4tNnaQbKxhRTwTSJa8GMrOc7n6Y7LO8Y7mQj3bEFvn
z3HHLZK8EMgDUz4I0esuh0qNWnfsD/vJDuGbXlHLdNLlc5XzgX7YA6eIb1lxSbxV
ueSENHohbMJLbWoeI2gMUYGb5cAzBHrgdmFIsr4XUd6sr5Z1ZOPnQPf36vrXGdzj
mPXPijZtr9QiPgwijm4/DkJG7NQ4KyaPMOKauC7PEB1AHWIwHteRnVxnWuZLjpMf
RqYBQu2pYeTiyGky+ozshJ81mdfLyUQBR/+4KbB2TMFZHDlhxzNFZrErh4+dfQja
Cuf+IwTOSZgC/8XouTQMA27KFSYKd4PzwnB3yQeGU0NA/VngYp12BegeVHlDiadS
hO+mAk/BAAesdywt7ZTU1e1yROLm/jp0VcmvkQO+gh2WhErEFV3s0qnsu1dfuLY7
B1e0z6c/vp8lkSFs2fcx0Oq1S7nGIGZiR66loghp03nDoCcxblsxBcFV9CNq6yVG
BkEAFzMb/AHxqn7KbZeN6g4Los+3Dr7eFYPGUkVEXy+AbHqE+b99pT2TIjCOMh/L
wXOE+nX3KXbD5MCqvmF2K6w+MfIf3AxzzgirwXyLewSP8NKBmsdBtgwbgFam1QfM
Uqt+dghxtOQ=LCNn
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2022-1777:01 Moderate: webkit2gtk3 security, bug fix,

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8

Summary

WebKitGTK is the port of the portable web rendering engine WebKit to the GTK platform.
The following packages have been upgraded to a later upstream version: webkit2gtk3 (2.34.6). (BZ#1985042)
Security Fix(es):
* webkitgtk: maliciously crafted web content may lead to arbitrary code execution due to use after free (CVE-2022-22620)
* webkitgtk: Use-after-free leading to arbitrary code execution (CVE-2021-30809)
* webkitgtk: Type confusion issue leading to arbitrary code execution (CVE-2021-30818)
* webkitgtk: Logic issue leading to HSTS bypass (CVE-2021-30823)
* webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-30846)
* webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-30848)
* webkitgtk: Multiple memory corruption issue leading to arbitrary code execution (CVE-2021-30849)
* webkitgtk: Memory corruption issue leading to arbitrary code execution (CVE-2021-30851)
* webkitgtk: Logic issue leading to Content Security Policy bypass (CVE-2021-30887)
* webkitgtk: Information leak via Content Security Policy reports (CVE-2021-30888)
* webkitgtk: Buffer overflow leading to arbitrary code execution (CVE-2021-30889)
* webkitgtk: Logic issue leading to universal cross-site scripting (CVE-2021-30890)
* webkitgtk: Cross-origin data exfiltration via resource timing API (CVE-2021-30897)
* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30934)
* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30936)
* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30951)
* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30952)
* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30953)
* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30954)
* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2021-30984)
* webkitgtk: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create (CVE-2021-45481)
* webkitgtk: use-after-free in WebCore::ContainerNode::firstChild (CVE-2021-45482)
* webkitgtk: use-after-free in WebCore::Frame::page (CVE-2021-45483)
* webkitgtk: Processing a maliciously crafted mail message may lead to running arbitrary javascript (CVE-2022-22589)
* webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution (CVE-2022-22590)
* webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced (CVE-2022-22592)
* webkitgtk: A malicious website may exfiltrate data cross-origin (CVE-2022-22594)
* webkitgtk: logic issue was addressed with improved state management (CVE-2022-22637)
* webkitgtk: Out-of-bounds read leading to memory disclosure (CVE-2021-30836)
* webkitgtk: CSS compositing issue leading to revealing of the browsing history (CVE-2021-30884)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.6 Release Notes linked from the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2021-30809 https://access.redhat.com/security/cve/CVE-2021-30818 https://access.redhat.com/security/cve/CVE-2021-30823 https://access.redhat.com/security/cve/CVE-2021-30836 https://access.redhat.com/security/cve/CVE-2021-30846 https://access.redhat.com/security/cve/CVE-2021-30848 https://access.redhat.com/security/cve/CVE-2021-30849 https://access.redhat.com/security/cve/CVE-2021-30851 https://access.redhat.com/security/cve/CVE-2021-30884 https://access.redhat.com/security/cve/CVE-2021-30887 https://access.redhat.com/security/cve/CVE-2021-30888 https://access.redhat.com/security/cve/CVE-2021-30889 https://access.redhat.com/security/cve/CVE-2021-30890 https://access.redhat.com/security/cve/CVE-2021-30897 https://access.redhat.com/security/cve/CVE-2021-30934 https://access.redhat.com/security/cve/CVE-2021-30936 https://access.redhat.com/security/cve/CVE-2021-30951 https://access.redhat.com/security/cve/CVE-2021-30952 https://access.redhat.com/security/cve/CVE-2021-30953 https://access.redhat.com/security/cve/CVE-2021-30954 https://access.redhat.com/security/cve/CVE-2021-30984 https://access.redhat.com/security/cve/CVE-2021-45481 https://access.redhat.com/security/cve/CVE-2021-45482 https://access.redhat.com/security/cve/CVE-2021-45483 https://access.redhat.com/security/cve/CVE-2022-22589 https://access.redhat.com/security/cve/CVE-2022-22590 https://access.redhat.com/security/cve/CVE-2022-22592 https://access.redhat.com/security/cve/CVE-2022-22594 https://access.redhat.com/security/cve/CVE-2022-22620 https://access.redhat.com/security/cve/CVE-2022-22637 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.6_release_notes/

Package List

Red Hat Enterprise Linux AppStream (v. 8):
Source: webkit2gtk3-2.34.6-1.el8.src.rpm
aarch64: webkit2gtk3-2.34.6-1.el8.aarch64.rpm webkit2gtk3-debuginfo-2.34.6-1.el8.aarch64.rpm webkit2gtk3-debugsource-2.34.6-1.el8.aarch64.rpm webkit2gtk3-devel-2.34.6-1.el8.aarch64.rpm webkit2gtk3-devel-debuginfo-2.34.6-1.el8.aarch64.rpm webkit2gtk3-jsc-2.34.6-1.el8.aarch64.rpm webkit2gtk3-jsc-debuginfo-2.34.6-1.el8.aarch64.rpm webkit2gtk3-jsc-devel-2.34.6-1.el8.aarch64.rpm webkit2gtk3-jsc-devel-debuginfo-2.34.6-1.el8.aarch64.rpm
ppc64le: webkit2gtk3-2.34.6-1.el8.ppc64le.rpm webkit2gtk3-debuginfo-2.34.6-1.el8.ppc64le.rpm webkit2gtk3-debugsource-2.34.6-1.el8.ppc64le.rpm webkit2gtk3-devel-2.34.6-1.el8.ppc64le.rpm webkit2gtk3-devel-debuginfo-2.34.6-1.el8.ppc64le.rpm webkit2gtk3-jsc-2.34.6-1.el8.ppc64le.rpm webkit2gtk3-jsc-debuginfo-2.34.6-1.el8.ppc64le.rpm webkit2gtk3-jsc-devel-2.34.6-1.el8.ppc64le.rpm webkit2gtk3-jsc-devel-debuginfo-2.34.6-1.el8.ppc64le.rpm
s390x: webkit2gtk3-2.34.6-1.el8.s390x.rpm webkit2gtk3-debuginfo-2.34.6-1.el8.s390x.rpm webkit2gtk3-debugsource-2.34.6-1.el8.s390x.rpm webkit2gtk3-devel-2.34.6-1.el8.s390x.rpm webkit2gtk3-devel-debuginfo-2.34.6-1.el8.s390x.rpm webkit2gtk3-jsc-2.34.6-1.el8.s390x.rpm webkit2gtk3-jsc-debuginfo-2.34.6-1.el8.s390x.rpm webkit2gtk3-jsc-devel-2.34.6-1.el8.s390x.rpm webkit2gtk3-jsc-devel-debuginfo-2.34.6-1.el8.s390x.rpm
x86_64: webkit2gtk3-2.34.6-1.el8.i686.rpm webkit2gtk3-2.34.6-1.el8.x86_64.rpm webkit2gtk3-debuginfo-2.34.6-1.el8.i686.rpm webkit2gtk3-debuginfo-2.34.6-1.el8.x86_64.rpm webkit2gtk3-debugsource-2.34.6-1.el8.i686.rpm webkit2gtk3-debugsource-2.34.6-1.el8.x86_64.rpm webkit2gtk3-devel-2.34.6-1.el8.i686.rpm webkit2gtk3-devel-2.34.6-1.el8.x86_64.rpm webkit2gtk3-devel-debuginfo-2.34.6-1.el8.i686.rpm webkit2gtk3-devel-debuginfo-2.34.6-1.el8.x86_64.rpm webkit2gtk3-jsc-2.34.6-1.el8.i686.rpm webkit2gtk3-jsc-2.34.6-1.el8.x86_64.rpm webkit2gtk3-jsc-debuginfo-2.34.6-1.el8.i686.rpm webkit2gtk3-jsc-debuginfo-2.34.6-1.el8.x86_64.rpm webkit2gtk3-jsc-devel-2.34.6-1.el8.i686.rpm webkit2gtk3-jsc-devel-2.34.6-1.el8.x86_64.rpm webkit2gtk3-jsc-devel-debuginfo-2.34.6-1.el8.i686.rpm webkit2gtk3-jsc-devel-debuginfo-2.34.6-1.el8.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2022:1777-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2022:1777
Issued Date: : 2022-05-10
CVE Names: CVE-2021-30809 CVE-2021-30818 CVE-2021-30823 CVE-2021-30836 CVE-2021-30846 CVE-2021-30848 CVE-2021-30849 CVE-2021-30851 CVE-2021-30884 CVE-2021-30887 CVE-2021-30888 CVE-2021-30889 CVE-2021-30890 CVE-2021-30897 CVE-2021-30934 CVE-2021-30936 CVE-2021-30951 CVE-2021-30952 CVE-2021-30953 CVE-2021-30954 CVE-2021-30984 CVE-2021-45481 CVE-2021-45482 CVE-2021-45483 CVE-2022-22589 CVE-2022-22590 CVE-2022-22592 CVE-2022-22594 CVE-2022-22620 CVE-2022-22637

Topic

An update for webkit2gtk3 is now available for Red Hat Enterprise Linux 8.Red Hat Product Security has rated this update as having a security impactof Moderate. A Common Vulnerability Scoring System (CVSS) base score, whichgives a detailed severity rating, is available for each vulnerability fromthe CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, ppc64le, s390x, x86_64


Bugs Fixed

1985042 - Upgrade WebKitGTK for RHEL 8.6

2017898 - CVE-2021-30846 webkitgtk: Memory corruption issue leading to arbitrary code execution

2017901 - CVE-2021-30848 webkitgtk: Memory corruption issue leading to arbitrary code execution

2017904 - CVE-2021-30849 webkitgtk: Multiple memory corruption issue leading to arbitrary code execution

2018573 - CVE-2021-30851 webkitgtk: Memory corruption issue leading to arbitrary code execution

2034347 - CVE-2021-30809 webkitgtk: Use-after-free leading to arbitrary code execution

2034368 - CVE-2021-30818 webkitgtk: Type confusion issue leading to arbitrary code execution

2034373 - CVE-2021-30823 webkitgtk: Logic issue leading to HSTS bypass

2034376 - CVE-2021-30836 webkitgtk: Out-of-bounds read leading to memory disclosure

2034378 - CVE-2021-30884 webkitgtk: CSS compositing issue leading to revealing of the browsing history

2034381 - CVE-2021-30887 webkitgtk: Logic issue leading to Content Security Policy bypass

2034383 - CVE-2021-30888 webkitgtk: Information leak via Content Security Policy reports

2034386 - CVE-2021-30889 webkitgtk: Buffer overflow leading to arbitrary code execution

2034389 - CVE-2021-30890 webkitgtk: Logic issue leading to universal cross-site scripting

2038907 - CVE-2021-30897 webkitgtk: Cross-origin data exfiltration via resource timing API

2040327 - CVE-2021-45481 webkitgtk: Incorrect memory allocation in WebCore::ImageBufferCairoImageSurfaceBackend::create

2040329 - CVE-2021-45482 webkitgtk: use-after-free in WebCore::ContainerNode::firstChild

2040331 - CVE-2021-45483 webkitgtk: use-after-free in WebCore::Frame::page

2041559 - Doesn't show document with ongoing resources' download immediately

2044521 - CVE-2021-30934 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution

2044528 - CVE-2021-30936 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution

2044534 - CVE-2021-30951 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution

2044538 - CVE-2021-30952 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution

2044542 - CVE-2021-30953 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution

2044551 - CVE-2021-30954 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution

2044553 - CVE-2021-30984 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution

2045291 - CVE-2022-22594 webkitgtk: A malicious website may exfiltrate data cross-origin

2053179 - CVE-2022-22589 webkitgtk: Processing a maliciously crafted mail message may lead to running arbitrary javascript

2053181 - CVE-2022-22590 webkitgtk: Processing maliciously crafted web content may lead to arbitrary code execution

2053185 - CVE-2022-22592 webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced

2056474 - CVE-2022-22620 webkitgtk: maliciously crafted web content may lead to arbitrary code execution due to use after free

2073903 - CVE-2022-22637 webkitgtk: logic issue was addressed with improved state management


Related News

19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved