APPLE-SA-2015-09-16-1

APPLE-SA-2015-09-30-2

openSUSE-SU-2016:0761

76766

1033609

https://support.apple.com/HT205212

https://support.apple.com/HT205265

This update for webkit2gtk3 fixes the following issues :

  - Update to version 2.10.7 :

  + Fix the build with GTK+ < 3.16.

  - Changes from version 2.10.6 :

  + Fix a deadlock in the Web Process when JavaScript     garbage collector was running for a web worker thread     that made google maps to hang.

  + Fix media controls displaying without controls     attribute.

  + Fix a Web Process crash when quickly attempting many DnD     operations.

  - Changes from version 2.10.5 :

  + Disable DNS prefetch when a proxy is configured.

  + Reduce the maximum simultaneous network connections to     match other browsers.

  + Make WebKitWebView always propagate motion-notify-event     signal.

  + Add a way to force accelerating compositing mode at     runtime using an environment variable.

  + Fix input elements and scrollbars rendering with GTK+     3.19.

  + Fix rendering of lines when using solid colors.

  + Fix UI process crashes related to not having a main     resource response when the load is committed for pages     restored from the history cache.

  + Fix a WebProcess crash when loading large contents with     custom URI schemes API.

  + Fix a crash in the UI process when the WebView is     destroyed while the screensaver DBus proxy is being     created.

  + Fix WebProcess crashes due to BadDrawable X errors in     accelerated compositing mode.

  + Fix crashes on PPC64 due to mprotect() on address not     aligned to the page size.

  + Fix std::bad_function_call exception raised in     dispatchDecidePolicyForNavigationAction.

  + Fix downloads of data URLs.

  + Fix runtime critical warnings when closing a page     containing windowed plugins.

  + Fix several crashes and rendering issues.

  + Translation updates: French, German, Italian, Turkish.

  + Security fixes: CVE-2015-7096, CVE-2015-7098.

  - Update to version 2.10.4, notable changes :

  + New HTTP disk cache for the Network Process.

  + New Web Inspector UI.

  + Automatic ScreenServer inhibition when playing     fullscreen videos.

  + Initial Editor API.

  + Performance improvements.

  - This update addresses the following security issues:
    CVE-2015-1122, CVE-2015-1152, CVE-2015-1155,     CVE-2015-3660, CVE-2015-3730, CVE-2015-3738,     CVE-2015-3740, CVE-2015-3742, CVE-2015-3744,     CVE-2015-3746, CVE-2015-3750, CVE-2015-3751,     CVE-2015-3754, CVE-2015-3755, CVE-2015-5804,     CVE-2015-5805, CVE-2015-5807, CVE-2015-5810,     CVE-2015-5813, CVE-2015-5814, CVE-2015-5815,     CVE-2015-5817, CVE-2015-5818, CVE-2015-5825,     CVE-2015-5827, CVE-2015-5828, CVE-2015-5929,     CVE-2015-5930, CVE-2015-5931, CVE-2015-7002,     CVE-2015-7013, CVE-2015-7014, CVE-2015-7048,     CVE-2015-7095, CVE-2015-7097, CVE-2015-7099,     CVE-2015-7100, CVE-2015-7102, CVE-2015-7103,     CVE-2015-7104

  - Add BuildRequires: hyphen-devel to pick up hyphenation     support. Note this is broken upstream.

  - Build with -DENABLE_DATABASE_PROCESS=OFF and

    -DENABLE_INDEXED_DATABASE=OFF to avoid an issue with GCC     4.8.

The remote host is running a version of iOS that is prior to version 9.0 and the following components contain vulnerabilities :

 - Apple Pay 
 - AppleKeyStore 
 - Application Store 
 - Audio 
 - Certificate Trust Policy 
 - CFNetwork 
 - CFNetwork Cookies 
 - CFNetwork FTPProtocol 
 - CFNetwork Proxies 
 - CFNetwork SSL 
 - CoreAnimation 
 - CoreCrypto 
 - CoreText 
 - Data Detectors Engine 
 - Dev Tools 
 - Disk Images 
 - dyld 
 - Game Center 
 - ICU 
 - IOAcceleratorFamily 
 - IOHIDFamily 
 - IOKit 
 - IOMobileFrameBuffer 
 - IOStorageFamily 
 - iTunes Store 
 - JavaScriptCore 
 - Kernel 
 - libc 
 - libpthread 
 - Mail 
 - Multipeer Connectivity 
 - NetworkExtension 
 - OpenSSL 
 - PluginKit 
 - removefile 
 - Safari 
 - Safari Safe Browsing 
 - Security 
 - Siri 
 - SpringBoard 
 - SQLite 
 - tidy 
 - WebKit 
 - WebKit Canvas 
 - WebKit Page Loading

The version of Safari installed on the remote host is prior to 9.0. It is, therefore, affected by multiple vulnerabilities in the following components :

 - Safari
 - Safari Downloads
 - Safari Extensions
 - Safari Safe Browsing
 - WebKit
 - WebKit CSS
 - WebKit JavaScript Bindings
 - WebKit Page Loading
 - WebKit Plug-ins

The remote host is running a version of Mac OS X that is 10.6.8 or later but prior to 10.11. It is, therefore, affected by multiple vulnerabilities in the following components :

  - Address Book
  - AirScan
  - apache_mod_php
  - Apple Online Store Kit
  - AppleEvents
  - Audio
  - bash
  - Certificate Trust Policy
  - CFNetwork Cookies
  - CFNetwork FTPProtocol
  - CFNetwork HTTPProtocol
  - CFNetwork Proxies
  - CFNetwork SSL
  - CoreCrypto
  - CoreText
  - Dev Tools
  - Disk Images
  - dyld
  - EFI
  - Finder
  - Game Center
  - Heimdal
  - ICU
  - Install Framework Legacy
  - Intel Graphics Driver
  - IOAudioFamily
  - IOGraphics
  - IOHIDFamily
  - IOStorageFamily
  - Kernel
  - libc
  - libpthread
  - libxpc
  - Login Window
  - lukemftpd
  - Mail
  - Multipeer Connectivity
  - NetworkExtension
  - Notes
  - OpenSSH
  - OpenSSL
  - procmail
  - remote_cmds
  - removefile
  - Ruby
  - Safari
  - Safari Downloads
  - Safari Extensions
  - Safari Safe Browsing
  - Security
  - SMB
  - SQLite
  - Telephony
  - Terminal
  - tidy
  - Time Machine
  - WebKit
  - WebKit CSS
  - WebKit JavaScript Bindings
  - WebKit Page Loading
  - WebKit Plug-ins

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

The version of Apple Safari installed on the remote Mac OS X host is prior to 9.0. It is, therefore, affected by multiple vulnerabilities in the following components :

  - Safari
  - Safari Downloads
  - Safari Extensions
  - Safari Safe Browsing
  - WebKit
  - WebKit CSS
  - WebKit JavaScript Bindings
  - WebKit Page Loading
  - WebKit Plug-ins

The mobile device is running a version of iOS prior to version 9.0. It is, therefore, affected by vulnerabilities in the following components :

  - Apple Pay
  - AppleKeyStore
  - Application Store
  - Audio
  - Certificate Trust Policy
  - CFNetwork
  - CFNetwork Cookies
  - CFNetwork FTPProtocol
  - CFNetwork Proxies
  - CFNetwork SSL
  - CommonCrypto 
  - CoreAnimation
  - CoreCrypto
  - CoreText
  - Data Detectors Engine
  - Dev Tools
  - Disk Images
  - dyld
  - Game Center
  - ICU
  - IOAcceleratorFamily
  - IOHIDFamily
  - IOKit
  - IOMobileFrameBuffer
  - IOStorageFamily
  - iTunes Store
  - JavaScriptCore
  - Kernel
  - libc
  - libpthread
  - Mail
  - Multipeer Connectivity
  - NetworkExtension
  - OpenSSL
  - PluginKit
  - removefile
  - Safari
  - Safari Safe Browsing
  - Security
  - Siri
  - SpringBoard
  - SQLite
  - tidy
  - WebKit
  - WebKit Canvas
  - WebKit Page Loading

ID	Name	Product	Family	Severity
89950	openSUSE Security Update : webkit2gtk3 (openSUSE-2016-340)	Nessus	SuSE Local Security Checks	medium
8979	Apple iOS < 9.0 Multiple Vulnerabilities	Nessus Network Monitor	Mobile Devices	high
8976	Safari < 9.0 Multiple Vulnerabilities	Nessus Network Monitor	Web Clients	medium
86270	Mac OS X < 10.11 Multiple Vulnerabilities (GHOST)	Nessus	MacOS X Local Security Checks	critical
86252	Mac OS X : Apple Safari < 9.0 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
85987	Apple iOS < 9.0 Multiple Vulnerabilities	Nessus	Mobile Devices	critical

CVE-2015-5825

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins