Detections
Analytics

Debian DSA-4515-1 : webkit2gtk - security update

high Nessus Plugin ID 128511

Language:

Synopsis

The remote Debian host is missing a security-related update.

Description

Several vulnerabilities have been discovered in the webkit2gtk web engine :

 - CVE-2019-8644 G. Geshev discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8649 Sergei Glazunov discovered an issue that may lead to universal cross site scripting.

 - CVE-2019-8658 akayn discovered an issue that may lead to universal cross site scripting.

 - CVE-2019-8666 Zongming Wang and Zhe Jin discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8669 akayn discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8671 Apple discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8672 Samuel Gross discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8673 Soyeon Park and Wen Xu discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8676 Soyeon Park and Wen Xu discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8677 Jihui Lu discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8678 An anonymous researcher, Anthony Lai, Ken Wong, Jeonghoon Shin, Johnny Yu, Chris Chan, Phil Mok, Alan Ho, and Byron Wai discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8679 Jihui Lu discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8680 Jihui Lu discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8681 G. Geshev discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8683 lokihardt discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8684 lokihardt discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8686 G. Geshev discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8687 Apple discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8688 Insu Yun discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8689 lokihardt discovered memory corruption issues that can lead to arbitrary code execution.

 - CVE-2019-8690 Sergei Glazunov discovered an issue that may lead to universal cross site scripting.

You can see more details on the WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004.

Solution

Upgrade the webkit2gtk packages.

For the stable distribution (buster), these problems have been fixed in version 2.24.4-1~deb10u1.

See Also

https://security-tracker.debian.org/tracker/CVE-2019-8644

https://security-tracker.debian.org/tracker/CVE-2019-8649

https://security-tracker.debian.org/tracker/CVE-2019-8658

https://security-tracker.debian.org/tracker/CVE-2019-8666

https://security-tracker.debian.org/tracker/CVE-2019-8669

https://security-tracker.debian.org/tracker/CVE-2019-8671

https://security-tracker.debian.org/tracker/CVE-2019-8672

https://security-tracker.debian.org/tracker/CVE-2019-8673

https://security-tracker.debian.org/tracker/CVE-2019-8676

https://security-tracker.debian.org/tracker/CVE-2019-8677

https://security-tracker.debian.org/tracker/CVE-2019-8678

https://security-tracker.debian.org/tracker/CVE-2019-8679

https://security-tracker.debian.org/tracker/CVE-2019-8680

https://security-tracker.debian.org/tracker/CVE-2019-8681

https://security-tracker.debian.org/tracker/CVE-2019-8683

https://security-tracker.debian.org/tracker/CVE-2019-8684

https://security-tracker.debian.org/tracker/CVE-2019-8686

https://security-tracker.debian.org/tracker/CVE-2019-8687

https://security-tracker.debian.org/tracker/CVE-2019-8688

https://security-tracker.debian.org/tracker/CVE-2019-8689

https://security-tracker.debian.org/tracker/CVE-2019-8690

https://security-tracker.debian.org/tracker/source-package/webkit2gtk

https://packages.debian.org/source/buster/webkit2gtk

https://www.debian.org/security/2019/dsa-4515

Plugin Details

Severity: High

ID: 128511

File Name: debian_DSA-4515.nasl

Version: 1.6

Type: local

Agent: unix

Published: 9/5/2019

Updated: 2/1/2021

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 8.1

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 8.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:webkit2gtk

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/4/2019

Vulnerability Publication Date: 12/18/2019

Reference Information

CVE: CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, CVE-2019-8690

DSA: 4515