openSUSE Security Update : webkit2gtk3 (openSUSE-2016-340)

Medium Nessus Plugin ID 89950

VPR Score: 5.9

Synopsis

The remote openSUSE host is missing a security update.

Description

This update for webkit2gtk3 fixes the following issues :

- Update to version 2.10.7 :

+ Fix the build with GTK+ < 3.16.

- Changes from version 2.10.6 :

+ Fix a deadlock in the Web Process when the JavaScript garbage collector was running for a web worker thread, which made Google Maps hang.

+ Fix media controls displaying without controls attribute.

+ Fix a Web Process crash when quickly attempting many DnD operations.

- Changes from version 2.10.5 :

+ Disable DNS prefetch when a proxy is configured.

+ Reduce the maximum simultaneous network connections to match other browsers.

+ Make WebKitWebView always propagate motion-notify-event signal.

+ Add a way to force accelerated compositing mode at runtime using an environment variable.

+ Fix input elements and scrollbars rendering with GTK+ 3.19.

+ Fix rendering of lines when using solid colors.

+ Fix UI process crashes related to not having a main resource response when the load is committed for pages restored from the history cache.

+ Fix a WebProcess crash when loading large contents with custom URI schemes API.

+ Fix a crash in the UI process when the WebView is destroyed while the screensaver DBus proxy is being created.

+ Fix WebProcess crashes due to BadDrawable X errors in accelerated compositing mode.

+ Fix crashes on PPC64 due to mprotect() on address not aligned to the page size.

+ Fix std::bad_function_call exception raised in dispatchDecidePolicyForNavigationAction.

+ Fix downloads of data URLs.

+ Fix runtime critical warnings when closing a page containing windowed plugins.

+ Fix several crashes and rendering issues.

+ Translation updates: French, German, Italian, Turkish.

+ Security fixes: CVE-2015-7096, CVE-2015-7098.

- Update to version 2.10.4, notable changes :

+ New HTTP disk cache for the Network Process.

+ New Web Inspector UI.

+ Automatic ScreenSaver inhibition when playing fullscreen videos.

+ Initial Editor API.

+ Performance improvements.

- This update addresses the following security issues:
CVE-2015-1122, CVE-2015-1152, CVE-2015-1155, CVE-2015-3660, CVE-2015-3730, CVE-2015-3738, CVE-2015-3740, CVE-2015-3742, CVE-2015-3744, CVE-2015-3746, CVE-2015-3750, CVE-2015-3751, CVE-2015-3754, CVE-2015-3755, CVE-2015-5804, CVE-2015-5805, CVE-2015-5807, CVE-2015-5810, CVE-2015-5813, CVE-2015-5814, CVE-2015-5815, CVE-2015-5817, CVE-2015-5818, CVE-2015-5825, CVE-2015-5827, CVE-2015-5828, CVE-2015-5929, CVE-2015-5930, CVE-2015-5931, CVE-2015-7002, CVE-2015-7013, CVE-2015-7014, CVE-2015-7048, CVE-2015-7095, CVE-2015-7097, CVE-2015-7099, CVE-2015-7100, CVE-2015-7102, CVE-2015-7103, CVE-2015-7104

- Add BuildRequires: hyphen-devel to pick up hyphenation support. Note this is broken upstream.

- Build with -DENABLE_DATABASE_PROCESS=OFF and -DENABLE_INDEXED_DATABASE=OFF to avoid an issue with GCC 4.8.

Solution

Update the affected webkit2gtk3 packages.

Plugin Details

Severity: Medium

ID: 89950

File Name: openSUSE-2016-340.nasl

Version: 2.2

Type: local

Agent: unix

Published: 2016/03/16

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 5.9

CVSS v2.0

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18, p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit, p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo, p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo-32bit, p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37, p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit, p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo, p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo-32bit, p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang, p-cpe:/a:novell:opensuse:typelib-1_0-JavaScriptCore-4_0, p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2-4_0, p-cpe:/a:novell:opensuse:typelib-1_0-WebKit2WebExtension-4_0, p-cpe:/a:novell:opensuse:webkit-jsc-4, p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo, p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles, p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo, p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource, p-cpe:/a:novell:opensuse:webkit2gtk3-devel, cpe:/o:novell:opensuse:42.1

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list, Host/cpu

Patch Publication Date: 2016/03/15

Reference Information

CVE: CVE-2015-1122, CVE-2015-1152, CVE-2015-1155, CVE-2015-3660, CVE-2015-3730, CVE-2015-3738, CVE-2015-3740, CVE-2015-3742, CVE-2015-3744, CVE-2015-3746, CVE-2015-3750, CVE-2015-3751, CVE-2015-3754, CVE-2015-3755, CVE-2015-5804, CVE-2015-5805, CVE-2015-5807, CVE-2015-5810, CVE-2015-5813, CVE-2015-5814, CVE-2015-5815, CVE-2015-5817, CVE-2015-5818, CVE-2015-5825, CVE-2015-5827, CVE-2015-5828, CVE-2015-5929, CVE-2015-5930, CVE-2015-5931, CVE-2015-7002, CVE-2015-7013, CVE-2015-7014, CVE-2015-7048, CVE-2015-7095, CVE-2015-7096, CVE-2015-7097, CVE-2015-7098, CVE-2015-7099, CVE-2015-7100, CVE-2015-7102, CVE-2015-7103, CVE-2015-7104