lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 10 Jan 2018 17:36:24 +0100
From: Carlos Alberto Lopez Perez <clopez@...lia.com>
To: "webkit-gtk@...ts.webkit.org" <webkit-gtk@...ts.webkit.org>
Cc: security@...kit.org, distributor-list@...me.org,
  oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: WebKitGTK+ Security Advisory WSA-2018-0001

------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               WSA-2018-0001
------------------------------------------------------------------------

Date reported      : January 10, 2018
Advisory ID        : WSA-2018-0001
Advisory URL       : https://webkitgtk.org/security/WSA-2018-0001.html
CVE identifiers    : CVE-2017-5753, CVE-2017-5715.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2017-5753
    Versions affected: WebKitGTK+ before 2.18.5.
    Credit to Jann Horn of Google Project Zero; and Paul Kocher in
    collaboration with Daniel Genkin of University of Pennsylvania and
    University of Maryland, Daniel Gruss of Graz University of
    Technology, Werner Haas of Cyberus Technology, Mike Hamburg of
    Rambus (Cryptography Research Division), Moritz Lipp of Graz
    University of Technology, Stefan Mangard of Graz University of
    Technology, Thomas Prescher of Cyberus Technology, Michael Schwarz
    of Graz University of Technology, and Yuval Yarom of University of
    Adelaide and Data61.
    Impact: Systems with microprocessors utilizing speculative execution
    and branch prediction may allow unauthorized disclosure of
    information to an attacker via a side-channel analysis. This variant
    of the Spectre vulnerability triggers the speculative execution by
    performing a bounds-check bypass. Description: Security improvements
    are included to mitigate the effects.

CVE-2017-5715
    Versions affected: WebKitGTK+ before 2.18.5.
    Credit to Jann Horn of Google Project Zero; and Paul Kocher in
    collaboration with Daniel Genkin of University of Pennsylvania and
    University of Maryland, Daniel Gruss of Graz University of
    Technology, Werner Haas of Cyberus Technology, Mike Hamburg of
    Rambus (Cryptography Research Division), Moritz Lipp of Graz
    University of Technology, Stefan Mangard of Graz University of
    Technology, Thomas Prescher of Cyberus Technology, Michael Schwarz
    of Graz University of Technology, and Yuval Yarom of University of
    Adelaide and Data61.
    Impact: Systems with microprocessors utilizing speculative execution
    and branch prediction may allow unauthorized disclosure of
    information to an attacker via a side-channel analysis. This variant
    of the Spectre vulnerability triggers the speculative execution by
    utilizing branch target injection. Description: Security
    improvements are included to mitigate the effects.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
January 10, 2018



Download attachment "signature.asc" of type "application/pgp-signature" (898 bytes)

Powered by blists - more mailing lists