lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <1525704784.21704.0@mail.igalia.com>
Date: Mon, 07 May 2018 09:53:04 -0500
From: Michael Catanzaro <mcatanzaro@...lia.com>
To: webkit-gtk@...ts.webkit.org
Cc: security@...kit.org, distributor-list@...me.org,
  oss-security@...ts.openwall.com, bugtraq@...urityfocus.com
Subject: WebKitGTK+ Security Advisory WSA-2018-0004

------------------------------------------------------------------------
WebKitGTK+ Security Advisory                               WSA-2018-0004
------------------------------------------------------------------------

Date reported      : May 07, 2018
Advisory ID        : WSA-2018-0004
Advisory URL       : https://webkitgtk.org/security/WSA-2018-0004.html
CVE identifiers    : CVE-2018-4121, CVE-2018-4200, CVE-2018-4204.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2018-4121
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Natalie Silvanovich of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: Multiple memory corruption
    issues were addressed with improved memory handling.

CVE-2018-4200
    Versions affected: WebKitGTK+ before 2.20.2.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A memory corruption issue was
    addressed with improved state management.

CVE-2018-4204
    Versions affected: WebKitGTK+ before 2.20.1.
    Credit to Richard Zhu (fluorescence) working with Trend Micro's Zero
    Day Initiative, found by OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to
    arbitrary code execution. Description: A memory corruption issue was
    addressed with improved memory handling.


We recommend updating to the last stable version of WebKitGTK+. It is
the best way of ensuring that you are running a safe version of
WebKitGTK+. Please check our website for information about the last
stable releases.

Further information about WebKitGTK+ Security Advisories can be found
at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
May 07, 2018

Powered by blists - more mailing lists