Commit Graph

44 Commits

Author SHA1 Message Date
Adrian Perez de Castro
3e4230e6e0 package/webkitgtk: security bump to version 2.32.4
This is a minor release which provides fixes for CVE-2021-30858 and
a number of other potential security issues without an associated CVE.
Patch "0001-Add-ldp-and-stp-support-for-FP-registers-plus-some-b.patch"
is deleted as it has been included in this release.

Full release notes can be found at:

  https://webkitgtk.org/2021/09/17/webkitgtk2.32.4-released.html

An accompanying security advisory has been published at:

  https://webkitgtk.org/security/WSA-2021-0005.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2021-09-22 21:19:00 +02:00
Adrian Perez de Castro
1a19e26729 package/webkitgtk: security bump to version 2.32.3
This is a minor release which provides fixes for CVE-2021-21775,
CVE-2021-21779, CVE-2021-30663, CVE-2021-30665, CVE-2021-30689,
CVE-2021-30720, CVE-2021-30734, CVE-2021-30744, CVE-2021-30749,
CVE-2021-30795, CVE-2021-30797, and CVE-2021-30799.

Full release notes can be found at:

  https://webkitgtk.org/2021/07/23/webkitgtk2.32.3-released.html

An accompanying security advisory has been published at:

  https://webkitgtk.org/security/WSA-2021-0004.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-25 14:59:08 +02:00
Adrian Perez de Castro
7a2724683f package/webkitgtk: bump to version 2.32.2
Bugfix release, mainly solves a few issues with input events,
drag-and-drop, and a few crashes. Release notes:

  https://webkitgtk.org/2021/07/09/webkitgtk2.32.2-released.html

The patch for building against uClibc has been included in this release,
therefore "0001-Support-building-against-uClibc.patch" is removed.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2021-07-16 23:26:37 +02:00
Adrian Perez de Castro
deac34e1d3 package/webkitgtk: bump to version 2.32.1
Update to a new major release which bring in improvements and a few new
features. Release notes:

  https://webkitgtk.org/2021/03/26/webkitgtk2.32.0-released.html
  https://webkitgtk.org/2021/05/10/webkitgtk2.32.1-released.html

None of the new features in WebKitGTK 2.32.x need additional
dependencies.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-05-19 11:54:14 +02:00
Adrian Perez de Castro
185e1c9c62 package/webkitgtk: security bump to 2.30.6
This is a minor release which provides fixes for CVE-2020-27918,
CVE-2020-29623, CVE-2021-1765, CVE-2021-1789, CVE-2021-1799,
CVE-2021-1801, and CVE-2021-1870.

Full release notes can be found at:

  https://webkitgtk.org/2021/03/18/webkitgtk2.30.6-released.html

An accompanying security advisory has been published at:

  https://webkitgtk.org/security/WSA-2021-0002.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2021-03-28 10:22:54 +02:00
Peter Korsgaard
157dc4e3cf package/webkitgtk: security bump to version 2.30.5
Fixes the following security issue:

- CVE-2020-13558: Processing maliciously crafted web content may lead to
  arbitrary code execution.  Description: A use after free issue in the
  AudioSourceProviderGStreamer class was addressed with improved memory
  management

For more details, see the advisory:
https://webkitgtk.org/security/WSA-2021-0001.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Acked-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2021-02-16 21:51:20 +01:00
Adrian Perez de Castro
d50c6c3ebe package/webkitgtk: security bump to version 2.30.4
This is a minor release which provides a fix for CVE-2020-13543.

Full release notes:

  https://webkitgtk.org/2020/12/15/webkitgtk2.30.4-released.html

A detailed security advisory can be found at:

  https://webkitgtk.org/security/WSA-2020-0009.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-12-23 14:33:27 +01:00
Adrian Perez de Castro
4485b58356 package/webkitgtk: bump to version 2.30.3
This is a minor release which solved a build issues and fixes a number
of rendering issues. Release notes:

  https://webkitgtk.org/2020/11/20/webkitgtk2.30.3-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-11-22 15:25:45 +01:00
Adrian Perez de Castro
f09e3b065b package/webkitgtk: bump to version 2.30.2
This is a minor release which fixes a few build and networking issues.
Release notes:

  https://webkitgtk.org/2020/10/23/webkitgtk2.30.2-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-10-25 10:01:26 +01:00
Adrian Perez de Castro
24a92fad2e package/webkitgtk: bump to version 2.30.1
This is a minor release which fixes a regression found in 2.30.0.
Release notes:

  https://webkitgtk.org/2020/09/21/webkitgtk2.30.1-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-30 21:48:04 +02:00
Adrian Perez de Castro
b2df73ef84 package/webkitgtk: bump to version 2.30.0
This is a new major release which bring in many improvements and new
features. For a complete list, please refer to the release notes:

  https://webkitgtk.org/2020/09/11/webkitgtk2.30.0-released.html

None of the new features need additional dependencies.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-09-19 15:23:32 +02:00
Adrian Perez de Castro
0b4d5678f1 package/webkitgtk: security bump to version 2.28.4
This is a minor release which provides fixes for CVE-2020-9862,
CVE-2020-9893, CVE-2020-9894, CVE-2020-9895, CVE-2020-9915, and
CVE-2020-9925.

Full release notes can be found at:

  https://webkitgtk.org/2020/07/28/webkitgtk2.28.4-released.html

A detailed security advisory can be found at:

  https://webkitgtk.org/security/WSA-2020-0007.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-07-31 09:12:00 +02:00
Adrian Perez de Castro
fa1185412e package/webkitgtk: security bump to version 2.28.3
This is a minor release which provides fixes for CVE-2020-9800,
CVE-2020-9802, CVE-2020-9803, CVE-2020-9805, CVE-2020-9806,
CVE-2020-9807, CVE-2020-9843, CVE-2020-9850, and CVE-2020-13753.

Updating from 2.28.2 also brings in the usual batch of fixes, including
important improvements to threading in the media player. Full release
notes can be found at:

  https://webkitgtk.org/2020/07/09/webkitgtk2.28.3-released.html

A detailed security advisory can be found at:

  https://webkitgtk.org/security/WSA-2020-0006.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-07-11 16:00:00 +02:00
Adrian Perez de Castro
080f4251ad package/webkitgtk: security bump to version 2.28.2
This is a minor release which provides fixes for CVE-2020-11793,
CVE-2020-3887, CVE-2020-3894, and CVE-2020-3899.

Updating from 2.28.0 also brings a few rendering fixes, a build fix
on MIPS64, a build fix for GStreamer 1.12, and solves a couple of
crashes. The full release notes covering 2.28.1 and 2.28.2 can be
found at:

  https://webkitgtk.org/2020/04/13/webkitgtk2.28.1-released.html
  https://webkitgtk.org/2020/04/24/webkitgtk2.28.2-released.html

A detailed security advisory can be found at:

  https://webkitgtk.org/security/WSA-2020-0004.html

Note that the above does not cover all the CVEs, and a new advisory
including them is expected to be published in the next days.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-04-26 22:19:02 +02:00
Adrian Perez de Castro
e028d52b7e package/wpewebkit: security bump to version 2.28.2
This is a minor release which provides fixes for CVE-2020-11793,
CVE-2020-3887, CVE-2020-3894, and CVE-2020-3899.

Updating from 2.28.0 also brings a few rendering fixes, a build fix
on MIPS64, a build fix for GStreamer 1.12, and solves a couple of
crashes. The full release notes covering 2.28.1 and 2.28.2 can be
found at:

  https://wpewebkit.org/release/wpewebkit-2.28.1.html
  https://wpewebkit.org/release/wpewebkit-2.28.2.html

A detailed security advisory can be found at:

  https://wpewebkit.org/security/WSA-2020-0004.html

Note that the above does not cover all the CVEs, and a new advisory
including them is expected to be published in the next days.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[yann.morin.1998@free.fr: two spaces in hash file]
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
2020-04-26 21:55:16 +02:00
Adrian Perez de Castro
6ebd152853 package/webkitgtk: bump to version 2.28.0
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2020-04-08 21:12:41 +02:00
Peter Korsgaard
97ce61f633 package/webkitgtk: security bump to version 2.26.4
Fixes the following security issues:

- CVE-2020-3862: Impact: A malicious website may be able to cause a denial
  of service.  Description: A denial of service issue was addressed with
  improved memory handling.

- CVE-2020-3864: Impact: A DOM object context may not have had a unique
  security origin.  Description: A logic issue was addressed with improved
  validation.

- CVE-2020-3865: Impact: A top-level DOM object context may have incorrectly
  been considered secure.  Description: A logic issue was addressed with
  improved validation.

- CVE-2020-3867: Impact: Processing maliciously crafted web content may lead
  to universal cross site scripting.  Description: A logic issue was
  addressed with improved state management.

- CVE-2020-3868: Impact: Processing maliciously crafted web content may lead
  to arbitrary code execution.  Description: Multiple memory corruption
  issues were addressed with improved memory handling.

For more details, see the advisory:
https://webkitgtk.org/security/WSA-2020-0002.html

While we are at it, adjust the white space in the .hash function to match
the new agreements.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-16 12:54:41 +01:00
Peter Korsgaard
35df7bdb07 package/webkitgtk: security bump to version 2.26.3
Fixes the following security issues:

- CVE-2019-8835: Multiple memory corruption issues were addressed with
  improved memory handling

- CVE-2019-8844: Multiple memory corruption issues were addressed with
  improved memory handling

- CVE-2019-8846: A use after free issue was addressed with improved memory
  management

For details, see the advisory:
https://webkitgtk.org/security/WSA-2020-0001.html

Drop now upstreamed patch.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-01-28 23:26:30 +01:00
Adrian Perez de Castro
3b8c95a08d package/webkitgtk: security bump to version 2.26.2
This is a minor release which includes fixes for CVE-2019-8812 and
CVE-2019-8814.

This release also fixes the build with WebDriver disabled and without
X11, so "0001-GTK-ANGLE-s-eglplatform.h-is-build-broken-with-DENAB.patch"
and "0002-WPE-GTK-Build-fails-with-ENABLE_WEBDRIVER-OFF.patch" are not
needed anymore (and therefore removed). There is also a performance
improvement for a regression related to fallback font selection, and a
couple of small fixes. The full release notes are available at:

  https://webkitgtk.org/2019/11/06/webkitgtk2.26.2-released.html

The detailed security advisory can be found at:

  https://webkitgtk.org/security/WSA-2019-0006.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-11-23 11:56:41 +01:00
Adrian Perez de Castro
6cf04ab783 package/webkitgtk: bump to version 2.26.1
Release notes:

  https://webkitgtk.org/2019/09/23/webkitgtk2.26.1-released.html

This is a bugfix release which fixes a few issues detected in 2.26.0
and includes media playback improvements as well.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-09-25 22:10:35 +02:00
Adrian Perez de Castro
38b740ec6f package/webkitgtk: bump to version 2.26.0
This is a new major release which brings in many improvements and new
features. For a complete list, please refer to the release notes:

  https://webkitgtk.org/2019/09/09/webkitgtk2.26.0-released.html

A small patch is added which fixes a build failure when X11 headers
are not available (for example, when building a Wayland-only system)

The new support for the WPE renderer on Wayland and the new Bubblewrap
sandbox need additional dependencies and therefore are explicitly
disabled at the moment.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-09-19 22:08:57 +02:00
Adrian Perez de Castro
046b09f776 package/webkitgtk: security bump to version 2.24.4
This is a minor release which includes fixes for CVE-2019-8644,
CVE-2019-8649, CVE-2019-8658, CVE-2019-8669, CVE-2019-8676,
CVE-2019-8678, CVE-2019-8680, CVE-2019-8683, CVE-2019-8684, and
CVE-2019-8688.

This release also contains many build fixes, a few media playback
improvements, and a Web compatibility fix. For a complete list,
the full release notes at:

  https://webkitgtk.org/2019/08/28/webkitgtk2.24.4-released.html

The detailed security advisory can be found at:

  https://webkitgtk.org/security/WSA-2019-0004.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-08-30 16:34:39 +02:00
Adrian Perez de Castro
3ff05d9094 package/webkitgtk: bump to version 2.24.3
Version 2.24.3 is a minor update which contains many bugfixes.
>From the announcement:

  - Fix previous/next gestures in RTL mode.
  - Fix rendering artifacts in popular sites (YouTube, GitHub, etc.)
  - Fix media playback annoyances (volume randomly changing, HLS streams
    starting too slowly, some audio streams would not play, etc.)
  - Fix build with audio and video disabled.

  https://webkitgtk.org/2019/07/02/webkitgtk2.24.3-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-07-05 08:20:48 +02:00
Adrian Perez de Castro
6ca120e10a package/webkitgtk: security bump to version 2.24.2
This is a new major release which brings in many improvements and new
features. For a complete list, please refer to the release notes:

  https://webkitgtk.org/2019/03/13/webkitgtk2.24.0-released.html
  https://webkitgtk.org/2019/04/09/webkitgtk2.24.1-released.html
  https://webkitgtk.org/2019/05/17/webkitgtk2.24.2-released.html

Updating to version 2.24.2 also includes fixes for CVE-2019-6201,
CVE-2019-6251, CVE-2019-7285, CVE-2019-7292, CVE-2019-8503,
CVE-2019-8506, CVE-2019-8515, CVE-2019-8518, CVE-2019-8523,
CVE-2019-8524, CVE-2019-8535, CVE-2019-8536, CVE-2019-8544,
CVE-2019-8551, CVE-2019-8558, CVE-2019-8559, CVE-2019-8563,
CVE-2019-11070, CVE-2019-6237, CVE-2019-8571, CVE-2019-8583,
CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594,
CVE-2019-8595, CVE-2019-8596, CVE-2019-8597, CVE-2019-8601,
CVE-2019-8607, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610,
CVE-2019-8615, CVE-2019-8611, CVE-2019-8619, CVE-2019-8622, and
CVE-2019-8623.

The detailed security advisories can be found at:

  https://webkitgtk.org/security/WSA-2019-0002.html
  https://webkitgtk.org/security/WSA-2019-0003.html

The BR2_PACKAGE_WEBKITGTK_ARCH_SUPPORTS_JIT configuration symbol is not
needed anymore, because the logic to decide whether the JavaScriptCore
JIT spport can be enabled has been improved upstream.

One of the new features in 2.24.x is the support for JPEG2000 images,
which is implemented using the OpenJPEG library. Therefore now
BR2_PACKAGE_OPENJPEG is selected.

This adds one small patch which did not make it to the 2.24.2 release
which solves a build issue when the building the GStreamer GL elements
is disabled.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-05-24 16:36:24 +02:00
Peter Korsgaard
d484ba63b5 package/webkitgtk: bump version to 2.22.7
2.22.7 contains a number of bugfixes. From the announcement:

 - Fix rendering of glyphs in Hebrew (and possibly other languages) when
   Unicode NFC normalization is used.

 - Fix several crashes and race conditions.

https://webkitgtk.org/2019/03/01/webkitgtk2.22.7-released.html

Change SITE to https as the webserver uses HSTS.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2019-04-03 21:40:29 +02:00
Adrian Perez de Castro
971afefaab package/webkitgtk: security bump to version 2.22.6
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE identifiers: CVE-2019-6212,
CVE-2019-6215, CVE-2019-6216, CVE-2019-6217, CVE-2019-6226,
CVE-2019-6227, CVE-2019-6229, CVE-2019-6233, and CVE-2019-6234.
Additionally, it contains a few minor fixes.

Release notes can be found in the announcement:

  https://webkitgtk.org/2019/02/09/webkitgtk2.22.6-released.html

More details on the issues covered by securit fixes can be found
in the corresponding security advisory:

  https://webkitgtk.org/security/WSA-2019-0001.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2019-02-10 10:52:26 +01:00
Adrian Perez de Castro
6bbfaf1d40 package/webkitgtk: security bump to version 2.22.5
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE identifiers: CVE-2018-4437,
CVE-2018-4438, CVE-2018-4441, CVE-2018-4442, CVE-2018-4443, and
CVE-2018-4464. Additionally, it fixes a couple of build failures in
unusual build configurations.

Release notes can be found in the announcement:

  https://webkitgtk.org/2018/12/13/webkitgtk2.22.5-released.html

More details on the issues covered by security fixes can be found
in the corresponding security advisory:

  https://webkitgtk.org/security/WSA-2018-0009.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-12-14 21:19:54 +01:00
Adrian Perez de Castro
7a827a17dc package/webkitgtk: bump to version 2.22.4
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for  CVE-2018-4345, CVE-2018-4372,
CVE-2018-4373, CVE-2018-4375, CVE-2018-4376, CVE-2018-4378,
CVE-2018-4382, CVE-2018-4386, CVE-2018-4392, and CVE-2018-4416.
Additionally, it fixes a few build failures, and a crash when using
certain version of Cairo.

Release notes can be found in the announcement:

  https://webkitgtk.org/2018/11/21/webkitgtk2.22.4-released.html

More details on the issues covered by security fixes can be found
in the corresponding security advisory:

  https://webkitgtk.org/security/WSA-2018-0008.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-11-25 23:50:21 +01:00
Adrian Perez de Castro
0def20865d webkitgtk: bump to version 2.22.3
Release notes:

    https://webkitgtk.org/2018/10/29/webkitgtk2.22.3-released.html

Patch "0001-ARM-Building-FELightingNEON.cpp-fails-due-to-missing.patch"
is removed because it is included in the new release.

This is a maintenance release which further improves playback of video
when using media source extensions (MSE), specially for WebM content,
and provides a few correctness fixes.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-10-31 11:30:36 +01:00
Adrian Perez de Castro
bd1bde0dc8 webkitgtk: bump to version 2.22.2
Release notes:

    https://webkitgtk.org/2018/09/03/webkitgtk2.22.0-released.html
    https://webkitgtk.org/2018/09/20/webkitgtk2.22.1-released.html
    https://webkitgtk.org/2018/09/21/webkitgtk2.22.2-released.html

No corresponding security advisories for 2.22.x have been published.
Nevertheless, due to skipping over versions in the 2.20.x series,
the following 2.20.x advisories apply:

    https://webkitgtk.org/security/WSA-2018-0003.html
    https://webkitgtk.org/security/WSA-2018-0004.html
    https://webkitgtk.org/security/WSA-2018-0005.html
    https://webkitgtk.org/security/WSA-2018-0006.html

This also bumps the required GCC version, due to the WebKit code
now using more modern C++ features which were introduced in version
6.x of the compiler. The dependency is propagated to the midori
package as well. Last but not least, BR2_PACKAGE_WEBP_DEMUX and
BR2_PACKAGE_GST1_PLUGINS_BAD_PLUGIN_MPEGTSDEMUX are selected as
they are unconditionally needed by the newer WebKitGTK+ releases
when multimedia support is enabled.

An upstream patch for 32-bit ARM which did not make it to be included
in this new version is included as well, and can be removed once it
gets picked in a new release.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
2018-09-25 22:46:24 +02:00
Adrian Perez de Castro
54798893b8 webkitgtk: security bump to version 2.18.6
This is a maintenance release of the current stable WebKitGTK+ version,
which contains security fixes for CVE-2018-4088, CVE-2017-13885,
CVE-2017-7165, CVE-2017-13884, CVE-2017-7160, CVE-2017-7153,
CVE-2017-7153, CVE-2017-7161, and CVE-2018-4096. Additionally, it solves
a GStreamer deadlock when stopping video playback, and contains fixes
and improvements for the WebDriver implementation.

Release notes can be found in the announcement:

  https://webkitgtk.org/2018/01/24/webkitgtk2.18.6-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-26 09:05:59 +01:00
Adrian Perez de Castro
4c5bc08ba3 webkitgtk: security bump to version 2.18.5
This is a maintenance release of the current stable WebKitGTK+ version,
which contains mitigations for CVE-2017-5753 and CVE-2017-5715, the
vulnerabilities known as the "Spectre" attack. It also contains a fix
which allows building the reference documentation with newer gtk-doc
versions.

Release notes can be found in the announcement:

  https://webkitgtk.org/2018/01/10/webkitgtk2.18.5-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-01-10 19:53:58 +01:00
Adrian Perez de Castro
fbf6a483e0 webkitgtk: security bimp to version 2.18.4
This is a maintenance release of the current stable WebKitGTK+ version,
which contains fixes for CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, and
CVE-2017-13856.  Additionally, this release brings improvements in the
WebDriver spec-compliance, plugs several memory leaks in its GStreamer based
multimedia backend, and fixes a bug when handling cookie removal.

Release notes can be found in the announcement:

  https://webkitgtk.org/2017/12/19/webkitgtk2.18.4-released.html

More details about the security fixes are provided in the following
WebKitGTK+ Security Advisory report:

  https://webkitgtk.org/security/WSA-2017-0010.html

Last but not least, this new release includes the fix for honoring the
CMAKE_BUILD_TYPE value from CMake toolchain files and the corresponding
patch is removed.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-12-21 16:28:22 +01:00
Adrian Perez de Castro
e7f82694cf webkitgtk: Add license hashes
Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-12-13 08:27:56 +01:00
Adrian Perez de Castro
5ff18880e9 webkitgtk: security bump to version 2.18.3
This is a maintenance release of the current stable WebKitGTK+ version,
which contains a minor rendering fix, another for the WebDriver
implementation, and security fixes for CVE-2017-13798, CVE-2017-13788,
and CVE-2017-13803.

Release notes:

    https://webkitgtk.org/2017/11/10/webkitgtk2.18.3-released.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-11-10 18:24:01 +01:00
Adrian Perez de Castro
e3459fd9c5 webkitgtk: security bump to version 2.18.2
This is a maintenance release of the current stable WebKitGTK+ version,
which contains bugfixes; mostly for crashes and rendering issues, plus
one important fix for the layout or Arabic text.

Release notes:

    https://webkitgtk.org/2017/10/27/webkitgtk2.18.2-released.html

Even though an acconpanying security advisory has not been published
for this release, the release contains fixes for several crashes (one
of them for the decoder of the very common GIF image format), which
arguably can be considered potential security issues.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-10-27 20:46:58 +02:00
Adrian Perez de Castro
6d623e7277 webkitgtk: security bump to version 2.18.1
This is a maintenance release of the current stable WebKitGTK+ version,
which contains bugfixes (many of them related to rendering, plus one
important fix for touch input) and many security fixes.

Release notes:

    https://webkitgtk.org/2017/10/18/webkitgtk2.18.1-released.html

Fixes CVE-2017-7081, CVE-2017-7087, CVE-2017-7089, CVE-2017-7090,
CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094,
CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099,
CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107,
CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120,
CVE-2017-7142:

    https://webkitgtk.org/security/WSA-2017-0008.html

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2017-10-21 12:39:42 +02:00
Adrian Perez de Castro
905b1ab5c2 webkitgtk: update to version 2.18.0
Release notes:
    https://webkitgtk.org/2017/09/11/webkitgtk2.18.0-released.html

No corresponding WebKit Security Advisory (WSA) has been published.

All patches have been applied upstream.

This also bumps the required target GCC version, due to the WebKit code
now using more modern C++ features which were introduced in version
5.x of the compiler.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
[Arnout:
 - propagate dependency to midori;
 - mention in commit message why patches were removed.]
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
2017-09-24 14:32:32 +02:00
Peter Korsgaard
b5582d54a4 webkitgtk: security bump to version 2.16.6
Fixes the following security issues:

CVE-2017-7018 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
tvOS before 10.2.2 is affected.  The issue involves the "WebKit" component.
It allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via a crafted web site.

CVE-2017-7030 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
tvOS before 10.2.2 is affected.  The issue involves the "WebKit" component.
It allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via a crafted web site.

CVE-2017-7034 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
tvOS before 10.2.2 is affected.  The issue involves the "WebKit" component.
It allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via a crafted web site.

CVE-2017-7037 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
tvOS before 10.2.2 is affected.  The issue involves the "WebKit" component.
It allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via a crafted web site.

CVE-2017-7039 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
tvOS before 10.2.2 is affected.  The issue involves the "WebKit" component.
It allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via a crafted web site.

CVE-2017-7046 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
tvOS before 10.2.2 is affected.  The issue involves the "WebKit" component.
It allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via a crafted web site.

CVE-2017-7048 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
tvOS before 10.2.2 is affected.  The issue involves the "WebKit" component.
It allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via a crafted web site.

CVE-2017-7055 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
tvOS before 10.2.2 is affected.  The issue involves the "WebKit" component.
It allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via a crafted web site.

CVE-2017-7056 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
tvOS before 10.2.2 is affected.  The issue involves the "WebKit" component.
It allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via a crafted web site.

CVE-2017-7061 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
tvOS before 10.2.2 is affected.  The issue involves the "WebKit" component.
It allows remote attackers to execute arbitrary code or cause a denial of
service (memory corruption and application crash) via a crafted web site.

CVE-2017-7064 - An issue was discovered in certain Apple products.  iOS
before 10.3.3 is affected.  Safari before 10.1.2 is affected.  iCloud before
6.2.2 on Windows is affected.  iTunes before 12.6.2 on Windows is affected.
The issue involves the "WebKit" component.  It allows attackers to bypass
intended memory-read restrictions via a crafted app.

For more details, see the announcement:
https://webkitgtk.org/2017/07/24/webkitgtk2.16.6-released.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Reviewed-by: "Adrian Perez de Castro" <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-26 16:48:30 +02:00
Adrián Pérez de Castro
23c0872442 webkitgtk: bump to version 2.16.5
This simply updates to the latest stable release. WebKitGTK+ versions
in the 2.1x series avoid bumping the dependencies in order to allow
distributions to provide updates, therefore no new dependencies are
needed.

Signed-off-by: Adrian Perez de Castro <aperez@igalia.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2017-07-05 17:17:53 +02:00
Gustavo Zacarias
2bc1cc7cc1 webkitgtk: bump to version 2.12.5
Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-09-06 21:30:55 +02:00
Gustavo Zacarias
d50477b52b webkitgtk: security bump to version 2.12.4
Fixes:
CVE-2016-4590 - mishandles about: URLs, which allows remote attackers to
bypass the Same Origin Policy via a crafted web site.

CVE-2016-4591 - mishandles the location variable, which allows remote
attackers to access the local filesystem via unspecified vectors.

CVE-2016-4622 - allows remote attackers to execute arbitrary code or
cause a denial of service (memory corruption) via a crafted web site, a
different vulnerability than CVE-2016-4589, CVE-2016-4623, and
CVE-2016-4624.

CVE-2016-4624 - allows remote attackers to execute arbitrary code or
cause a denial of service (memory corruption) via a crafted web site, a
different vulnerability than CVE-2016-4589, CVE-2016-4622, and
CVE-2016-4623.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-08-28 15:50:33 +02:00
Gustavo Zacarias
9b429a90fa webkitgtk: security bump to version 2.12.3
Fixes:
CVE-2016-1856 - allows remote attackers to execute arbitrary code or
cause a denial of service (memory corruption) via a crafted web site
CVE-2016-1857 - allows remote attackers to execute arbitrary code or
cause a denial of service (memory corruption) via a crafted web site

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2016-05-24 21:48:13 +02:00
Gustavo Zacarias
1f5bb44544 webkitgtk: new package
Add the latest 2.12.x upstream stable branch.

Both 2.4.x and 2.12.x can live side-by-side, however only the latest
stable branch/releases are security-maintained, so add it unslotted.

Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
2016-04-30 19:08:14 +02:00