On Wed, 8 Sep 2010 13:48:10 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
* [2010-09-08 11:08:13 -0600] Kevin Fenzi wrote:
>On Thu, 2 Sep 2010 21:05:16 -0600
>Vincent Danen <vdanen(a)redhat.com> wrote:
>
>> Yup, that would be the one. I would wait for it. I'm hoping that
>> tomorrow I can get the details that I have left to upstream to roll
>> the 1.2.4 release possibly this weekend or early next week.
>
>ok. 1.2.4 is out.
>
>I will whip up a build later today for f13/f12. ;)
>
>Can you confirm that the bugs/cve's it fixes are:
>
>+* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
>+- Update to 1.2.4.
>+- Fixes: CVE-2010-1766 CVE-2010-1772 CVE-2010-1773
>+- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
>+- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
>+- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
>+- Fixes bugs: 606303 606304 615728 615729 631583
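Review bot: the first Fixes line attributes CVE-2010-1766, CVE-2010-1772 and CVE-2010-1773 to the 1.2.4 update, but the 1.2.4 section of the NEWS file quoted in this thread does not list them (CVE-2010-1772 and CVE-2010-1773 appear under 1.2.3 there, and CVE-2010-1766 under neither). If the entry is meant to cover more than one upstream release, group the Fixes lines under the release that carries each fix so the list can be checked against NEWS section by section.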
The NEWS file indicates the following:
What's new in WebKitGTK+ 1.2.4?
- New stable release, API and ABI compatible with previous 1.2.x
versions;
- The patches to fix the following CVEs are included with help from
Vincent Danen and other members of the Red Hat security team:
CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
What's new in WebKitGTK+ 1.2.3?
- New stable release, API and ABI compatible with previous 1.2.x
versions;
- Includes a fix to build WebKit with ICU 4.4.1
- The patches to fix the following CVEs are included, thanks to the
work done by Michael Gilbert <michael.s.gilbert(a)gmail.com> for
the Debian security team:
CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
CVE-2010-1772 CVE-2010-1773 CVE-2010-1774
Update: CVE-2010-2264 was also addressed in this release, but
failed to be listed at release time.
So you're missing a boatload of CVEs.
Fun. ;(
CVE-2010-1766 isn't listed and looking at MITRE's description, it was
fixed in r56380 but 1.2.0 is based on r56916 so isn't applicable.
That's my fault tho, I'm cleaning up bug 606304 to remove that CVE and
put a note in the top-level bug.
ok.
So, now I have:
* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
- Update to 1.2.4 which fixes:
- Fixes: CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
- Fixes: CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
- Fixes: CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
- Fixes: CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
- Fixes: CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
- Fixes: CVE-2010-1772 CVE-2010-1773 CVE-2010-1774
- Update to 1.2.3 which fixes:
- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
- Fixes bugs: 606303 606304 615728 615729 631583 631948 631946 631942
- Fixes bugs: 631939
Look right?
>I still don't see a 1.3.4 yet, so I guess f14/rawhide will wait a bit
>more.
I don't know what the plan with the unstable 1.3.x series is.
Right. Will wait a bit more, but might push a 1.3.3 in a few days if .4
doesn't show.
Thanks for helping sort this update out. ;(
kevin
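
The cross-check done by hand in this thread (changelog CVE list against the upstream NEWS sections for every release the update spans) can be scripted. This is an added example, not code from the thread or from either project; the function names are hypothetical, and the sample NEWS and draft texts are abridged excerpts constructed from identifiers quoted above.

```python
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
HEADER_RE = re.compile(r"^What's new in WebKitGTK\+ (\S+?)\?\s*$")

# Constructed, abridged NEWS excerpt (ids taken from the thread).
NEWS = """\
What's new in WebKitGTK+ 1.2.4?
  - The patches to fix the following CVEs are included:
    CVE-2010-1781 CVE-2010-1782 CVE-2010-2648
What's new in WebKitGTK+ 1.2.3?
  - The patches to fix the following CVEs are included:
    CVE-2010-1772 CVE-2010-1773 CVE-2010-1774
"""
# Constructed, abridged changelog draft (ids taken from the thread).
DRAFT = """\
- Update to 1.2.4.
- Fixes: CVE-2010-1766 CVE-2010-1772 CVE-2010-1773
- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-2648
"""

def cves_by_release(news_text):
    """Map each release header in a NEWS file to the CVE ids listed under it."""
    releases, current = {}, None
    for line in news_text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            current = m.group(1)
            releases[current] = set()
        elif current is not None:
            releases[current].update(CVE_RE.findall(line))
    return releases

def audit_changelog(news_text, changelog_text, versions):
    """Compare CVEs claimed in a changelog entry with NEWS for the given releases."""
    per_release = cves_by_release(news_text)
    expected = set().union(*(per_release.get(v, set()) for v in versions))
    claimed = set(CVE_RE.findall(changelog_text))
    return {
        "missing": sorted(expected - claimed),            # upstream fixed, changelog omits
        "unlisted_upstream": sorted(claimed - expected),  # changelog claims, NEWS lacks
    }

if __name__ == "__main__":
    # The update spans both upstream releases, so audit against both sections.
    print(audit_changelog(NEWS, DRAFT, ["1.2.3", "1.2.4"]))
```

An id reported as `unlisted_upstream` still needs a manual look, as with CVE-2010-1766 above, since it may have been fixed before the packaged baseline.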