* [2010-09-08 14:44:57 -0600] Kevin Fenzi wrote:
On Wed, 8 Sep 2010 13:48:10 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
> * [2010-09-08 11:08:13 -0600] Kevin Fenzi wrote:
>
> >On Thu, 2 Sep 2010 21:05:16 -0600
> >Vincent Danen <vdanen(a)redhat.com> wrote:
> >
> >> Yup, that would be the one. I would wait for it. I'm hoping that
> >> tomorrow I can get the details that I have left to upstream to roll
> >> the 1.2.4 release possibly this weekend or early next week.
> >
> >ok. 1.2.4 is out.
> >
> >I will whip up a build later today for f13/f12. ;)
> >
> >Can you confirm that the bugs/cve's it fixes are:
> >
> >+* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
> >+- Update to 1.2.4.
> >+- Fixes: CVE-2010-1766 CVE-2010-1772 CVE-2010-1773
> >+- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
> >+- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
> >+- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
> >+- Fixes bugs: 606303 606304 615728 615729 631583
>
> The NEWS file indicates the following:
>
>
> What's new in WebKitGTK+ 1.2.4?
>
> - New stable release, API and ABI compatible with previous 1.2.x
> versions;
> - The patches to fix the following CVEs are included with help from
> Vincent Danen and other members of the Red Hat security team:
>
> CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
> CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
> CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
>
> What's new in WebKitGTK+ 1.2.3?
>
> - New stable release, API and ABI compatible with previous 1.2.x
> versions;
> - Includes a fix to build WebKit with ICU 4.4.1
> - The patches to fix the following CVEs are included, thanks to the
> work done by Michael Gilbert <michael.s.gilbert(a)gmail.com> for
> the Debian security team:
>
> CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
> CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
> CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
> CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
> CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
> CVE-2010-1772 CVE-2010-1773 CVE-2010-1774
>
> Update: CVE-2010-2264 was also addressed in this release, but
> failed to be listed at release time.
>
> So you're missing a boatload of CVEs.
Fun. ;(
And you almost have it...
> CVE-2010-1766 isn't listed and looking at MITRE's
description, it was
> fixed in r56380 but 1.2.0 is based on r56916 so isn't applicable.
> That's my fault tho, I'm cleaning up vug 606304 to remove that CVE and
> put a note in the top-level bug.
ok.
So, now I have:
* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
- Update to 1.2.4 which fixes:
These CVEs are fixed in 1.2.3.
- Fixes: CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
- Fixes: CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
- Fixes: CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
- Fixes: CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
- Fixes: CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
- Fixes: CVE-2010-1772 CVE-2010-1773 CVE-2010-1774
Also add CVE-2010-2264 here.
- Update to 1.2.3 which fixes:
And these CVEs are fixed in 1.2.4.
- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
s/CVE-2010-1781/CVE-2010/1780/; that was a typo upstream.
- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
- Fixes bugs: 606303 606304 615728 615729 631583 631948 631946 631942
- Fixes bugs: 631939
Look right?
Almost. =)
> >I still don't see a 1.3.4 yet, so I guess f14/rawhide
will wait a bit
> >more.
>
> I don't know what the plan with the unstable 1.3.x series is.
Right. Will wait a bit more, but might push a 1.3.3 in a few days if .4
doesn't show.
Thanks for helping sort this update out. ;(
You're welcome. =)
--
Vincent Danen / Red Hat Security Response Team