4:07 p.m.
Greetings.
I mailed pgordon a while back and have not yet heard anything back. ;(
Would anyone object to me updating webkitgtk to fix the current pending
security issues?
Currently we have:
f12: 1.2.0
f13: 1.2.0
f14: 1.3.2
rawhide: 1.3.2
I'd like to update f12/f13 to 1.2.3 and the others I guess to 1.3.3.
Not sure why we moved f14/devel to the development stream, does anyone
know?
I'd like to do this soon as it's been way too long already... but I can
hold off if there is a good reason. (ie, if a newer release is just
about to happen upstream or something).
Thoughts?
kevin
4:17 p.m.
* [2010-09-02 15:07:10 -0600] Kevin Fenzi wrote:
Greetings.
I mailed pgordon a while back and have not yet heard anything back. ;(
Would anyone object to me updating webkitgtk to fix the current pending
security issues?
Currently we have:
f12: 1.2.0
f13: 1.2.0
f14: 1.3.2
rawhide: 1.3.2
I'd like to update f12/f13 to 1.2.3 and the others I guess to 1.3.3.
Not sure why we moved f14/devel to the development stream, does anyone
know?
I'd like to do this soon as it's been way too long already... but I can
hold off if there is a good reason. (ie, if a newer release is just
about to happen upstream or something).
Thoughts?
There should be a new upstream release in the next week or two as soon
as we get a few things straightened out. I was hoping to have that done
last week, but a few other things got in the way and I think upstream is
waiting on some analysis from me. You _could_ do it now, but I think
waiting a week or two would be better (a lot of fixes will be in 1.2.4).
For f14/rawhide you might as well upgrade, I'm not sure what is
happening upstream there.
--
Vincent Danen / Red Hat Security Response Team
4:57 p.m.
On Thu, 2 Sep 2010 15:17:16 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
There should be a new upstream release in the next week or two as
soon
as we get a few things straightened out. I was hoping to have that
done last week, but a few other things got in the way and I think
upstream is waiting on some analysis from me. You _could_ do it now,
but I think waiting a week or two would be better (a lot of fixes
will be in 1.2.4).
ok. Sounds good.
For f14/rawhide you might as well upgrade, I'm not sure what is
happening upstream there.
Looks like there is a 1.3.4 prepping to release soon too:
2010-08-31 Gustavo Noronha Silva <gustavo.noronha(a)collabora.co.uk>
...snip...
Preparations for the 1.3.4 release. Bump webkit version to 543.7,
as well.
So, I might as well wait for that.
kevin
10:05 p.m.
* [2010-09-02 15:57:36 -0600] Kevin Fenzi wrote:
On Thu, 2 Sep 2010 15:17:16 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
> There should be a new upstream release in the next week or two as soon
> as we get a few things straightened out. I was hoping to have that
> done last week, but a few other things got in the way and I think
> upstream is waiting on some analysis from me. You _could_ do it now,
> but I think waiting a week or two would be better (a lot of fixes
> will be in 1.2.4).
ok. Sounds good.
> For f14/rawhide you might as well upgrade, I'm not sure what is
> happening upstream there.
Looks like there is a 1.3.4 prepping to release soon too:
2010-08-31 Gustavo Noronha Silva <gustavo.noronha(a)collabora.co.uk>
...snip...
Preparations for the 1.3.4 release. Bump webkit version to 543.7,
as well.
So, I might as well wait for that.
Yup, that would be the one. I would wait for it. I'm hoping that
tomorrow I can get the details that I have left to upstream to roll the
1.2.4 release possibly this weekend or early next week.
--
Vincent Danen / Red Hat Security Response Team
12:08 p.m.
On Thu, 2 Sep 2010 21:05:16 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
Yup, that would be the one. I would wait for it. I'm hoping
that
tomorrow I can get the details that I have left to upstream to roll
the 1.2.4 release possibly this weekend or early next week.
ok. 1.2.4 is out.
I will whip up a build later today for f13/f12. ;)
Can you confirm that the bugs/cve's it fixes are:
+* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
+- Update to 1.2.4.
+- Fixes: CVE-2010-1766 CVE-2010-1772 CVE-2010-1773
+- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
+- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
+- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
+- Fixes bugs: 606303 606304 615728 615729 631583
I still don't see a 1.3.4 yet, so I guess f14/rawhide will wait a bit
more.
kevin
2:48 p.m.
* [2010-09-08 11:08:13 -0600] Kevin Fenzi wrote:
On Thu, 2 Sep 2010 21:05:16 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
> Yup, that would be the one. I would wait for it. I'm hoping that
> tomorrow I can get the details that I have left to upstream to roll
> the 1.2.4 release possibly this weekend or early next week.
ok. 1.2.4 is out.
I will whip up a build later today for f13/f12. ;)
Can you confirm that the bugs/cve's it fixes are:
+* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
+- Update to 1.2.4.
+- Fixes: CVE-2010-1766 CVE-2010-1772 CVE-2010-1773
+- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
+- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
+- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
+- Fixes bugs: 606303 606304 615728 615729 631583
The NEWS file indicates the following:
What's new in WebKitGTK+ 1.2.4?
- New stable release, API and ABI compatible with previous 1.2.x
versions;
- The patches to fix the following CVEs are included with help from
Vincent Danen and other members of the Red Hat security team:
CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
What's new in WebKitGTK+ 1.2.3?
- New stable release, API and ABI compatible with previous 1.2.x
versions;
- Includes a fix to build WebKit with ICU 4.4.1
- The patches to fix the following CVEs are included, thanks to the
work done by Michael Gilbert <michael.s.gilbert(a)gmail.com> for the
Debian security team:
CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
CVE-2010-1772 CVE-2010-1773 CVE-2010-1774
Update: CVE-2010-2264 was also addressed in this release, but
failed to be listed at release time.
So you're missing a boatload of CVEs.
CVE-2010-1766 isn't listed and looking at MITRE's description, it was
fixed in r56380 but 1.2.0 is based on r56916 so isn't applicable.
That's my fault tho, I'm cleaning up vug 606304 to remove that CVE and
put a note in the top-level bug.
I still don't see a 1.3.4 yet, so I guess f14/rawhide will wait a
bit
more.
I don't know what the plan with the unstable 1.3.x series is.
--
Vincent Danen / Red Hat Security Response Team
3:44 p.m.
On Wed, 8 Sep 2010 13:48:10 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
* [2010-09-08 11:08:13 -0600] Kevin Fenzi wrote:
>On Thu, 2 Sep 2010 21:05:16 -0600
>Vincent Danen <vdanen(a)redhat.com> wrote:
>
>> Yup, that would be the one. I would wait for it. I'm hoping that
>> tomorrow I can get the details that I have left to upstream to roll
>> the 1.2.4 release possibly this weekend or early next week.
>
>ok. 1.2.4 is out.
>
>I will whip up a build later today for f13/f12. ;)
>
>Can you confirm that the bugs/cve's it fixes are:
>
>+* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
>+- Update to 1.2.4.
>+- Fixes: CVE-2010-1766 CVE-2010-1772 CVE-2010-1773
>+- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
>+- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
>+- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
>+- Fixes bugs: 606303 606304 615728 615729 631583
The NEWS file indicates the following:
What's new in WebKitGTK+ 1.2.4?
- New stable release, API and ABI compatible with previous 1.2.x
versions;
- The patches to fix the following CVEs are included with help from
Vincent Danen and other members of the Red Hat security team:
CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
What's new in WebKitGTK+ 1.2.3?
- New stable release, API and ABI compatible with previous 1.2.x
versions;
- Includes a fix to build WebKit with ICU 4.4.1
- The patches to fix the following CVEs are included, thanks to the
work done by Michael Gilbert <michael.s.gilbert(a)gmail.com> for
the Debian security team:
CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
CVE-2010-1772 CVE-2010-1773 CVE-2010-1774
Update: CVE-2010-2264 was also addressed in this release, but
failed to be listed at release time.
So you're missing a boatload of CVEs.
Fun. ;(
CVE-2010-1766 isn't listed and looking at MITRE's
description, it was
fixed in r56380 but 1.2.0 is based on r56916 so isn't applicable.
That's my fault tho, I'm cleaning up vug 606304 to remove that CVE and
put a note in the top-level bug.
ok.
So, now I have:
* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
- Update to 1.2.4 which fixes:
- Fixes: CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
- Fixes: CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
- Fixes: CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
- Fixes: CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
- Fixes: CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
- Fixes: CVE-2010-1772 CVE-2010-1773 CVE-2010-1774
- Update to 1.2.3 which fixes:
- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
- Fixes bugs: 606303 606304 615728 615729 631583 631948 631946 631942
- Fixes bugs: 631939
Look right?
>I still don't see a 1.3.4 yet, so I guess f14/rawhide will
wait a bit
>more.
I don't know what the plan with the unstable 1.3.x series is.
Right. Will wait a bit more, but might push a 1.3.3 in a few days if .4
doesn't show.
Thanks for helping sort this update out. ;(
kevin
5:38 p.m.
* [2010-09-08 14:44:57 -0600] Kevin Fenzi wrote:
On Wed, 8 Sep 2010 13:48:10 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
> * [2010-09-08 11:08:13 -0600] Kevin Fenzi wrote:
>
> >On Thu, 2 Sep 2010 21:05:16 -0600
> >Vincent Danen <vdanen(a)redhat.com> wrote:
> >
> >> Yup, that would be the one. I would wait for it. I'm hoping that
> >> tomorrow I can get the details that I have left to upstream to roll
> >> the 1.2.4 release possibly this weekend or early next week.
> >
> >ok. 1.2.4 is out.
> >
> >I will whip up a build later today for f13/f12. ;)
> >
> >Can you confirm that the bugs/cve's it fixes are:
> >
> >+* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
> >+- Update to 1.2.4.
> >+- Fixes: CVE-2010-1766 CVE-2010-1772 CVE-2010-1773
> >+- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
> >+- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
> >+- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
> >+- Fixes bugs: 606303 606304 615728 615729 631583
>
> The NEWS file indicates the following:
>
>
> What's new in WebKitGTK+ 1.2.4?
>
> - New stable release, API and ABI compatible with previous 1.2.x
> versions;
> - The patches to fix the following CVEs are included with help from
> Vincent Danen and other members of the Red Hat security team:
>
> CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
> CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
> CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
>
> What's new in WebKitGTK+ 1.2.3?
>
> - New stable release, API and ABI compatible with previous 1.2.x
> versions;
> - Includes a fix to build WebKit with ICU 4.4.1
> - The patches to fix the following CVEs are included, thanks to the
> work done by Michael Gilbert <michael.s.gilbert(a)gmail.com> for
> the Debian security team:
>
> CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
> CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
> CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
> CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
> CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
> CVE-2010-1772 CVE-2010-1773 CVE-2010-1774
>
> Update: CVE-2010-2264 was also addressed in this release, but
> failed to be listed at release time.
>
> So you're missing a boatload of CVEs.
Fun. ;(
And you almost have it...
> CVE-2010-1766 isn't listed and looking at MITRE's
description, it was
> fixed in r56380 but 1.2.0 is based on r56916 so isn't applicable.
> That's my fault tho, I'm cleaning up vug 606304 to remove that CVE and
> put a note in the top-level bug.
ok.
So, now I have:
* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
- Update to 1.2.4 which fixes:
These CVEs are fixed in 1.2.3.
- Fixes: CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
- Fixes: CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
- Fixes: CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
- Fixes: CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
- Fixes: CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
- Fixes: CVE-2010-1772 CVE-2010-1773 CVE-2010-1774
Also add CVE-2010-2264 here.
- Update to 1.2.3 which fixes:
And these CVEs are fixed in 1.2.4.
- Fixes: CVE-2010-1781 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
s/CVE-2010-1781/CVE-2010/1780/; that was a typo upstream.
- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
- Fixes bugs: 606303 606304 615728 615729 631583 631948 631946 631942
- Fixes bugs: 631939
Look right?
Almost. =)
> >I still don't see a 1.3.4 yet, so I guess f14/rawhide
will wait a bit
> >more.
>
> I don't know what the plan with the unstable 1.3.x series is.
Right. Will wait a bit more, but might push a 1.3.3 in a few days if .4
doesn't show.
Thanks for helping sort this update out. ;(
You're welcome. =)
--
Vincent Danen / Red Hat Security Response Team
5:42 p.m.
ok.
I now have:
* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
- Update to 1.2.4 which fixes:
- Fixes: CVE-2010-1780 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
- Update to 1.2.3 which fixes:
- Fixes: CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
- Fixes: CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
- Fixes: CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
- Fixes: CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
- Fixes: CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
- Fixes: CVE-2010-1772 CVE-2010-1773 CVE-2010-1774 CVE-2010-2264
- Fixes bugs: 606303 606304 615728 615729 631583 631948 631946 631942
- Fixes bugs: 631939
Sorry for swapping the .4 and .3 entries there. ;(
I think I have all the bugzilla bugs too, but another quick check would
be good.
kevin
8:08 p.m.
* [2010-09-08 16:42:34 -0600] Kevin Fenzi wrote:
ok.
I now have:
* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
- Update to 1.2.4 which fixes:
- Fixes: CVE-2010-1780 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
- Update to 1.2.3 which fixes:
- Fixes: CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
- Fixes: CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
- Fixes: CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
- Fixes: CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
- Fixes: CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
- Fixes: CVE-2010-1772 CVE-2010-1773 CVE-2010-1774 CVE-2010-2264
Everything before this looks correct.
- Fixes bugs: 606303 606304 615728 615729 631583 631948 631946 631942
- Fixes bugs: 631939
Remove 631948, 631946, 631942, and 631949 - those issues are not yet
corrected upstream (they're corrected in webkit svn, but not in
webkitgtk). They'll be fixed in 1.2.5 I think (as a hint, the CVE names
they reference (CVE-2010-18*) are nowhere in the above list).
Sorry for swapping the .4 and .3 entries there. ;(
I think I have all the bugzilla bugs too, but another quick check would
be good.
Once those four bugs are removed, I think it's good. =)
--
Vincent Danen / Red Hat Security Response Team
10:21 p.m.
On Wed, 8 Sep 2010 19:08:39 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
* [2010-09-08 16:42:34 -0600] Kevin Fenzi wrote:
>ok.
>
>I now have:
>
>* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
>- Update to 1.2.4 which fixes:
>- Fixes: CVE-2010-1780 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
>- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
>- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
>- Update to 1.2.3 which fixes:
>- Fixes: CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
>- Fixes: CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
>- Fixes: CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
>- Fixes: CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
>- Fixes: CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
>- Fixes: CVE-2010-1772 CVE-2010-1773 CVE-2010-1774 CVE-2010-2264
Everything before this looks correct.
>- Fixes bugs: 606303 606304 615728 615729 631583 631948 631946 631942
>- Fixes bugs: 631939
Remove 631948, 631946, 631942, and 631949 - those issues are not yet
corrected upstream (they're corrected in webkit svn, but not in
webkitgtk). They'll be fixed in 1.2.5 I think (as a hint, the CVE
names they reference (CVE-2010-18*) are nowhere in the above list).
Ah yes, it's been a crazy day. :(
Sorry about that.
Once those four bugs are removed, I think it's good. =)
ok. Will push the updates now.
Thanks.
kevin
10:45 p.m.
* [2010-09-08 21:21:48 -0600] Kevin Fenzi wrote:
On Wed, 8 Sep 2010 19:08:39 -0600
Vincent Danen <vdanen(a)redhat.com> wrote:
> * [2010-09-08 16:42:34 -0600] Kevin Fenzi wrote:
>
> >ok.
> >
> >I now have:
> >
> >* Wed Sep 08 2010 Kevin Fenzi <kevin(a)tummy.com> - 1.2.4-1
> >- Update to 1.2.4 which fixes:
> >- Fixes: CVE-2010-1780 CVE-2010-1782 CVE-2010-1784 CVE-2010-1785
> >- Fixes: CVE-2010-1786 CVE-2010-1787 CVE-2010-1788 CVE-2010-1790
> >- Fixes: CVE-2010-1792 CVE-2010-1793 CVE-2010-2648
> >- Update to 1.2.3 which fixes:
> >- Fixes: CVE-2010-1386 CVE-2010-1392 CVE-2010-1405 CVE-2010-1407
> >- Fixes: CVE-2010-1416 CVE-2010-1417 CVE-2010-1665 CVE-2010-1418
> >- Fixes: CVE-2010-1421 CVE-2010-1422 CVE-2010-1501 CVE-2010-1767
> >- Fixes: CVE-2010-1664 CVE-2010-1758 CVE-2010-1759 CVE-2010-1760
> >- Fixes: CVE-2010-1761 CVE-2010-1762 CVE-2010-1770 CVE-2010-1771
> >- Fixes: CVE-2010-1772 CVE-2010-1773 CVE-2010-1774 CVE-2010-2264
>
> Everything before this looks correct.
>
> >- Fixes bugs: 606303 606304 615728 615729 631583 631948 631946 631942
> >- Fixes bugs: 631939
>
> Remove 631948, 631946, 631942, and 631949 - those issues are not yet
> corrected upstream (they're corrected in webkit svn, but not in
> webkitgtk). They'll be fixed in 1.2.5 I think (as a hint, the CVE
> names they reference (CVE-2010-18*) are nowhere in the above list).
Ah yes, it's been a crazy day. :(
Sorry about that.
No worries. I've had my fair share of webkit today too. Enough to
drive anyone crazy. =)
> Once those four bugs are removed, I think it's good. =)
ok. Will push the updates now.
Thanks.
You're welcome. Thanks for being on top of it. =)
--
Vincent Danen / Red Hat Security Response Team
5:52 p.m.
On Thu, 2010-09-02 at 15:07 -0600, Kevin Fenzi wrote:
Greetings.
I mailed pgordon a while back and have not yet heard anything back. ;(
Would anyone object to me updating webkitgtk to fix the current pending
security issues?
Currently we have:
f12: 1.2.0
f13: 1.2.0
f14: 1.3.2
rawhide: 1.3.2
I'd like to update f12/f13 to 1.2.3 and the others I guess to 1.3.3.
Sounds good, thanks.
Not sure why we moved f14/devel to the development stream, does
anyone
know?
This probably happened because I needed the 1.3 stream to build
webkitgtk3, back when we were still aiming for GNOME3 in F14.
4971
days inactive
4978
days old
webkit@lists.fedoraproject.org
12 comments
3 participants
participants (3)
-
Kevin Fenzi -
Matthias Clasen -
Vincent Danen