-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- -------------------------------------------------------------------------
Debian Security Advisory DSA-5468-1                   security@debian.org
https://www.debian.org/security/                           Alberto Garcia
August 05, 2023                       https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : webkit2gtk
CVE ID         : CVE-2023-38133 CVE-2023-38572 CVE-2023-38592 CVE-2023-38594
                 CVE-2023-38595 CVE-2023-38597 CVE-2023-38599 CVE-2023-38600
                 CVE-2023-38611

The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2023-38133

    YeongHyeon Choi discovered that processing web content may
    disclose sensitive information.

CVE-2023-38572

    Narendra Bhati discovered that a website may be able to bypass the
    Same Origin Policy.

CVE-2023-38592

    Narendra Bhati, Valentino Dalla Valle, Pedro Bernardo, Marco
    Squarcina, and Lorenzo Veronese discovered that processing web
    content may lead to arbitrary code execution.

CVE-2023-38594

    Yuhao Hu discovered that processing web content may lead to
    arbitrary code execution.

CVE-2023-38595

    An anonymous researcher, Jiming Wang, and Jikai Ren discovered
    that processing web content may lead to arbitrary code execution.

CVE-2023-38597

    Junsung Lee discovered that processing web content may lead to
    arbitrary code execution.

CVE-2023-38599

    Hritvik Taneja, Jason Kim, Jie Jeff Xu, Stephan van Schaik, Daniel
    Genkin, and Yuval Yarom discovered that a website may be able to
    track sensitive user information.

CVE-2023-38600

    An anonymous researcher discovered that processing web content may
    lead to arbitrary code execution.

CVE-2023-38611

    Francisco Alonso discovered that processing web content may lead
    to arbitrary code execution.

For the oldstable distribution (bullseye), these problems have been fixed
in version 2.40.5-1~deb11u1.

For the stable distribution (bookworm), these problems have been fixed in
version 2.40.5-1~deb12u1.

We recommend that you upgrade your webkit2gtk packages.

For the detailed security status of webkit2gtk please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/webkit2gtk

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEYrwugQBKzlHMYFizAAyEYu0C2AIFAmTOj+AACgkQAAyEYu0C
2AK4hw/+IqYa65blruup8jZigzY38U60+U+yzSa1MTtV04Nfv5UUMHw/AuSDi/ap
U5Vcee/oAb8pFeaZFODPY4k6vHUSjc4iL21zG4X0nYvNL7S9KZOS8TlxLVbbDElu
VLv3La7yB++vzv64DdU/ZuRkbuqowImesSxV8PFMaeJCWzMGX1Ck4jqqOPewmOAl
EEc9sFQHavZIdsC7kYGYcJi5UDgHUdG7K1JwKmDyQ+cW4CiTHIpGshpBnOyz7Kx9
AxTMscAqkigJznjY5kzWe5koFzZY7WTGmxmy7fjepEzB/Zdbl2+FRgFl3UHrd6kj
90blbnyTT6C+/PXkMR8dbeC2y7yTWZoeyyedRu2m700IdZVR19DKCwNj2TaFXD28
GKLe7fYKusyvPx63JVmHk6p9wokInOyimn+4Ldwv6q2CUAMXOLpia9hEjljrE1nj
CNbgyJFsgJTbW069GhkABySNKeQbFd4OCZxemb6jcJsXn3pRWoK/32B8tu/srzJo
OtdcuHC2TEyQS1EzgzJ25WrvcGkgTaz0eoemcXMdvp31xqWpmJEJoQ95Q/lwskq3
5e0mOH3AabSDVioImrBNtjnDcPP7Sy8Mq70pv+qx6fQZZnnFUD7YLr8D4KcayUSP
8M6hBjOj1qAJnXb2N2Cw2YRwYhcsFXQ9d7qbC7C03bEFIsSIx0A=VbdY
-----END PGP SIGNATURE-----