Security update for webkit2gtk3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:0646-1 Final 1 1 2020-05-10T18:17:16Z current 2020-05-10T18:17:16Z 2020-05-10T18:17:16Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for webkit2gtk3 This update for webkit2gtk3 fixes the following issues: Security issue fixed: - CVE-2020-3899: Fixed a memory consumption issue that could have led to remote code execution (bsc#1170643). Non-security issues fixed: - Update to version 2.28.2 (bsc#1170643): + Fix excessive CPU usage due to GdkFrameClock not being stopped. + Fix UI process crash when EGL_WL_bind_wayland_display extension is not available. + Fix position of select popup menus in X11. + Fix playing of Youtube 'live stream'/H264 URLs. + Fix a crash under X11 when cairo uses xcb. + Fix several crashes and rendering issues. This update was imported from the SUSE:SLE-15:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-646 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WGCT2IKPMMBWAIPGXTCQMWSCAIVC5NV5/ E-Mail link for openSUSE-SU-2020:0646-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1170643 SUSE Bug 1170643 https://www.suse.com/security/cve/CVE-2020-3899/ SUSE CVE CVE-2020-3899 page openSUSE Leap 15.1 libjavascriptcoregtk-4_0-18-2.28.2-lp151.2.18.1 libjavascriptcoregtk-4_0-18-32bit-2.28.2-lp151.2.18.1 libwebkit2gtk-4_0-37-2.28.2-lp151.2.18.1 libwebkit2gtk-4_0-37-32bit-2.28.2-lp151.2.18.1 libwebkit2gtk3-lang-2.28.2-lp151.2.18.1 typelib-1_0-JavaScriptCore-4_0-2.28.2-lp151.2.18.1 typelib-1_0-WebKit2-4_0-2.28.2-lp151.2.18.1 typelib-1_0-WebKit2WebExtension-4_0-2.28.2-lp151.2.18.1 webkit-jsc-4-2.28.2-lp151.2.18.1 webkit2gtk-4_0-injected-bundles-2.28.2-lp151.2.18.1 webkit2gtk3-devel-2.28.2-lp151.2.18.1 webkit2gtk3-minibrowser-2.28.2-lp151.2.18.1 libjavascriptcoregtk-4_0-18-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 libjavascriptcoregtk-4_0-18-32bit-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 libwebkit2gtk-4_0-37-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 libwebkit2gtk-4_0-37-32bit-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 libwebkit2gtk3-lang-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 typelib-1_0-JavaScriptCore-4_0-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 typelib-1_0-WebKit2-4_0-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 typelib-1_0-WebKit2WebExtension-4_0-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 webkit-jsc-4-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 webkit2gtk-4_0-injected-bundles-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 webkit2gtk3-devel-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 webkit2gtk3-minibrowser-2.28.2-lp151.2.18.1 as a component of openSUSE Leap 15.1 A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A remote attacker may be able to cause arbitrary code execution. CVE-2020-3899 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:libjavascriptcoregtk-4_0-18-32bit-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:libwebkit2gtk-4_0-37-32bit-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:libwebkit2gtk3-lang-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:typelib-1_0-JavaScriptCore-4_0-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:typelib-1_0-WebKit2-4_0-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:typelib-1_0-WebKit2WebExtension-4_0-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:webkit-jsc-4-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:webkit2gtk-4_0-injected-bundles-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:webkit2gtk3-devel-2.28.2-lp151.2.18.1 openSUSE Leap 15.1:webkit2gtk3-minibrowser-2.28.2-lp151.2.18.1 important 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WGCT2IKPMMBWAIPGXTCQMWSCAIVC5NV5/ https://www.suse.com/security/cve/CVE-2020-3899.html CVE-2020-3899 https://bugzilla.suse.com/1170643 SUSE Bug 1170643