Security update for webkit2gtk3 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2021:1369-1 Final 1 1 2021-10-18T12:13:24Z current 2021-10-18T12:13:24Z 2021-10-18T12:13:24Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for webkit2gtk3 This update for webkit2gtk3 fixes the following issues: - Update to version 2.32.4 - CVE-2021-30858: Fixed a security bug that could allow maliciously crafted web content to achieve arbitrary code execution. (bsc#1190701) - CVE-2021-21806: Fixed an exploitable use-after-free vulnerability via specially crafted HTML web page. (bsc#1188697) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2021-1369 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X4HF2CMDLYL7MPNIXI64QMEMC75KZUZA/ E-Mail link for openSUSE-SU-2021:1369-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1188697 SUSE Bug 1188697 https://bugzilla.suse.com/1190701 SUSE Bug 1190701 https://www.suse.com/security/cve/CVE-2021-21806/ SUSE CVE CVE-2021-21806 page https://www.suse.com/security/cve/CVE-2021-30858/ SUSE CVE CVE-2021-30858 page openSUSE Leap 15.2 libjavascriptcoregtk-4_0-18-2.32.4-lp152.2.19.1 libjavascriptcoregtk-4_0-18-32bit-2.32.4-lp152.2.19.1 libwebkit2gtk-4_0-37-2.32.4-lp152.2.19.1 libwebkit2gtk-4_0-37-32bit-2.32.4-lp152.2.19.1 libwebkit2gtk3-lang-2.32.4-lp152.2.19.1 typelib-1_0-JavaScriptCore-4_0-2.32.4-lp152.2.19.1 typelib-1_0-WebKit2-4_0-2.32.4-lp152.2.19.1 typelib-1_0-WebKit2WebExtension-4_0-2.32.4-lp152.2.19.1 webkit-jsc-4-2.32.4-lp152.2.19.1 webkit2gtk-4_0-injected-bundles-2.32.4-lp152.2.19.1 webkit2gtk3-devel-2.32.4-lp152.2.19.1 webkit2gtk3-minibrowser-2.32.4-lp152.2.19.1 libjavascriptcoregtk-4_0-18-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 libjavascriptcoregtk-4_0-18-32bit-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 libwebkit2gtk-4_0-37-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 libwebkit2gtk-4_0-37-32bit-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 libwebkit2gtk3-lang-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 typelib-1_0-JavaScriptCore-4_0-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 typelib-1_0-WebKit2-4_0-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 typelib-1_0-WebKit2WebExtension-4_0-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 webkit-jsc-4-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 webkit2gtk-4_0-injected-bundles-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 webkit2gtk3-devel-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 webkit2gtk3-minibrowser-2.32.4-lp152.2.19.1 as a component of openSUSE Leap 15.2 An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.3 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability. CVE-2021-21806 openSUSE Leap 15.2:libjavascriptcoregtk-4_0-18-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:libjavascriptcoregtk-4_0-18-32bit-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:libwebkit2gtk-4_0-37-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:libwebkit2gtk-4_0-37-32bit-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:libwebkit2gtk3-lang-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:typelib-1_0-JavaScriptCore-4_0-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:typelib-1_0-WebKit2-4_0-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:typelib-1_0-WebKit2WebExtension-4_0-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:webkit-jsc-4-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:webkit2gtk-4_0-injected-bundles-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:webkit2gtk3-devel-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:webkit2gtk3-minibrowser-2.32.4-lp152.2.19.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X4HF2CMDLYL7MPNIXI64QMEMC75KZUZA/ https://www.suse.com/security/cve/CVE-2021-21806.html CVE-2021-21806 https://bugzilla.suse.com/1188294 SUSE Bug 1188294 https://bugzilla.suse.com/1188697 SUSE Bug 1188697 A use after free issue was addressed with improved memory management. This issue is fixed in iOS 14.8 and iPadOS 14.8, macOS Big Sur 11.6. Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited. CVE-2021-30858 openSUSE Leap 15.2:libjavascriptcoregtk-4_0-18-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:libjavascriptcoregtk-4_0-18-32bit-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:libwebkit2gtk-4_0-37-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:libwebkit2gtk-4_0-37-32bit-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:libwebkit2gtk3-lang-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:typelib-1_0-JavaScriptCore-4_0-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:typelib-1_0-WebKit2-4_0-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:typelib-1_0-WebKit2WebExtension-4_0-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:webkit-jsc-4-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:webkit2gtk-4_0-injected-bundles-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:webkit2gtk3-devel-2.32.4-lp152.2.19.1 openSUSE Leap 15.2:webkit2gtk3-minibrowser-2.32.4-lp152.2.19.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/X4HF2CMDLYL7MPNIXI64QMEMC75KZUZA/ https://www.suse.com/security/cve/CVE-2021-30858.html CVE-2021-30858 https://bugzilla.suse.com/1190701 SUSE Bug 1190701 https://bugzilla.suse.com/1191298 SUSE Bug 1191298 https://bugzilla.suse.com/1191301 SUSE Bug 1191301