--- Begin Message ---
- From: Carlos Alberto Lopez Perez <clopez igalia com>
- To: webkit-gtk lists webkit org
- Cc: oss-security lists openwall com, bugtraq securityfocus com
- Subject: [webkit-gtk] WebKitGTK+ Security Advisory WSA-2016-0002
- Date: Fri, 11 Mar 2016 15:25:39 +0100
------------------------------------------------------------------------ WebKitGTK+ Security Advisory WSA-2016-0002 ------------------------------------------------------------------------ Date reported : March 11, 2016 Advisory ID : WSA-2016-0002 Advisory URL : http://webkitgtk.org/security/WSA-2016-0002.html CVE identifiers : CVE-2016-1723, CVE-2016-1724, CVE-2016-1725, CVE-2016-1726, CVE-2016-1727, CVE-2016-1728. Several vulnerabilities were discovered on WebKitGTK+. CVE-2016-1723 Versions affected: WebKitGTK+ before 2.10.5. Credit to Apple. WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1725 and CVE-2016-1726. CVE-2016-1724 Versions affected: WebKitGTK+ before 2.10.5. Credit to Apple. WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS before 9.1.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1727. CVE-2016-1725 Versions affected: WebKitGTK+ before 2.10.5. Credit to Apple. WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1726. CVE-2016-1726 Versions affected: WebKitGTK+ before 2.10.8. Credit to Apple. WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1725. CVE-2016-1727 Versions affected: WebKitGTK+ before 2.10.5. Credit to Apple. WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS before 9.1.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1724. CVE-2016-1728 Versions affected: WebKitGTK+ before 2.10.5. Credit to an anonymous researcher coordinated via Joe Vennix. The Cascading Style Sheets (CSS) implementation in Apple iOS before 9.2.1 and Safari before 9.0.3 mishandles the "a:visited button" selector during height processing, which makes it easier for remote attackers to obtain sensitive browser-history information via a crafted web site. We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases. Further information about WebKitGTK+ Security Advisories can be found at: http://webkitgtk.org/security.html The WebKitGTK+ team, March 11, 2016Attachment: signature.asc
Description: OpenPGP digital signature_______________________________________________ webkit-gtk mailing list webkit-gtk lists webkit org https://lists.webkit.org/mailman/listinfo/webkit-gtk
--- End Message ---