------------------------------------------------------------------------ WebKitGTK+ Security Advisory WSA-2018-0001 ------------------------------------------------------------------------ Date reported : January 10, 2018 Advisory ID : WSA-2018-0001 Advisory URL : https://webkitgtk.org/security/WSA-2018-0001.html CVE identifiers : CVE-2017-5753, CVE-2017-5715. Several vulnerabilities were discovered in WebKitGTK+. CVE-2017-5753 Versions affected: WebKitGTK+ before 2.18.5. Credit to Jann Horn of Google Project Zero; and Paul Kocher in collaboration with Daniel Genkin of University of Pennsylvania and University of Maryland, Daniel Gruss of Graz University of Technology, Werner Haas of Cyberus Technology, Mike Hamburg of Rambus (Cryptography Research Division), Moritz Lipp of Graz University of Technology, Stefan Mangard of Graz University of Technology, Thomas Prescher of Cyberus Technology, Michael Schwarz of Graz University of Technology, and Yuval Yarom of University of Adelaide and Data61. Impact: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker via a side-channel analysis. This variant of the Spectre vulnerability triggers the speculative execution by performing a bounds-check bypass. Description: Security improvements are included to mitigate the effects. CVE-2017-5715 Versions affected: WebKitGTK+ before 2.18.5. Credit to Jann Horn of Google Project Zero; and Paul Kocher in collaboration with Daniel Genkin of University of Pennsylvania and University of Maryland, Daniel Gruss of Graz University of Technology, Werner Haas of Cyberus Technology, Mike Hamburg of Rambus (Cryptography Research Division), Moritz Lipp of Graz University of Technology, Stefan Mangard of Graz University of Technology, Thomas Prescher of Cyberus Technology, Michael Schwarz of Graz University of Technology, and Yuval Yarom of University of Adelaide and Data61. Impact: Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker via a side-channel analysis. This variant of the Spectre vulnerability triggers the speculative execution by utilizing branch target injection. Description: Security improvements are included to mitigate the effects. We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases. Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html The WebKitGTK+ team, January 10, 2018
Attachment:
signature.asc
Description: OpenPGP digital signature