安全公告详情

NS-SA-2021-0059

2021-03-09 14:30:31

简介

moderate: webkit2gtk3/python3 security update

严重级别

moderate

主题

An update for webkit2gtk3/python3 is now available for NewStart CGSL MAIN 6.02.
NewStart Security has rated this update as having a security impact of moderate. A Common Vunlnerability Scoring System(CVSS)base score, which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.

详细描述

webkit2gtk3: This package provides debug information for package webkit2gtk3-jsc-devel. Debug information is useful when developing applications that use this package or when debugging this package.
python3: This is the internal interpreter of the Python language for the system. To use Python yourself, please install one of the available Python 3 packages, for example python36.


Security Fix(es):
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8835)
webkit2gtk3: WebKitGTK through 2.26.4 and WPE WebKit through 2.26.4 (which are the versions right before 2.28.0) contains a memory corruption issue (use-after-free) that may lead to arbitrary code execution. This issue has been fixed in 2.28.0 with improved memory handling.(CVE-2020-10018)
webkit2gtk3: A use after free issue was addressed with improved memory management. This issue is fixed in tvOS 13.3, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8846)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in tvOS 13.3, watchOS 6.1.1, iCloud for Windows 10.9, iOS 13.3 and iPadOS 13.3, Safari 13.0.4, iTunes 12.10.3 for Windows, iCloud for Windows 7.16. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8844)
webkit2gtk3: A use-after-free flaw exists in WebKitGTK. This flaw allows remote attackers to execute arbitrary code or cause a denial of service.(CVE-2020-11793)
webkit2gtk3: A denial of service issue was addressed with improved memory handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. A malicious website may be able to cause a denial of service.(CVE-2020-3862)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2020-3865)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iCloud for Windows 11.0. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8710)
webkit2gtk3: A logic issue was addressed with improved state management. This issue is fixed in tvOS 13, iTunes for Windows 12.10.1, iCloud for Windows 10.7, iCloud for Windows 7.14. Processing maliciously crafted web content may lead to universal cross site scripting.(CVE-2019-8625)
webkit2gtk3: A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A file URL may be incorrectly processed.(CVE-2020-3885)
webkit2gtk3: A race condition was addressed with additional validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. An application may be able to read restricted memory.(CVE-2020-3894)
webkit2gtk3: A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2020-3895)
webkit2gtk3: A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A remote attacker may be able to cause arbitrary code execution.(CVE-2020-3897)
webkit2gtk3: A memory consumption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. A remote attacker may be able to cause arbitrary code execution.(CVE-2020-3899)
webkit2gtk3: A memory corruption issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2020-3900)
webkit2gtk3: A type confusion issue was addressed with improved memory handling. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, watchOS 6.2, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2020-3901)
webkit2gtk3: An input validation issue was addressed with improved input validation. This issue is fixed in iOS 13.4 and iPadOS 13.4, tvOS 13.4, Safari 13.1, iTunes for Windows 12.10.5, iCloud for Windows 10.9.3, iCloud for Windows 7.18. Processing maliciously crafted web content may lead to a cross site scripting attack.(CVE-2020-3902)
webkit2gtk3: A command injection issue existed in Web Inspector. This issue was addressed with improved escaping. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Copying a URL from Web Inspector may lead to command injection.(CVE-2020-9862)
webkit2gtk3: A use-after-free issue was found in webkitgtk that affected WebKitGTK versions before 2.28.4 and WPE WebKit versions before 2.28.4. This flaw allows a remote attacker to cause unexpected application termination or arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-9893)
webkit2gtk3: An out-of-bounds read flaw was found in webkitgtk that affected WebKitGTK versions before 2.28.4 and WPE WebKit versions before 2.28.4. This flaw allows a remote attacker to cause unexpected application termination or arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-9894)
webkit2gtk3: A flaw was found in webkitgtk in versions prior to 2.28.4 and in WPE WebKit in versions prior to 2.28.4. A use-after-free issue was found allowing a remote attacker to cause unexpected application termination or arbitrary code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-9895)
webkit2gtk3: An access issue existed in Content Security Policy. This issue was addressed with improved access restrictions. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing maliciously crafted web content may prevent Content Security Policy from being enforced.(CVE-2020-9915)
webkit2gtk3: A logic issue was addressed with improved state management. This issue is fixed in iOS 13.6 and iPadOS 13.6, tvOS 13.4.8, watchOS 6.2.8, Safari 13.1.2, iTunes 12.10.8 for Windows, iCloud for Windows 11.3, iCloud for Windows 7.20. Processing maliciously crafted web content may lead to universal cross site scripting.(CVE-2020-9925)
webkit2gtk3: A logic issue was found in webkitgtk that affected WebKitGTK versions before 2.28.3 and WPE WebKit versions before 2.28.3. This flaw allows an attacker to process maliciously crafted web content that may lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-9802)
webkit2gtk3: A flaw was found in webkitgtk in versions prior to 2.28.3 and in WPE WebKit in versions prior to 2.28.3. A memory corruption issue could allow processing maliciously crafted web content leading to arbitrary code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-9803)
webkit2gtk3: A logic issue was addressed with improved restrictions. This issue is fixed in iOS 13.5 and iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. Processing maliciously crafted web content may lead to universal cross site scripting.(CVE-2020-9805)
webkit2gtk3: A flaw was found in webkit gtk in versions prior to 2.28.3 and in WPE WebKit in versions prior to 2.28.3. A memory corruption issue could allow processing of maliciously crafted web content that could lead to arbitrary code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-9806)
webkit2gtk3: A memory corruption issue was found in webkitgtk that affected WebKitGTK versions before 2.28.3 and WPE WebKit versions before 2.28.3. This flaw allows an attacker to process maliciously crafted web content that may lead to arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-9807)
webkit2gtk3: An input validation issue was addressed with improved input validation. This issue is fixed in iOS 13.5 and iPadOS 13.5, tvOS 13.4.5, watchOS 6.2.5, Safari 13.1.1, iTunes 12.10.7 for Windows, iCloud for Windows 11.2, iCloud for Windows 7.19. Processing maliciously crafted web content may lead to a cross site scripting attack.(CVE-2020-9843)
webkit2gtk3: A logic issue was found in webkitgtk that affected WebKitGTK versions before 2.28.3 and WPE WebKit versions before 2.28.3. This flaw allows a remote attacker to cause arbitrary code execution. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.(CVE-2020-9850)
webkit2gtk3: A logic issue was addressed with improved validation. This issue is fixed in iCloud for Windows 7.17, iTunes 12.10.4 for Windows, iCloud for Windows 10.9.2, tvOS 13.3.1, Safari 13.0.5, iOS 13.3.1 and iPadOS 13.3.1. A DOM object context may not have had a unique security origin.(CVE-2020-3864)
webkit2gtk3: A logic issue was addressed with improved state management. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to universal cross site scripting.(CVE-2020-3867)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.3.1 and iPadOS 13.3.1, tvOS 13.3.1, Safari 13.0.5, iTunes for Windows 12.10.4, iCloud for Windows 11.0, iCloud for Windows 7.17. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2020-3868)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in watchOS 6.1. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8743)
webkit2gtk3: A logic issue was addressed with improved state management. This issue is fixed in watchOS 6.1. Processing maliciously crafted web content may lead to universal cross site scripting.(CVE-2019-8764)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in watchOS 6.1, iCloud for Windows 11.0. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8766)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8782)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0, iCloud for Windows 7.15. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8783)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, watchOS 6.1, Safari 13.0.3, iTunes for Windows 12.10.2. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8808)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, watchOS 6.1, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0, iCloud for Windows 7.15. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8811)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, watchOS 6.1, Safari 13.0.3, iTunes for Windows 12.10.2. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8812)
webkit2gtk3: A logic issue was addressed with improved state management. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0. Processing maliciously crafted web content may lead to universal cross site scripting.(CVE-2019-8813)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0, iCloud for Windows 7.15. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8814)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0, iCloud for Windows 7.15. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8815)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, watchOS 6.1, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0, iCloud for Windows 7.15. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8816)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0, iCloud for Windows 7.15. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8819)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, watchOS 6.1, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0, iCloud for Windows 7.15. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8820)
webkit2gtk3: Multiple memory corruption issues were addressed with improved memory handling. This issue is fixed in iOS 13.2 and iPadOS 13.2, tvOS 13.2, Safari 13.0.3, iTunes for Windows 12.10.2, iCloud for Windows 11.0, iCloud for Windows 7.15. Processing maliciously crafted web content may lead to arbitrary code execution.(CVE-2019-8823)
webkit2gtk3: No description is available for this CVE.(CVE-2019-8720)
webkit2gtk3: An issue existed in the drawing of web page elements. The issue was addressed with improved logic. This issue is fixed in iOS 13.1 and iPadOS 13.1, macOS Catalina 10.15. Visiting a maliciously crafted website may reveal browsing history.(CVE-2019-8769)
webkit2gtk3: This issue was addressed with improved iframe sandbox enforcement. This issue is fixed in Safari 13.0.1, iOS 13. Maliciously crafted web content may violate iframe sandboxing policy.(CVE-2019-8771)
webkit2gtk3: bugfix
python3: A vulnerability was found in the way the ipaddress python module computes hash values in the IPv4Interface and IPv6Interface classes. This flaw allows an attacker to create many dictionary entries, due to the performance of a dictionary containing the IPv4Interface or IPv6Interface objects, possibly resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-14422)
python3: Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.(CVE-2020-8492)
python3: In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.(CVE-2019-20907)
python3: A reflected cross-site scripting (XSS) vulnerability was found in Python XML-RPC server. The `server_title` field is not sufficiently sanitized allowing malicious JavaScript to be injected. Successful exploitation would allow a remote attacker to execute JavaScript code within the context of the affected user.(CVE-2019-16935)
python3: bugfix


Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
http://security.gd-linux.com/how_to_apply_patch.html
Remember the build tag is 6.02.50B5.

影响组件

  • webkit2gtk3
  • python3

影响产品

  • CGSL MAIN 6.02

更新包

{"fix":[{"product":"CGSL MAIN 6.02","pkgs":[{"binary":["webkit2gtk3-jsc-devel-debuginfo-2.28.4-1.el8.x86_64.rpm","webkit2gtk3-debuginfo-2.28.4-1.el8.x86_64.rpm","webkit2gtk3-jsc-debuginfo-2.28.4-1.el8.x86_64.rpm","webkit2gtk3-doc-2.28.4-1.el8.noarch.rpm","webkit2gtk3-debugsource-2.28.4-1.el8.x86_64.rpm","webkit2gtk3-devel-debuginfo-2.28.4-1.el8.x86_64.rpm","webkit2gtk3-jsc-2.28.4-1.el8.x86_64.rpm","webkit2gtk3-devel-2.28.4-1.el8.x86_64.rpm","webkit2gtk3-2.28.4-1.el8.x86_64.rpm","webkit2gtk3-jsc-devel-2.28.4-1.el8.x86_64.rpm"],"source":"webkit2gtk3-2.28.4-1.el8.src.rpm"},{"binary":["platform-python-3.6.8-31.el8.x86_64.rpm","python3-libs-3.6.8-31.el8.x86_64.rpm","python3-test-3.6.8-31.el8.x86_64.rpm","python3-devel-3.6.8-31.el8.x86_64.rpm","python3-debugsource-3.6.8-31.el8.x86_64.rpm","python3-debuginfo-3.6.8-31.el8.x86_64.rpm","platform-python-debug-3.6.8-31.el8.x86_64.rpm","platform-python-devel-3.6.8-31.el8.x86_64.rpm","python3-tkinter-3.6.8-31.el8.x86_64.rpm","python3-idle-3.6.8-31.el8.x86_64.rpm"],"source":"python3-3.6.8-31.el8.src.rpm"}]}]}

CVE

参考