Hi, On 2016-09-13 05:14 PM, Adam Dingle wrote: > This article from Michael Catanzaro is sobering: > > https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/ > > It essentially makes two points: > > 1. WebKit 1 contains many security vulnerabilities that will probably never be > fixed, and yet some apps (e.g. Geary, GnuCash) still depend on it. > > 2. For WebKit 2, the WebKit team fixes vulnerabilities only in its latest > stable > and unstable versions, yet many distributions including Ubuntu don't generally > upgrade users to these versions, and don't backport security fixes to previous > versions (which would be hard). > > Considering this second point, Xenial (16.04 LTS) contains libwebkit2gtk-4.0 > version 2.10.9-1ubuntu1, which was apparently last updated in March 2016. It > is > presumably vulnerable to all the security bugs in WebKitGTK's more recent > security advisories, which include numerous arbitrary code execution > vulnerabilities: > > https://webkitgtk.org/security/WSA-2016-0004.html > https://webkitgtk.org/security/WSA-2016-0005.html > > As Michael points out, this is concerning because many apps (including > Epiphany, > which I often use for browsing) use WebKit. He writes: > > Some of the more notable users include Anjuta, Banshee, Bijiben (GNOME > Notes), > Devhelp, Empathy, Evolution, Geany, Geary, GIMP, gitg, GNOME Builder, GNOME > Documents, GNOME Initial Setup, GNOME Online Accounts, GnuCash, gThumb, > Liferea, > Midori, Rhythmbox, Shotwell, Sushi, and Yelp (GNOME Help). > > It appears that Ubuntu has three policy choices: > > 1) Upgrade users of existing Ubuntu releases such as Xenial to newer stable > WebKit 2 versions (e.g. 2.12.5, where all known vulnerabilities are fixed). > The > cost of this is potential breakage if a new version of WebKit 2 isn't > completely > compatible with the old. As Michael points out, WebKit 2 "ensures that each > release maintains both API and ABI compatibility", but of course bugs are > possible and he admits that "there is some risk" that an update could break > something. > > 2) Backport all security fixes to older WebKit versions such as 2.10. This is > almost certainly impractical. > > 3) Keep users at existing WebKit 2 versions with known vulnerabilities (e.g. > 2.10.9 in Xenial). > > Has Ubuntu consciously chosen policy (3) over (1)? If so, this feels unwise > to > me. I think the breakage in (1) would probably be minimal since I've often > built a newer WebKit 2 on an existing Ubuntu release and it has always worked > fine in existing apps as far as I can tell. >
I will be publishing 2.12.5 as a security update for xenial tomorrow or thursday. I was going to publish 2.12.4, but there was a regression in it. Marc. -- ubuntu-desktop mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-desktop
