Detections
Analytics
openSUSE Security Update : webkit2gtk3 (openSUSE-2018-118) (Meltdown) (Spectre)
high Nessus Plugin ID 106549
Language:
Synopsis
The remote openSUSE host is missing a security update.Description
This update for webkit2gtk3 fixes the following issues :Update to version 2.18.5 :
+ Disable SharedArrayBuffers from Web API.
+ Reduce the precision of 'high' resolution time to 1ms.
+ bsc#1075419 - Security fixes: includes improvements to mitigate the effects of Spectre and Meltdown (CVE-2017-5753 and CVE-2017-5715).
Update to version 2.18.4 :
+ Make WebDriver implementation more spec compliant.
+ Fix a bug when trying to remove cookies before a web process is spawned.
+ WebKitWebDriver process no longer links to libjavascriptcoregtk.
+ Fix several memory leaks in GStreamer media backend.
+ bsc#1073654 - Security fixes: CVE-2017-13866, CVE-2017-13870, CVE-2017-7156, CVE-2017-13856.
Update to version 2.18.3 :
+ Improve calculation of font metrics to prevent scrollbars from being shown unnecessarily in some cases.
+ Fix handling of null capabilities in WebDriver implementation.
+ Security fixes: CVE-2017-13798, CVE-2017-13788, CVE-2017-13803.
Update to version 2.18.2 :
+ Fix rendering of arabic text.
+ Fix a crash in the web process when decoding GIF images.
+ Fix rendering of wind in Windy.com.
+ Fix several crashes and rendering issues.
Update to version 2.18.1 :
+ Improve performance of GIF animations.
+ Fix garbled display in GMail.
+ Fix rendering of several material design icons when using the web font.
+ Fix flickering when resizing the window in Wayland.
+ Prevent default kerberos authentication credentials from being used in ephemeral sessions.
+ Fix a crash when webkit_web_resource_get_data() is cancelled.
+ Correctly handle touchmove and touchend events in WebKitWebView.
+ Fix the build with enchant 2.1.1.
+ Fix the build in HPPA and Alpha.
+ Fix several crashes and rendering issues.
+ Security fixes: CVE-2017-7081, CVE-2017-7087, CVE-2017-7089, CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120, CVE-2017-7142.
- Enable gold linker on s390/s390x on SLE15/Tumbleweed.
This update was imported from the SUSE:SLE-12-SP2:Update update project.
Solution
Update the affected webkit2gtk3 packages.See Also
https://bugzilla.opensuse.org/show_bug.cgi?id=1020950
https://bugzilla.opensuse.org/show_bug.cgi?id=1024749
https://bugzilla.opensuse.org/show_bug.cgi?id=1050469
https://bugzilla.opensuse.org/show_bug.cgi?id=1066892
https://bugzilla.opensuse.org/show_bug.cgi?id=1069925
Plugin Details
Severity: High
ID: 106549
File Name: openSUSE-2018-118.nasl
Version: 3.8
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 2/1/2018
Updated: 1/19/2021
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: High
Score: 8.4
CVSS v2
Risk Factor: High
Base Score: 9.3
Temporal Score: 8.1
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS v3
Risk Factor: High
Base Score: 8.8
Temporal Score: 8.4
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:H/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18, p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-32bit, p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo, p-cpe:/a:novell:opensuse:libjavascriptcoregtk-4_0-18-debuginfo-32bit, p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37, p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-32bit, p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo, p-cpe:/a:novell:opensuse:libwebkit2gtk-4_0-37-debuginfo-32bit, p-cpe:/a:novell:opensuse:libwebkit2gtk3-lang, p-cpe:/a:novell:opensuse:typelib-1_0-javascriptcore-4_0, p-cpe:/a:novell:opensuse:typelib-1_0-webkit2-4_0, p-cpe:/a:novell:opensuse:typelib-1_0-webkit2webextension-4_0, p-cpe:/a:novell:opensuse:webkit-jsc-4, p-cpe:/a:novell:opensuse:webkit-jsc-4-debuginfo, p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles, p-cpe:/a:novell:opensuse:webkit2gtk-4_0-injected-bundles-debuginfo, p-cpe:/a:novell:opensuse:webkit2gtk3-debugsource, p-cpe:/a:novell:opensuse:webkit2gtk3-devel, p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2, p-cpe:/a:novell:opensuse:webkit2gtk3-plugin-process-gtk2-debuginfo, cpe:/o:novell:opensuse:42.3
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 1/31/2018
Vulnerability Publication Date: 2/20/2017
Exploitable With
CANVAS (CANVAS)
Reference Information
CVE: CVE-2016-4692, CVE-2016-4743, CVE-2016-7586, CVE-2016-7587, CVE-2016-7589, CVE-2016-7592, CVE-2016-7598, CVE-2016-7599, CVE-2016-7610, CVE-2016-7623, CVE-2016-7632, CVE-2016-7635, CVE-2016-7639, CVE-2016-7641, CVE-2016-7645, CVE-2016-7652, CVE-2016-7654, CVE-2016-7656, CVE-2017-13788, CVE-2017-13798, CVE-2017-13803, CVE-2017-13856, CVE-2017-13866, CVE-2017-13870, CVE-2017-2350, CVE-2017-2354, CVE-2017-2355, CVE-2017-2356, CVE-2017-2362, CVE-2017-2363, CVE-2017-2364, CVE-2017-2365, CVE-2017-2366, CVE-2017-2369, CVE-2017-2371, CVE-2017-2373, CVE-2017-2496, CVE-2017-2510, CVE-2017-2539, CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2017-7006, CVE-2017-7011, CVE-2017-7012, CVE-2017-7018, CVE-2017-7019, CVE-2017-7020, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7038, CVE-2017-7039, CVE-2017-7040, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7046, CVE-2017-7048, CVE-2017-7049, CVE-2017-7052, CVE-2017-7055, CVE-2017-7056, CVE-2017-7059, CVE-2017-7061, CVE-2017-7064, CVE-2017-7081, CVE-2017-7087, CVE-2017-7089, CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120, CVE-2017-7142, CVE-2017-7156, CVE-2017-7157
IAVA: 2018-A-0019, 2018-A-0020