-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Thu, 10 Dec 2009 20:41:40 +0100
Source: webkit
Binary: libwebkit-1.0-1 libwebkit-dev libwebkit-1.0-1-dbg
Architecture: source all i386
Version: 1.0.1-4+lenny2
Distribution: stable-security
Urgency: high
Maintainer: Debian WebKit Maintainers <pkg-webkit-maintainers@lists.alioth.debian.org>
Changed-By: Giuseppe Iuculano <iuculano@debian.org>
Description:
 libwebkit-1.0-1 - Web content engine library for Gtk+
 libwebkit-1.0-1-dbg - Web content engine library for Gtk+ - Debugging symbols
 libwebkit-dev - Web content engine library for Gtk+ - Development files
Closes: 532724 532725 534946 535793 538346
Changes:
 webkit (1.0.1-4+lenny2) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed FTBFS on arm and powerpc: include limits.h for a definition of
     ULONG_MAX introduced in CVE-2009-1687 patch.
 .
 webkit (1.0.1-4+lenny1) stable-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fixed CVE-2009-0945: NULL-pointer dereference in the SVGList interface
     implementation (Closes: #532724, #532725)
   * Fixed CVE-2009-1687: Integer overflow in JavaScript garbage collector
   * Fixed CVE-2009-1690: Incorrect handling of <head> element content once
     the <head> element was removed
   * Fixed CVE-2009-1698: incorrect handling of CSS "style" attribute content
   * Fixed CVE-2009-1711: denial of service or arbitrary code execution via
     Attr DOM objects improper memory initialization. (Closes: #534946)
   * Fixed CVE-2009-1712: arbitrary code execution via remote loading of
     local java applets. (Closes: #535793)
   * Fixed CVE-2009-1725: improper handling of numeric character references
     (Closes: #538346)
   * Patch based on work done by Marc Deslauriers
     <marc.deslauriers@ubuntu.com> in Ubuntu, thanks.
   * Fixed CVE-2009-1714: Cross-site scripting (XSS) vulnerability in Web
     Inspector
   * Fixed CVE-2009-1710: Remote attackers can spoof the browser's display of
     the host name, security indicators, and unspecified other UI elements
     via a custom cursor in conjunction with a modified CSS3 hotspot property.
   * Fixed CVE-2009-1697: CRLF injection vulnerability allows remote attackers
     to inject HTTP headers and bypass the Same Origin Policy via a crafted
     HTML document
   * Fixed CVE-2009-1695: Cross-site scripting (XSS) vulnerability allows
     remote attackers to inject arbitrary web script or HTML via vectors
     involving access to frame contents after completion of a page transition.
   * Fixed CVE-2009-1693 and CVE-2009-1694: does not properly handle
     redirects, which allows remote attackers to read images from arbitrary
     web sites via vectors involving a CANVAS element and redirection
   * Fixed CVE-2009-1681: does not prevent web sites from loading third-party
     content into a subframe, which allows remote attackers to bypass the
     Same Origin Policy and conduct "clickjacking" attacks via a crafted HTML
     document.
   * Fixed CVE-2009-1684: Cross-site scripting (XSS) vulnerability allows
     remote attackers to inject arbitrary web script or HTML via an event
     handler that triggers script execution in the context of the next
     loaded document.
   * Fixed CVE-2009-1692: denial of service (memory consumption or device
     reset) via a web page containing an HTMLSelectElement object with a
     large length attribute, related to the length property of a Select
     object.
Checksums-Sha1:
Checksums-Sha256:
Files:

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkshY3wACgkQNxpp46476arTNgCfRAlwh209c24VVDe6Hh48odrJ
lxwAoI4WKX2nyLrHy+xvsnTXRA5ZF2ga
=/kz8
-----END PGP SIGNATURE-----

Accepted:
libwebkit-1.0-1-dbg_1.0.1-4+lenny2_i386.deb to
main/w/webkit/libwebkit-1.0-1-dbg_1.0.1-4+lenny2_i386.deb
libwebkit-1.0-1_1.0.1-4+lenny2_i386.deb to main/w/webkit/libwebkit-1.0-1_1.0.1-4+lenny2_i386.deb
libwebkit-dev_1.0.1-4+lenny2_all.deb to main/w/webkit/libwebkit-dev_1.0.1-4+lenny2_all.deb
webkit_1.0.1-4+lenny2.diff.gz to main/w/webkit/webkit_1.0.1-4+lenny2.diff.gz
webkit_1.0.1-4+lenny2.dsc to main/w/webkit/webkit_1.0.1-4+lenny2.dsc