oss-sec mailing list archives
Re: WebKitGTK and WPE WebKit Security Advisory WSA-2022-0001
From: John Helmert III <ajak () gentoo org>
Date: Mon, 24 Jan 2022 08:13:15 -0600
On Sun, Jan 23, 2022 at 02:15:30PM -0500, Leo Famulari wrote:
> On Sat, Jan 22, 2022 at 10:02:46PM -0600, John Helmert III wrote:
>> With this big of a gap between releases and security advisories, it seems that users and distributors will be unaware of the necessity of updating due to security fixes, sometimes for weeks after the release. Why not always publish advisories close to new releases?
>
> Since (almost?) every WebKitGTK update includes fixes for bugs that allow remote execution of arbitrary code, I'd expect that distributors are well aware that every update is critical. And given the complexity of a fully-featured browser engine, it probably cannot be any other way: it's the same story for Firefox and Chrome.
I don't think it makes much sense for every downstream to make these kinds of assumptions. Besides, this doesn't seem to be what's happening in practice. For example, WSA-2021-0006 was released on October 26, 2021 with vulnerabilities addressed in 2.34.0, released on September 22, but RedHat's bugs for it were only opened in the days after the *security advisory's* release, not the software release. It doesn't help that most distribution security tooling seems to be oriented around CVEs, which aren't released for WebKit until after the associated advisory. It probably also doesn't help that a lot of WebKit vulnerabilities also affect Apple products, given that many times WebKit advisories are delayed until after the associated CVEs are made public by Apple security advisories.