Bug 1476707 - Rebase webkitgtk4 from 2.14 to 2.16 for RHEL 7.5
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: webkitgtk4
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Tomas Popela
QA Contact: Desktop QE
Docs Contact: Jana Heves
URL:
Whiteboard:
Depends On:
Blocks: 1477211 1477926 1479818
Reported: 2017-07-31 09:11 UTC by Tomas Popela
Modified: 2018-04-10 10:33 UTC

Fixed In Version: webkitgtk4-2.16.6-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_webkitgtk4_ rebased to version 2.16
The _webkitgtk4_ package has been upgraded to version 2.16, which provides a number of enhancements over the previous version. Notable enhancements include:
* To reduce memory consumption, hardware acceleration is now enabled on demand.
* _webkitgtk4_ contains a new WebKitSetting plug-in to set the hardware acceleration policy.
* CSS Grid Layout is enabled by default.
* Private browsing has been improved by adding a new API to create ephemeral web views.
* A new API has been provided to handle website data.
* Two new debugging tools are now available: memory sampler and resource usage overlay.
* GTK+ font settings are now honored.
* Theme rendering performance is improved when using GTK+ version 3.20 and higher.
Clone Of:
Environment:
Last Closed: 2018-04-10 10:32:31 UTC
Target Upstream Version:
Embargoed:


Links
System: Red Hat Product Errata
ID: RHBA-2018:0703
Private: 0
Priority: None
Status: None
Summary: None
Last Updated: 2018-04-10 10:33:07 UTC

Description Tomas Popela 2017-07-31 09:11:31 UTC
As subject says, rebase webkitgtk4 from 2.14 to the latest 2.16 release for RHEL 7.5 to get rid of various downstream patches that were committed to upstream and clean patches that were backported from 2.16 to 2.14.

WebKitGTK+ Security Advisories:

https://www.webkitgtk.org/security/WSA-2017-0003.html
https://www.webkitgtk.org/security/WSA-2017-0004.html
https://www.webkitgtk.org/security/WSA-2017-0005.html
https://www.webkitgtk.org/security/WSA-2017-0006.html


Here are the CVEs fixed in 2.16 so far:

CVE-2016-9642, CVE-2017-2376, CVE-2017-2386, CVE-2017-2395, CVE-2017-2396, CVE-2017-2405, CVE-2017-2433, CVE-2017-2445, CVE-2017-2447, CVE-2017-2455, CVE-2017-2457, CVE-2017-2464, CVE-2017-2469, CVE-2017-2539, CVE-2017-2496, CVE-2017-2504, CVE-2017-2505, CVE-2017-2506, CVE-2017-2508, CVE-2017-2510, CVE-2017-2514, CVE-2017-2515, CVE-2017-2521, CVE-2017-2525, CVE-2017-2526, CVE-2017-2528, CVE-2017-2530, CVE-2017-2531, CVE-2017-2536, CVE-2017-2539, CVE-2017-2544, CVE-2017-2547, CVE-2017-2549, CVE-2017-6980, CVE-2017-6984, CVE-2017-2538, CVE-2017-2424, CVE-2017-7006, CVE-2017-7011, CVE-2017-7012, CVE-2017-7018, CVE-2017-7019, CVE-2017-7020, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7038, CVE-2017-7039, CVE-2017-7040, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7046, CVE-2017-7048, CVE-2017-7049, CVE-2017-7052, CVE-2017-7055, CVE-2017-7056, CVE-2017-7059, CVE-2017-7061, CVE-2017-7064


Here is a changelog:

2.16.0:
* Hardware acceleration is now enabled on demand to drastically reduce memory consumption.
* CSS Grid Layout is enabled by default.
* New WebKitSetting to set the hardware acceleration policy.
* UI process API to configure network proxy settings.
* Improved private browsing by adding new API to create ephemeral web views.
* New API to handle website data.
* Debug tools: memory sampler and resource usage overlay

2.16.1:
* Fix no-third-party cookies policy in case of redirections.
* Keep URL fragments after server redirections.
* Honor GTK+ font settings.
* Ensure depth and stencil renderbuffers are created on GLESv2.
* Prevent new navigations from onbeforeunload handler and document unload.
* Disallow beforeunload alerts from web pages users have never interacted with.
* Fix several crashes and rendering issues.

2.16.2:

* Update user agent quirks to make YouTube and new Google login page work. (already backported for RHEL 7.4)
* Fix rendering of animated PNGs.
* Fix playing of some live streams.
* Update several web inspector icons.
* Fix the build with NPAPI plugins enabled but X11 disabled.
* Fix the build with OpenGL disabled.
* Fix several crashes and rendering issues.

2.16.3:

* Fix URL shown in the title of beforeunload dialogs.
* Focus first input field of HTTP authentication dialog.
* Fix rendering glitches in HiDPI in long GitHub Gist pages when focusing the comments textarea.
* Remove Firefox user agent quirk for Google domains.
* Remove LATEST_RECORD_VERSION from GnuTLS priority string.
* Fix several crashes and rendering issues.

2.16.4:
* Fix web process deadlock when seeking YouTube videos.
* Fix blob downloads.
* Improve theme rendering performance when using GTK+ >= 3.20.
* Fix positioning of popup menus in Wayland.
* Fix several crashes and rendering issues.

2.16.5:
* Fix a web process crash when page finishes loading in several web sites.
* Fix the menu of select elements not showing in some cases under Wayland.

2.16.6:
* Fix rendering of spin buttons with GTK+ >= 3.20 when the entry width is too short.
* Fix the build when Wayland target is enabled and X11 disabled.
* Fix several crashes and rendering issues.

Comment 7 Tomas Popela 2018-01-09 08:47:32 UTC
Jani, can you please swap the second and third bullet in the docs? Thank you.

Comment 10 errata-xmlrpc 2018-04-10 10:32:31 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0703

