Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1476707

Summary: Rebase webkitgtk4 from 2.14 to 2.16 for RHEL 7.5
Product: Red Hat Enterprise Linux 7 Reporter: Tomas Popela <tpopela>
Component: webkitgtk4Assignee: Tomas Popela <tpopela>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact: Jana Heves <jsvarova>
Priority: unspecified    
Version: 7.5CC: jan.public, jkoten, jsvarova, tpelka, tpopela
Target Milestone: rcKeywords: Rebase
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: webkitgtk4-2.16.6-1.el7 Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_webkitgtk4_ rebased to version 2.16 The _webkitgtk4_ package has been upgraded to version 2.16, which provides a number of enhancements over the previous version. Notable enhancements include: * To reduce memory consumption, hardware acceleration is now enabled on demand. * _webkitgtk4_ contains a new WebKitSetting plug-in to set the hardware acceleration policy. * CSS Grid Layout is enabled by default. * Private browsing has been improved by adding a new API to create ephemeral web views. * A new API has been provided to handle website data. * Two new debugging tools are now available: memory sampler and resource usage overlay. * GTK+ font settings are now honored. * Theme rendering performance is improved when using GTK+ version 3.20 and higher.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 10:32:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1477211, 1477926, 1479818    

Description Tomas Popela 2017-07-31 09:11:31 UTC 
As subject says, rebase webkitgtk4 from 2.14 to the latest 2.16 release for RHEL 7.5 to get rid of various downstream patches that were committed to upstream and clean patches that were backported from 2.16 to 2.14.

WebKitGTK+ Security Advisories:

https://www.webkitgtk.org/security/WSA-2017-0003.html
https://www.webkitgtk.org/security/WSA-2017-0004.html
https://www.webkitgtk.org/security/WSA-2017-0005.html
https://www.webkitgtk.org/security/WSA-2017-0006.html


Here are the CVEs fixed in 2.16 so far:

CVE-2016-9642, CVE-2017-2376, CVE-2017-2386, CVE-2017-2395, CVE-2017-2396, CVE-2017-2405, CVE-2017-2433, CVE-2017-2445, CVE-2017-2447, CVE-2017-2455, CVE-2017-2457, CVE-2017-2464, CVE-2017-2469, CVE-2017-2539, CVE-2017-2496, CVE-2017-2504, CVE-2017-2505, CVE-2017-2506, CVE-2017-2508, CVE-2017-2510, CVE-2017-2514, CVE-2017-2515, CVE-2017-2521, CVE-2017-2525, CVE-2017-2526, CVE-2017-2528, CVE-2017-2530, CVE-2017-2531, CVE-2017-2536, CVE-2017-2539, CVE-2017-2544, CVE-2017-2547, CVE-2017-2549, CVE-2017-6980, CVE-2017-6984, CVE-2017-2538, CVE-2017-2424, CVE-2017-7006, CVE-2017-7011, CVE-2017-7012, CVE-2017-7018, CVE-2017-7019, CVE-2017-7020, CVE-2017-7030, CVE-2017-7034, CVE-2017-7037, CVE-2017-7038, CVE-2017-7039, CVE-2017-7040, CVE-2017-7041, CVE-2017-7042, CVE-2017-7043, CVE-2017-7046, CVE-2017-7048, CVE-2017-7049, CVE-2017-7052, CVE-2017-7055, CVE-2017-7056, CVE-2017-7059, CVE-2017-7061, CVE-2017-7064


Here is a changelog:

2.16.0:
* Hardware acceleration is now enabled on demand to drastically reduce memory consumption.
* CSS Grid Layout is enabled by default.
* New WebKitSetting to set the hardware acceleration policy.
* UI process API to configure network proxy settings.
* Improved private browsing by adding new API to create ephemeral web views.
* New API to handle website data.
* Debug tools: memory sampler and resource usage overlay

2.16.1:
* Fix no-third-party cookies policy in case of redirections.
* Keep URL fragments after server redirections.
* Honor GTK+ font settings.
* Ensure depth and stencil renderbuffers are created on GLESv2.
* Prevent new navigations from onbeforeunload handler and document unload.
* Disallow beforeunload alerts from web pages users have never interacted with.
* Fix several crashes and rendering issues.

2.16.2:

* Update user agent quirks to make Youtube and new Google login page work. (already backported for RHEL 7.4)
* Fix rendering of animated PNGs.
* Fix playing of some live streams.
* Update several web inspector icons.
* Fix the build with NPAPI plugins enabled but X11 disabled.
* Fix the build with OpenGL disabled.
* Fix several crashes and rendering issues.

2.16.3:

* Fix URL shown in the title of beforeunload dialogs.
* Focus first input field of HTTP authentication dialog.
* Fix rendering glitches in HiDPI in long GitHub Gist pages when focusing the comments textarea.
* Remove Firefox user agent quirk for Google domains.
* Remove LATEST_RECORD_VERSION from GnuTLS priority string.
* Fix several crashes and rendering issues.

2.16.4:
* Fix web process deadlock when seeking youtube videos.
* Fix blob downloads.
* Improve theme rendering performance when using GTK+ >= 3.20.
* Fix positioning of popup menus in Wayland.
* Fix several crashes and rendering issues.

2.16.5:
* Fix a web process crash when page finishes loading in several web sites.
* Fix the menu of select elements not showing in some cases under Wayland.

2.16.6
* Fix rendering of spin buttons with GTK+ >= 3.20 when the entry width is too short.
* Fix the build when Wayland target is enabled and X11 disabled.
* Fix several crashes and rendering issues.
Comment 2 Tomas Popela 2017-09-04 14:04:15 UTC 
There is one more security advisory:

https://www.webkitgtk.org/security/WSA-2017-0007.html

mentioning two new CVEs

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000121 and https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000122
Comment 7 Tomas Popela 2018-01-09 08:47:32 UTC 
Jani can you please swap the second and third bullet in the docs? Thank you
Comment 10 errata-xmlrpc 2018-04-10 10:32:31 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0703