WebKitGTK+ Security Advisory WSA-2016-0002

Several vulnerabilities were discovered on WebKitGTK+.

  • CVE-2016-1723
    • Versions affected: WebKitGTK+ before 2.10.5.
    • Credit to Apple.
    • WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1725 and CVE-2016-1726.
  • CVE-2016-1724
    • Versions affected: WebKitGTK+ before 2.10.5.
    • Credit to Apple.
    • WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS before 9.1.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1727.
  • CVE-2016-1725
    • Versions affected: WebKitGTK+ before 2.10.5.
    • Credit to Apple.
    • WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1726.
  • CVE-2016-1726
    • Versions affected: WebKitGTK+ before 2.10.8.
    • Credit to Apple.
    • WebKit, as used in Apple iOS before 9.2.1 and Safari before 9.0.3, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1723 and CVE-2016-1725.
  • CVE-2016-1727
    • Versions affected: WebKitGTK+ before 2.10.5.
    • Credit to Apple.
    • WebKit, as used in Apple iOS before 9.2.1, Safari before 9.0.3, and tvOS before 9.1.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-1724.
  • CVE-2016-1728
    • Versions affected: WebKitGTK+ before 2.10.5.
    • Credit to an anonymous researcher coordinated via Joe Vennix.
    • The Cascading Style Sheets (CSS) implementation in Apple iOS before 9.2.1 and Safari before 9.0.3 mishandles the “a:visited button” selector during height processing, which makes it easier for remote attackers to obtain sensitive browser-history information via a crafted web site.

We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: http://webkitgtk.org/security.html