** Description changed:

- I'm filing this placeholder bug for the epiphany security issues. I am
- not currently working on this bug.
+ Impact
+ ------
+ Multiple cross-site scripting (XSS) vulnerabilities were fixed in December 2021. (Sorry for the delay.) https://discourse.gnome.org/t/epiphany-cve-2021-45085-cve-2021-45086-cve-2021-45087-cve-2021-45088/8367
+
+ Testing Done
+ ------------
+ I completed a build and install test.
+
+ After installing, I was able to watch a video on YouTube (I needed to
+ install gstreamer1.0-plugins-bad first).
+
+ I was able to use Reader Mode on a blog site.
+
+ And I was able to load https://ubuntu.com/ normally.
+
+ I was unable to get the POC at https://gitlab.gnome.org/GNOME/epiphany/-/issues/1612
+ to work for me on Ubuntu 20.04 LTS.
+
+ Other Info
+ ----------
+ I cherry-picked the December 2021 commits from
+ https://gitlab.gnome.org/GNOME/epiphany/-/commits/gnome-3-36
+
+ I skipped the "Disable Reader Mode" and "Revert Disable Reader Mode"
+ commits since they cancel each other out.
+
+ There are some interesting translation and bugfix commits after 3.36.4
+ before the December commits. I didn't initially include them since they
+ aren't needed for this security fix. But I can include them if you want.
+
+ I also cherry-picked the (required) February 2022 build fix commit.
+
+ Official backports were not provided for anything older than Epiphany
+ 3.36 so I was unable to prepare a fix for Ubuntu 18.04 LTS ("Bionic").
+ That release isn't getting webkit2gtk security fixes either.
+
+ I'm also including the fix for LP: #1969851
+
+ Sponsoring
+ ----------
+ I am attaching a debdiff. Alternatively you could build from our VCS:
+
+ gbp clone https://salsa.debian.org/gnome-team/epiphany-browser
+ git checkout ubuntu/focal
+ gbp buildpackage --git-builder="debuild -S -nc"
+ That will create the source package you can upload to your PPA

** Patch added: "epiphany-focal-lp1969851.debdiff"
   https://bugs.launchpad.net/ubuntu/+source/epiphany-browser/+bug/1955362/+attachment/5606171/+files/epiphany-focal-lp1969851.debdiff

** Changed in: epiphany-browser (Ubuntu)
       Status: Confirmed => Fix Released

--
You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to epiphany-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1955362

Title:
  epiphany December 2021 XSS issues