desktop-packages team mailing list archive
Message #155871
[Bug 1532606] [NEW] depends on libwebkitgtk3 which doesn't have security support
Public bug reported:
libwebkitgtk and libwebkitgtk3 are not maintained upstream and contain 100s of active CVEs.
It sure would be great if users of large DEs that depend on Zenity could opt out of those CVEs...
> I see that zenity has a configure flag to enable/disable webkit support,
> would it be possible to provide a zenity-nohtml package that would
> "Provides: zenity" so I can keep my *DE installed without depending on a package that has
> no security support?
Because zenity might not be dealing with untrusted HTML content,
I'm not flagging this one with "security".
For those that didn't know DANGEROUS packages may be shipped:
You can use the package "debian-security-support"; it'll tell you automatically.
** Affects: zenity (Ubuntu)
Importance: Undecided
Status: New
** Affects: zenity (Debian)
Importance: Unknown
Status: Unknown
** Bug watch added: Debian Bug tracker #777608
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777608
** Also affects: zenity (Debian) via
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=777608
Importance: Unknown
Status: Unknown
** Summary changed:
- depends on libwebkitgtk which doesn't have security support
+ depends on libwebkitgtk3 which doesn't have security support
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to zenity in Ubuntu.
https://bugs.launchpad.net/bugs/1532606
Title:
depends on libwebkitgtk3 which doesn't have security support
Status in zenity package in Ubuntu:
New
Status in zenity package in Debian:
Unknown
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zenity/+bug/1532606/+subscriptions