
Fedora alert FEDORA-2026-f00460a7d9 (webkitgtk)

From:  updates--- via package-announce <package-announce@lists.fedoraproject.org>
To:  package-announce@lists.fedoraproject.org
Subject:  [SECURITY] Fedora 44 Update: webkitgtk-2.52.1-1.fc44
Date:  Tue, 31 Mar 2026 00:27:45 +0000
Message-ID:  <20260331002745.EBBF37941F@bastion01.rdu3.fedoraproject.org>
Archive-link:  Article

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2026-f00460a7d9
2026-03-31 00:16:35.926192+00:00
--------------------------------------------------------------------------------

Name        : webkitgtk
Product     : Fedora 44
Version     : 2.52.1
Release     : 1.fc44
URL         : https://www.webkitgtk.org/
Summary     : GTK web content engine library
Description :
WebKitGTK is the port of the WebKit web rendering engine to the
GTK platform.

--------------------------------------------------------------------------------
Update Information:

Update to 2.52.1:

- Reduce the amount of useless MPRIS notifications produced by MediaSession
  when the information about media being played is incomplete.
- Add Sysprof marks for mouse events.
- Fix MediaSession icon for iheart.com not being displayed.
- Fix several crashes and rendering issues.
- Translation updates: Georgian.

Update to 2.52.0:

- Make text look like in other browsers by blending in linear color space.
- Improved rendering performance by using a different tile size depending on
  whether GPU rendering is enabled or not.
- Improved composition scheduling to avoid blocking waiting for tile painting.
- Improved performance of accelerated 2D canvas by recording operations for
  batched replay.
- Improved async scrolling when main thread is busy by avoiding locks and
  rendering the scrollbars from the scrolling thread.
- Enabled dynamic MSAA for accelerated 2D canvas rendering.
- Improved text rendering performance.
- Videos with BT2100-PQ colorspace are now tone-mapped to SDR, ensuring
  colours do not appear washed out.
- Added support for the Audio Output Devices API.
- Added API to handle WebXR permission requests.
- Added API to query the immersive session status.
- Added initial API for web extensions.

2.51.93:

- Make text look like in other browsers by blending in linear color space.
- Avoid composition for non visible layers with running animations.
- Fix several crashes and rendering issues.

2.51.92:

- Fix PDF rendering broken by the accelerated 2D canvas performance
  improvements.
- Fix flickering while scrolling in some edge cases.
- Support for rotation and mirroring in internal WebCodecs encoder.
- System fallback font selection no longer takes style into account.
- Fix several crashes and rendering issues.

--------------------------------------------------------------------------------
ChangeLog:

* Sat Mar 28 2026 Michael Catanzaro <mcatanzaro@gnome.org> - 2.52.1-1
- Update to 2.52.1
* Wed Mar 25 2026 Jan Grulich <jgrulich@redhat.com> - 2.52.0-4
- Add configuration for release-monitoring
* Tue Mar 24 2026 Michael Catanzaro <mcatanzaro@gnome.org> - 2.52.0-3
- Remove Unicode-TOU from license list
* Tue Mar 24 2026 Michael Catanzaro <mcatanzaro@gnome.org> - 2.52.0-2
- Correct license of m4sugar.m4
* Sat Mar 21 2026 Michael Catanzaro <mcatanzaro@gnome.org> - 2.52.0-1
- Update to 2.52.0
* Fri Mar 6 2026 Michael Catanzaro <mcatanzaro@gnome.org> - 2.51.93-1
- Update to 2.51.93
* Sun Mar 1 2026 Michael Catanzaro <mcatanzaro@gnome.org> - 2.51.92-1
- Update to 2.51.92

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #2449069 - CVE-2025-43213 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449069
  [ 2 ] Bug #2449073 - CVE-2025-43214 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449073
  [ 3 ] Bug #2449086 - CVE-2025-43457 webkitgtk: Processing maliciously crafted web content may lead to an unexpected Safari crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449086
  [ 4 ] Bug #2449089 - CVE-2025-43511 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449089
  [ 5 ] Bug #2449092 - CVE-2025-46299 webkitgtk: Processing maliciously crafted web content may disclose internal states of the app [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449092
  [ 6 ] Bug #2449095 - CVE-2026-20608 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449095
  [ 7 ] Bug #2449098 - CVE-2026-20635 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449098
  [ 8 ] Bug #2449102 - CVE-2026-20636 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449102
  [ 9 ] Bug #2449105 - CVE-2026-20644 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449105
  [ 10 ] Bug #2449108 - CVE-2026-20652 webkitgtk: A remote attacker may be able to cause a denial-of-service [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449108
  [ 11 ] Bug #2449111 - CVE-2026-20676 webkitgtk: A website may be able to track users through Safari web extensions [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2449111
  [ 12 ] Bug #2450634 - webkitgtk-2.50.5: WebKitWebProcess repeated SIGABRT crashes (heap corruption), upstream fixed in 2.50.6+
        https://bugzilla.redhat.com/show_bug.cgi?id=2450634
  [ 13 ] Bug #2453064 - CVE-2026-20643 webkitgtk: Processing maliciously crafted web content may bypass Same Origin Policy [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453064
  [ 14 ] Bug #2453067 - CVE-2026-20664 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453067
  [ 15 ] Bug #2453070 - CVE-2026-20665 webkitgtk: Processing maliciously crafted web content may prevent Content Security Policy from being enforced [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453070
  [ 16 ] Bug #2453073 - CVE-2026-20691 webkitgtk: A maliciously crafted webpage may be able to fingerprint the user [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453073
  [ 17 ] Bug #2453076 - CVE-2026-28857 webkitgtk: Processing maliciously crafted web content may lead to an unexpected process crash [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453076
  [ 18 ] Bug #2453079 - CVE-2026-28859 webkitgtk: A malicious website may be able to process restricted web content outside the sandbox [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453079
  [ 19 ] Bug #2453082 - CVE-2026-28871 webkitgtk: Visiting a maliciously crafted website may lead to a cross-site scripting attack [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=2453082

--------------------------------------------------------------------------------

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2026-f00460a7d9' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgr...

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys

--------------------------------------------------------------------------------

--
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-cond...
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-ann...
Do not reply to spam, report it: https://forge.fedoraproject.org/infra/tickets/issues/new




Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds