Merge bugfix release webkitgtk 2.4.11-1 (universe) from Debian unstable (main)

Bug #1571071 reported by Amr Ibrahim
This bug affects 3 people

Affects | Status | Importance | Assigned to | Milestone
webkitgtk (Ubuntu) | Fix Released | Wishlist | Unassigned |

Bug Description

Please merge bugfix release webkitgtk 2.4.11-1 (universe) from Debian unstable (main)

=================
WebKitGTK+ 2.4.11
=================

  - Fix a crash when changing element attributes with DOM bindings.
  - Fix the build on ARM64.
  - Translation updates: Chinese, Japanese.
-------------------------------------------

Explanation of the Ubuntu delta:
  * SECURITY UPDATE: Updated to 2.4.10 to fix multiple security issues
    (LP: #1556964)
    - CVE-2015-1120, CVE-2015-1076, CVE-2015-1071, CVE-2015-1081,
      CVE-2015-1122, CVE-2015-1155, CVE-2014-1748, CVE-2015-3752,
      CVE-2015-5809, CVE-2015-5928, CVE-2015-3749, CVE-2015-3659,
      CVE-2015-3748, CVE-2015-3743, CVE-2015-3731, CVE-2015-3745,
      CVE-2015-5822, CVE-2015-3658, CVE-2015-3741, CVE-2015-3727,
      CVE-2015-5801, CVE-2015-5788, CVE-2015-3747, CVE-2015-5794,
      CVE-2015-1127, CVE-2015-1153, CVE-2015-1083
  * Dropped upstreamed patches:
    - fix-gtkdoc-error.patch, atomic_build_fix.patch, ppc64-align.patch,
      fix-cloop.patch, use-abi64-for-mips64el.patch.
  * Merge with Debian, remaining changes:
    - bugzilla_clear_surface.patch: Take patch to fix upstream bug#123480
      which was a crash affecting software-center in Ubuntu.
    - Stick on geoclue 1 for now, the new version isn't in main and a
      transition plan needs to be worked out, for example for how to integrate
      the Ubuntu GeoIP service.
    - still build libwebkit2gtk-3.0 in Ubuntu
----------------------------------------------

Changelog entries since current xenial version 2.4.10-0ubuntu1:

webkitgtk (2.4.11-1) unstable; urgency=medium

  * New upstream release.
  * debian/patches/fix-arm64-build.patch:
    + Remove, this has been fixed upstream.
  * debian/patches/fix-ftbfs-m68k.patch:
    + Refresh.
  * debian/{control,rules}:
    + Build depend on libegl1-mesa-dev and libgles2-mesa-dev on arm64.

 -- Alberto Garcia <email address hidden> Sun, 10 Apr 2016 20:19:20 +0300

webkitgtk (2.4.10-1) unstable; urgency=high

  * New upstream release.
    + This contains the following security fixes: CVE-2015-1120,
      CVE-2015-1076, CVE-2015-1071, CVE-2015-1081, CVE-2015-1122,
      CVE-2015-1155, CVE-2014-1748, CVE-2015-3752, CVE-2015-5809,
      CVE-2015-5928, CVE-2015-3749, CVE-2015-3659, CVE-2015-3748,
      CVE-2015-3743, CVE-2015-3731, CVE-2015-3745, CVE-2015-5822,
      CVE-2015-3658, CVE-2015-3741, CVE-2015-3727, CVE-2015-5801,
      CVE-2015-5788, CVE-2015-3747, CVE-2015-5794, CVE-2015-1127,
      CVE-2015-1153, CVE-2015-1083.
  * debian/patches/fix-cloop.patch,
    debian/patches/fix-gtkdoc-error.patch,
    debian/patches/ppc64-align.patch,
    debian/patches/use-abi64-for-mips64el.patch:
    + Delete these patches, they are no longer needed.
  * debian/patches/atomic_build_fix.patch,
    debian/patches/x32_support.patch:
    + Refresh.
  * debian/patches/fix-ftbfs-m68k.patch:
    + Fix FTBFS in m68k (Closes: #696236).
  * debian/control:
    + Bump Standards-Version to 3.9.7; no changes needed.
    + Use secure URIs for the Vcs-* fields.
  * debian/rules:
    + Enable all hardening flags.
    + Remove EXTRA_DH_ARGUMENTS, this is no longer being used.
  * debian/copyright:
    + Update copyright years.
  * debian/source/lintian-overrides:
    + Update overrides so the latest lintian doesn't give more
      source-is-missing false positives.
  * Remove the libwebkitgtk-*common* and libwebkit-dev packages:
    + debian/control:
      - Remove package entries and add Breaks and Replaces fields to
        libwebkitgtk-{1,3}.0-0 and libwebkitgtk*-dev.
    + debian/libwebkitgtk-*common*.install:
      - Remove and move all files to libwebkitgtk-{1,3}.0-0.install and
        libwebkitgtk-3.0-dev.install.
    + debian/rules:
      - Remove dh_install rules from binary-indep.
  * Move documentation to a separate libwebkitgtk-doc package:
    + debian/libwebkitgtk-3.0-dev.{install,links},
      debian/libwebkitgtk-dev.{install,links},
      debian/libwebkitgtk-doc.{install,links}:
      debian/rules:
      - Don't install the documentation in the -dev packages and do it in
        libwebkitgtk-doc instead.
    + debian/libwebkitgtk-doc.doc-base:
      - Add doc-base control file.
    + debian/control:
      - Add package entry.
  * Migrate to automatic -dbgsym packages:
    + debian/control:
      - Remove the entries for all -dbg packages.
    + debian/rules:
      - Replace --dbg-package with --ddeb-migration in dh_strip, but don't
        make it fail if debhelper < 9.20151219.

 -- Alberto Garcia <email address hidden> Thu, 17 Mar 2016 10:15:29 +0200

Tags: trusty xenial
Amr Ibrahim (amribrahim1987) wrote :

Please also update in Trusty.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in webkitgtk (Ubuntu):
status: New → Confirmed
tags: added: trusty upgrade-software-version xenial
Changed in webkitgtk (Ubuntu):
importance: Undecided → Critical
Logan Rosen (logan) wrote :

webkitgtk 2.4.10-1 has significant packaging changes:

  * Remove the libwebkitgtk-*common* and libwebkit-dev packages:
    + debian/control:
      - Remove package entries and add Breaks and Replaces fields to
        libwebkitgtk-{1,3}.0-0 and libwebkitgtk*-dev.
    + debian/libwebkitgtk-*common*.install:
      - Remove and move all files to libwebkitgtk-{1,3}.0-0.install and
        libwebkitgtk-3.0-dev.install.
    + debian/rules:
      - Remove dh_install rules from binary-indep.
  * Move documentation to a separate libwebkitgtk-doc package:
    + debian/libwebkitgtk-3.0-dev.{install,links},
      debian/libwebkitgtk-dev.{install,links},
      debian/libwebkitgtk-doc.{install,links}:
      debian/rules:
      - Don't install the documentation in the -dev packages and do it in
        libwebkitgtk-doc instead.
    + debian/libwebkitgtk-doc.doc-base:
      - Add doc-base control file.
    + debian/control:
      - Add package entry.

I'm not comfortable syncing this so late in the cycle, especially when it has so many reverse dependencies. And I don't see why you marked this as critical. It appears to just be some minor bug fixes.

Changed in webkitgtk (Ubuntu):
status: Confirmed → Incomplete
importance: Critical → Wishlist
Michael Gratton (mjog) wrote :

The bug introduced in 2.4.10 (which is already published in xenial-security) causes applications using it (Geary, Evolution, others?) to crash regularly. I don't use Evolution, but for Geary it reliably causes multiple segfaults a day.

2.4.11 simply fixes that bug and includes a few other minor updates, and 2.4.10 has already been published, so I'm not sure what packaging changes could possibly be that are so extensive.

tags: added: regression-update
Daniel Holbach (dholbach) wrote :

This is being discussed in bug 1570110.

Changed in webkitgtk (Ubuntu):
status: Incomplete → New
Sebastien Bacher (seb128) wrote :

I've uploaded the new version to yakkety/xenial to fix bug #1570110 but I didn't handle the merge, that bug is still valid

Mathew Hodson (mhodson)
tags: removed: regression-update
tags: removed: upgrade-software-version
Michael Terry (mterry) wrote :

I've uploaded a merged version (2.4.11-1ubuntu1) to yakkety. When it winds its way to the release pocket, this bug will be closed automatically.

Jeremy Bícha (jbicha) wrote :

This update is entangled with the vala transition (from vala-0.30 to vala-0.32) which is held up because gnome-builder 3.18 has a fairly hard dependency on vala-0.30. gnome-builder 3.20 supports vala-0.32 but it requires GTK+ 3.20 and we're not ready for that yet.

(Why is it affected by the vala transition? Because anjuta in yakkety depends on libwebkit2gtk-3 and needs a simple rebuild against webkit2gtk. That's already happened, but anjuta in yakkety-proposed was built against the new vala).

This will also hold up a libpeas transition since gnome-builder is currently unbuildable in yakkety.

Changed in webkitgtk (Ubuntu):
status: New → Fix Committed
Sebastien Bacher (seb128) wrote :
Changed in webkitgtk (Ubuntu):
status: Fix Committed → Fix Released
Michael Gratton (mjog) wrote :

This hasn't been updated in trusty yet, so bugs such as #1624866 are still occurring.
