# webkit2-gtk3 and ruby-2.5 vulnerabilities!



## teo (Sep 1, 2019)

In FreeBSD this detects the system as vulnerable, any ideas? The ports have been updated.


`# pkg audit -F`

```
vulnxml file up-to-date
webkit2-gtk3-2.24.3_1 is vulnerable:
webkit2-gtk3 -- Multiple vulnerabilities
CVE: CVE-2019-8690
CVE: CVE-2019-8689
CVE: CVE-2019-8688
CVE: CVE-2019-8687
CVE: CVE-2019-8686
CVE: CVE-2019-8684
CVE: CVE-2019-8683
CVE: CVE-2019-8681
CVE: CVE-2019-8680
CVE: CVE-2019-8679
CVE: CVE-2019-8678
CVE: CVE-2019-8677
CVE: CVE-2019-8676
CVE: CVE-2019-8673
CVE: CVE-2019-8672
CVE: CVE-2019-8671
CVE: CVE-2019-8669
CVE: CVE-2019-8666
CVE: CVE-2019-8658
CVE: CVE-2019-8649
CVE: CVE-2019-8644
WWW: https://vuxml.FreeBSD.org/freebsd/e45c3669-caf2-11e9-851a-dcf3aaa3f3ff.html

ruby-2.5.5_3,1 is vulnerable:
RDoc -- multiple jQuery vulnerabilities
CVE: CVE-2015-9251
CVE: CVE-2012-6708
WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html

2 problem(s) in 2 installed package(s) found.
#
```

I am trying to fix those vulnerabilities, and the system shows that it would reinstall the same version.

`# portmaster webkit2-gtk3-2`


```
===>>> Currently installed version: webkit2-gtk3-2.24.3_1
===>>> Port directory: /usr/ports/www/webkit2-gtk3

===>>> Gathering distinfo list for installed ports
          ........................            ..........      .............
          ........................            ..........      .............
===>>> webkit2-gtk3-2.24.3_1 >> (43)

===>>> The following actions will be taken if you choose to proceed:
Re-install webkit2-gtk3-2.24.3_1
Install devel/bison
Install print/texinfo
Install converters/p5-Text-Unidecode
        ..................       .................      .................
        ..................       .................      .................

===>>> Proceed? y/n [y] n


===>>> If you would like to upgrade or install some, but not
all of the above try adding '-i' to the command line.
#
```


----------



## George (Sep 1, 2019)

Hey,
I never used portmaster. But since your log shows "port directory: /usr/ports/...", you might have to update your ports tree first.

```
portsnap fetch update
```


----------



## teo (Sep 1, 2019)

Elazar said:


> Hey,
> I never used portmaster. But since your log shows "port directory: /usr/ports/...", you might have to update your ports tree first.
> 
> ```
> ...



The first thing I did was to update the entire port collection tree.


----------



## George (Sep 1, 2019)

I guess you have to wait until a newer version gets released. 

*2.24.3_1* is newest.




FreshPorts -- www/webkit2-gtk3: Opensource browser engine using the GTK+ 3 toolkit (www.freshports.org)
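An added example, not part of any post in this thread: a small sh/awk filter that turns `pkg audit` output into one line per flagged package and marks whether the installed version is the same one the ports tree offers, which is the case discussed above where rebuilding cannot clear the finding. The function name, the `name=version` argument format and the status labels are assumptions of this example; the sample input is constructed from the output quoted in the thread, with the CVE lists shortened.

```shell
# Added example: triage `pkg audit` output against ports-tree versions.
# Usage: pkg audit | audit_triage name=treeversion ...
audit_triage() {
    awk -v pairs="$*" '
    function emit(   t, status) {
        if (name == "") return
        t = (name in tree) ? tree[name] : "-"
        if (t == "-")        status = "tree-unknown"
        else if (t == ver)   status = "same-as-tree"   # rebuilding changes nothing
        else                 status = "tree-differs"   # rebuild, then audit again
        printf "%s %s %s %d %s %s\n", name, ver, t, cves, status, url
        name = ""
    }
    BEGIN {
        n = split(pairs, p, " ")
        for (i = 1; i <= n; i++) { split(p[i], kv, "="); tree[kv[1]] = kv[2] }
    }
    / is vulnerable:$/ {
        emit()
        match($1, /-[^-]*$/)             # the version part never contains "-"
        name = substr($1, 1, RSTART - 1)
        ver  = substr($1, RSTART + 1)
        cves = 0; url = "-"
        next
    }
    /^CVE: / { cves++; next }
    /^WWW: / { url = $2; next }
    END { emit() }
    '
}

# Constructed sample: the output quoted in the thread, CVE lists shortened.
sample_audit() {
    cat <<'EOF'
webkit2-gtk3-2.24.3_1 is vulnerable:
webkit2-gtk3 -- Multiple vulnerabilities
CVE: CVE-2019-8690
CVE: CVE-2019-8689
WWW: https://vuxml.FreeBSD.org/freebsd/e45c3669-caf2-11e9-851a-dcf3aaa3f3ff.html
ruby-2.5.5_3,1 is vulnerable:
RDoc -- multiple jQuery vulnerabilities
CVE: CVE-2015-9251
CVE: CVE-2012-6708
WWW: https://vuxml.FreeBSD.org/freebsd/ed8d5535-ca78-11e9-980b-999ff59c22ea.html
2 problem(s) in 2 installed package(s) found.
EOF
}
# Demo; the tree versions passed here are assumed values for illustration.
sample_audit | audit_triage webkit2-gtk3=2.24.3_1 ruby=2.5.6,1
```

Each output line reads: name, installed version, tree version, CVE count, status, VuXML URL. A `same-as-tree` entry stays flagged until the port itself is updated or patched locally.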


----------



## teo (Sep 1, 2019)

Elazar said:


> I guess you have to wait until a newer version gets released.
> 
> *2.24.3_1* is newest.
> 
> ...


Who will be responsible for keeping these two dependencies up to date?


----------



## obsigna (Sep 1, 2019)

`pkg info webkit2-gtk3`
`pkg info ruby`

Look out for the keyword maintainer and write ’em a kind¹ note.

_¹The higher the kindness, the higher the probability of getting an answer._


----------



## obsigna (Sep 1, 2019)

In case you can’t or don’t want to wait for the maintainers to update the ports:

```
# mkdir -p /root/ports/www
# cd /root/ports/www
# cp -r /usr/ports/www/webkit2-gtk3 webkit2-gtk3
# cd webkit2-gtk3
# sed -e "s|2.24.3|2.24.4|g" -i "" Makefile
# sed -e "s|libjavascriptcoregtk-4.0.so.18.13.6|libjavascriptcoregtk-4.0.so.18.13.7|g" -i "" pkg-plist
# sed -e "s|libwebkit2gtk-4.0.so.37.37.5|libwebkit2gtk-4.0.so.37.37.6|g" -i "" pkg-plist
# make makesum
# make
# make deinstall
# make install clean
# pkg delete ruby
```


----------



## Deleted member 30996 (Sep 3, 2019)

lang/ruby25 was updated today:


```
===>>> Upgrade of ruby-2.5.5_2,1 to ruby-2.5.6,1 complete
```


----------



## teo (Sep 9, 2019)

Any news on this www/webkit2-gtk3 vulnerability?


----------

