[CLSA-2026:1782216821] webkit2gtk3: Fix of 16 CVEs
Type:
security
Severity:
Important
Release date:
2026-06-23 12:14:16 UTC
Description:
- CVE-2026-28907: align ContentSecurityPolicySource::pathMatches() with the CSP3 path-matching algorithm to prevent path-traversal CSP bypass (WebKit bug 308675) - CVE-2026-43660: preserve all CSP policies when a blob: URL inherits from a page that sent multiple CSP headers (WebKit bug 308906) - CVE-2026-28958: pass the initiator when computing SameSite info in FrameLoader::load to prevent SameSite=Strict cookie cross-site leakage (WebKit bug 311228)
Updated packages:
  • webkit2gtk3-2.50.6-1.el9_6.tuxcare.els4.x86_64.rpm
    sha:e8e0f2c58e1f438bc0818b6282f4bd6a7147580b1c244b9563cafe8ae3332011
  • webkit2gtk3-devel-2.50.6-1.el9_6.tuxcare.els4.x86_64.rpm
    sha:99c8fbf7a8c68fa1d660e2e5843b3840520ceaece6f656ff2fbdf5dde4e91f05
  • webkit2gtk3-jsc-2.50.6-1.el9_6.tuxcare.els4.x86_64.rpm
    sha:dfc6f6bf9703e906cad869335cfb00102242e6d9c763ed5258eeba06336b8f17
  • webkit2gtk3-jsc-devel-2.50.6-1.el9_6.tuxcare.els4.x86_64.rpm
    sha:e3972aaa59ceee32ba38e0722b3a8d1af4da2f0a8044bc014312de9fdb6a2aaa
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.