[CLSA-2026:1782808694] webkit2gtk3: Fix of 4 CVEs
Type:
security
Severity:
Important
Release date:
2026-06-30 08:38:40 UTC
Description:
- Rebase to webkitgtk 2.52.4. CVE-2025-46299 (uninitialized-memory disclosure via maliciously crafted web content; WebKit bug 299518, fixed upstream in 2.52.0 / WSA-2026-0001) has no isolatable backport -- the bug is security-restricted and the fix ships only within the 2.52.x series. Move webkit2gtk3 onto the 2.52.x security baseline, matching RHEL 9.6 (RHSA-2026:11329) and the almalinux9.2esu sibling. - CVEs still open on this branch that are resolved by this rebase: CVE-2025-46299, CVE-2026-20664, CVE-2026-28857, CVE-2026-28859. - Drop the CVE-2026-* backport patches (Patch100..Patch117); all are fixed upstream in 2.52.x and now provided by the 2.52.4 tarball. - Adopt the 2.52.x packaging/compat patch set (libsoup2, glib-2-68, icu-67, g-ir-scanner-nonfatal, fix-system-malloc-llint-extractor, and the compiler-neutral fix-* source fixes). Build natively with the AlmaLinux 9.6 clang + cmake 3.26.5 toolchain; no gcc-toolset-12 or linked cmake required. - Exclude i686: WebKit 2.52 fails CMake atomic-variable detection on 32-bit x86 (matches almalinux9.2esu).
Updated packages:
  • webkit2gtk3-2.52.4-1.el9_6.tuxcare.els5.x86_64.rpm
    sha:a8b55a9d34cb45c2bab559780a0caea7f8d91a7254b1c4cc4156a6a57fd129ea
  • webkit2gtk3-devel-2.52.4-1.el9_6.tuxcare.els5.x86_64.rpm
    sha:83ffd62cbce406a58ec04eb04bd4e0bce3280b49979fad486f100422f995ee2c
  • webkit2gtk3-jsc-2.52.4-1.el9_6.tuxcare.els5.x86_64.rpm
    sha:288ce486542476f4b6feeb18975fac3df23af3124a9261df038cfbbf329af7dd
  • webkit2gtk3-jsc-devel-2.52.4-1.el9_6.tuxcare.els5.x86_64.rpm
    sha:b95dffed3f01f42bf83932bf8a92c2e09528e4df4bb8c4daf5162aff433a1cd7
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.