Release date:
2026-06-30 08:38:40 UTC
Description:
- Rebase to webkitgtk 2.52.4. CVE-2025-46299 (uninitialized-memory
disclosure via maliciously crafted web content; WebKit bug 299518, fixed
upstream in 2.52.0 / WSA-2026-0001) has no isolatable backport -- the bug
is security-restricted and the fix ships only within the 2.52.x series.
Move webkit2gtk3 onto the 2.52.x security baseline, matching RHEL 9.6
(RHSA-2026:11329) and the almalinux9.2esu sibling.
- CVEs still open on this branch that are resolved by this rebase:
CVE-2025-46299, CVE-2026-20664, CVE-2026-28857, CVE-2026-28859.
- Drop the CVE-2026-* backport patches (Patch100..Patch117); all are fixed
upstream in 2.52.x and now provided by the 2.52.4 tarball.
- Adopt the 2.52.x packaging/compat patch set (libsoup2, glib-2-68, icu-67,
g-ir-scanner-nonfatal, fix-system-malloc-llint-extractor, and the
compiler-neutral fix-* source fixes). Build natively with the AlmaLinux 9.6
clang + cmake 3.26.5 toolchain; no gcc-toolset-12 or linked cmake required.
- Exclude i686: WebKit 2.52 fails CMake atomic-variable detection on 32-bit
x86 (matches almalinux9.2esu).
Updated packages:
-
webkit2gtk3-2.52.4-1.el9_6.tuxcare.els5.x86_64.rpm
sha:a8b55a9d34cb45c2bab559780a0caea7f8d91a7254b1c4cc4156a6a57fd129ea
-
webkit2gtk3-devel-2.52.4-1.el9_6.tuxcare.els5.x86_64.rpm
sha:83ffd62cbce406a58ec04eb04bd4e0bce3280b49979fad486f100422f995ee2c
-
webkit2gtk3-jsc-2.52.4-1.el9_6.tuxcare.els5.x86_64.rpm
sha:288ce486542476f4b6feeb18975fac3df23af3124a9261df038cfbbf329af7dd
-
webkit2gtk3-jsc-devel-2.52.4-1.el9_6.tuxcare.els5.x86_64.rpm
sha:b95dffed3f01f42bf83932bf8a92c2e09528e4df4bb8c4daf5162aff433a1cd7
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the
CloudLinux Packaging Team.