WK1 support in the GTK+ port ended last summer[[BR]]
WK1 apps have three options:[[BR]]
Port WK1 apps to WK2 (best option, about 1/2 done)[[BR]]
Bring WK1 back and maintain it again (requires too much manpower)[[BR]]
Merge security fixes back to the old branch (becomes harder and harder over time)[[BR]]
Email clients are hard to port because of DOM operations[[BR]]
[[BR]]
CVEs from Apple don't include information about how to exploit the vulnerability[[BR]]
Igalia made a security advisory and has one member on the security team (Carlos Garcia)[[BR]]
http://webkitgtk.org/security/WSA-2015-0001.html[[BR]]
Apple does not release information about security fixes to security team members, so there is no way to make another advisory[[BR]]
Who from Apple sent this information in the past? Don't know. Igalia will contact Alex Christensen with this information[[BR]]
WebKitGTK+ releases every 6 months; each release fixes security bugs, but also adds 6 months of new security bugs[[BR]]
To convince Fedora to upgrade to WebKitGTK+ 2.8, they need a list of CVEs[[BR]]
Debian won't accept updates either without documentation of CVEs[[BR]]
BadSSL.com will show a warning that headers were sent before a secure connection is established[[BR]]
Cookies are leaked to unverified attackers - not just a libsoup problem - CVE-2015-2330[[BR]]
A bug in gcc 4.8 caused a crash in legacy IndexedDB code, but distributions still use gcc 4.8[[BR]]
https://support.apple.com/en-us/HT205265 is an example of a Safari security advisory[[BR]]
Igalia wants a link between those CVE numbers and the Bugzilla bug or merged code revision[[BR]]
An equivalent would be if we commented in Bugzilla with the CVE number[[BR]]
Web Engines Hackfest in December in Spain[[BR]]
[[BR]]
GTK+ has no sandboxes right now; any security exploit has complete access to the computer (but not as root)[[BR]]
A seccomp-filter-based sandbox would need to be specific to each Linux distribution because WebKitGTK+ has lots of dependencies that use different system calls[[BR]]
Network namespace and filesystem namespace should be used instead[[BR]]
Remove non-network process compile configurations[[BR]]
[[BR]]
Chrome and Firefox are disabling RC4 fallback in January or February 2016; WebKitGTK+ disabled it last year[[BR]]
americanairlines.com fails[[BR]]
Safari has no security indicator when HTTP is used; Chrome and Firefox are moving to a broken lock icon for all HTTP instead of nothing[[BR]]