[webkit-gtk] How to fix CVEs of webkitgtk 2.36.x

Michael Catanzaro mcatanzaro at redhat.com
Wed Mar 22 04:00:55 PDT 2023

On Wed, Mar 22 2023 at 11:26:56 AM +0200, Adrian Perez de Castro 
<aperez at igalia.com> wrote:
> Recently advisories published by Apple include the Bugzilla issue 
> numbers
> (e.g. [1]), so with some work you can find out which commits 
> correspond to
> the fixes.

It finally occurs to me that since Apple now publishes the bug 
information, we could start publishing revision information. We'd want 
to fix [1] first.

> WebKitGTK 2.38.x is backwards compatible with 2.36.x, you can safely 
> update
> without needing to change applications. In general, we always keep 
> the API and
> ABI backwards compatible.

For avoidance of doubt, WebKitGTK 2.40.x is backwards-compatible as 
well and that will remain true indefinitely, as long as you continue to 
build the same API version [2]. Adrian might be planning one last 
2.38.x release, but it's really time to move on to 2.40.

On rare occasions, an upgrade might affect the behavior of particular 
API functionality within the same API version, but this is unusual and 
is avoided whenever possible. I don't think any APIs broke between 2.36 
and 2.40, so that shouldn't be a problem for you this time. The goal is 
for upgrades to be as safe as possible.


[1] https://bugs.webkit.org/show_bug.cgi?id=249672

More information about the webkit-gtk mailing list