An update for epiphany is now available for openEuler-22.03-LTS Security Advisory openeuler-security@openeuler.org openEuler security committee openEuler-SA-2022-1627 Final 1.0 1.0 2022-05-11 Initial 2022-05-11 2022-05-11 openEuler SA Tool V1.0 2022-05-11 epiphany security update An update for epiphany is now available for openEuler-22.03-LTS. Epiphany is the web browser for the GNOME desktop. Its goal is to be simple and easy to use. Epiphany ties together many GNOME components in order to let you focus on the Web content, instead of the browser application. Security Fix(es): XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place that page on the Most Visited list.(CVE-2021-45085) XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server s suggested_filename is used as the pdf_name value in PDF.js.(CVE-2021-45086) XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 when View Source mode or Reader mode is used, as demonstrated by a a page title.(CVE-2021-45087) XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page.(CVE-2021-45088) In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title. The issue occurs because the number of bytes for a UTF-8 ellipsis character is not properly considered.(CVE-2022-29536) An update for epiphany is now available for openEuler-22.03-LTS. openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section. High epiphany https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1627 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-45085 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-45086 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-45087 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2021-45088 https://www.openeuler.org/en/security/cve/detail.html?id=CVE-2022-29536 https://nvd.nist.gov/vuln/detail/CVE-2021-45085 https://nvd.nist.gov/vuln/detail/CVE-2021-45086 https://nvd.nist.gov/vuln/detail/CVE-2021-45087 https://nvd.nist.gov/vuln/detail/CVE-2021-45088 https://nvd.nist.gov/vuln/detail/CVE-2022-29536 openEuler-22.03-LTS epiphany-40.6-1.oe2203.aarch64.rpm epiphany-debuginfo-40.6-1.oe2203.aarch64.rpm epiphany-debugsource-40.6-1.oe2203.aarch64.rpm epiphany-runtime-40.6-1.oe2203.aarch64.rpm epiphany-40.6-1.oe2203.src.rpm epiphany-40.6-1.oe2203.x86_64.rpm epiphany-debuginfo-40.6-1.oe2203.x86_64.rpm epiphany-debugsource-40.6-1.oe2203.x86_64.rpm epiphany-runtime-40.6-1.oe2203.x86_64.rpm XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an about: page, as demonstrated by ephy-about:overview when a user visits an XSS payload page often enough to place that page on the Most Visited list. 2022-05-11 CVE-2021-45085 openEuler-22.03-LTS Medium 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N epiphany security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1627 XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 because a server s suggested_filename is used as the pdf_name value in PDF.js. 2022-05-11 CVE-2021-45086 openEuler-22.03-LTS Medium 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N epiphany security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1627 XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 when View Source mode or Reader mode is used, as demonstrated by a a page title. 2022-05-11 CVE-2021-45087 openEuler-22.03-LTS Medium 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N epiphany security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1627 XSS can occur in GNOME Web (aka Epiphany) before 40.4 and 41.x before 41.1 via an error page. 2022-05-11 CVE-2021-45088 openEuler-22.03-LTS Medium 6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N epiphany security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1627 In GNOME Epiphany before 41.4 and 42.x before 42.2, an HTML document can trigger a client buffer overflow (in ephy_string_shorten in the UI process) via a long page title. The issue occurs because the number of bytes for a UTF-8 ellipsis character is not properly considered. 2022-05-11 CVE-2022-29536 openEuler-22.03-LTS High 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H epiphany security update 2022-05-11 https://www.openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2022-1627