I just learned about another new special-purpose web browser for running web apps, and was curious to see if using a browser distributed via Flatpak meant that I would be using something that was lagging in security updates (spoiler: it is).
This got me wondering: How quickly do updates for critical vulnerabilities reach users of free software operating systems?
I decided to have a look at the most recent critical bug in WebKitGTK, CVE-2022-22620/WSA-2022-0003.
(The WebKit rendering engine, which Apple created by forking the KHTML engine from the KDE Project’s Konqueror browser in 2005, is used in all of Apple’s web browsing products today. The WebKitGTK project maintains an embeddable library version of it, which I believe is by far the most popular rendering engine for alternative web browsers on free software operating systems today.)
Apple’s advisories about the issue say:
This bug got a fair amount of press:
So, how did WebKitGTK distributors do?
February 10
February 17
February 19
February 28
March 3
March 4
March 5
March 11
Today, March 19
The org.gnome.Platform//41 runtime, which Flatpak applications on my computer are getting their webkit2gtk from, remains vulnerable (that is the current commit at the time of this writing; you can click these links to see if GNOME 40 and 41 still have the vulnerable version 2.34.5 at the time you're reading this).
Thanks, I edited the post to add Guix and Nix to the timeline.
It’s worth noting that Guix also packages WPE WebKit (another embeddable version of WebKit, which shares a version numbering scheme with WebKitGTK) from the same .scm file and for some reason has still not updated that (despite having just upgraded it the previous month to address another security problem).
(WPE WebKit is used far less than WebKitGTK on desktop OSes, but it can be used for things like webkit overlays in gstreamer pipelines…)