Created attachment 228950
v1 ("git am")
libwpe, wpebackend-fdo, webkit2-gtk3 updates were tested with all three patches
applied together. Tested via 12.2/amd64 jail with passed /dev for x11-wm/cage.
Note: I am waiting for inverted options build to pass. Requesting approval
because there is no way to request it after posting PR, AFAIK.
(In reply to Evgeniy Khramtsov from comment #0)
Build with inverted OPTIONS passed.
The "Changes" field for www/libwpe and www/wpebackend-fdo can be replaced with links from the Bugzilla URL field, because when updating from 1.10.1 -> 1.12.0 the upstream announcement is incomplete (lacks changes from older versions that ports skipped).
On an unrelated note, I plan to create upstream PRs about libc++ build issues (ports 895bc805a and ports f73bc57ac) this week.
Another note, upstream is known to publish a release first, then a security advisory days after:
Dates "17 SEPTEMBER 2021" and "20 SEPTEMBER 2021" available in the news section:
(In reply to Evgeniy Khramtsov from comment #1)
Likely not, I can't edit comments on Bugzilla.
nc@, maybe at least reference the PR?
I committed without even knowing of your PR (all my work). Extremely sorry again.
WebKit <2.34.1 is vulnerable: https://webkitgtk.org/security/WSA-2021-0006.html
Merge-quarterly was requested 4 days before the disclosure but 2.34.1 didn't land in 2021Q4. A VuXML entry is needed now, but I don't have time until the weekend, so it would be nice if someone else fills it.
Created attachment 229177
VuXML entry ("git am")
(In reply to Evgeniy Khramtsov from comment #6)
Ping! Don't leave quarterly users using vulnerable WebKit without knowing!
(In reply to Evgeniy Khramtsov from comment #7)
I decided I don't care.