Changeset 6ab9228f

Timestamp:

04/10/2024 02:59:53 AM (3 weeks ago)

Author:

Ken Moffat <zarniwhoop@…>

Branches:

trunk

Children:

9ea306c

Parents:

bd96786

Message:

Add a Warning about qtwebengien vulnerabilities.

Addresses =19551

File:

• x/lib/qtwebengine.xml (modified) (1 diff)

x/lib/qtwebengine.xml

@@ -34 +34 @@
     </para>
 
-    <para>
-      This package and browsers using it may be useful if you need to use a
-      website designed for google chrome, or chromium, browsers.
-    </para>
+      <para>
+        This package and browsers using it may be useful if you need to use a
+        website designed for google chrome, or chromium, browsers.
+      </para>
+
+    <warning>
+      <para>
+        QtWebEngine uses a forked copy of chromium, and is therefore vulnerable
+        to many issues found there. The Qt developers seem to fork a newer
+        version for minor Qt versions, but because chromium moves to newer
+        versions very often, by the time the Qt developers get a forked version
+        to pass their extended tests it is always an old version and security
+        fixes from chromium (some of which have a CVE number) can take several
+        months to appear in a QtWebengine release, even if the severity has been
+        rated as Critical.
+      </para>
+
+      <para>
+        Therefore, you should be wary of using QtWebEngine in a sensitive
+        context and should always update to the next release as soon as it
+        appears in this book, even if is not flagged as a Security Update.
+        Identifying which vulnerabilities have been fixed in a particular
+        release requires pulling the appropriate 'based-NNN' branch just before
+        the previous and current releases and is often impractical. Reports of
+        fixed QTBUG items do not seem to be available and there is not any
+        documentation in the tarball for changes after the qt-5 versions.
+      </para>
+    </warning>
 
     &lfs121_checked;