Opened 3 months ago

Closed 3 months ago

Last modified 6 weeks ago

#15195 closed enhancement (fixed)

qtwebengine security fixes to match 5.15.5.

Reported by: ken@… Owned by: ken@…
Priority: elevated Milestone: 11.0
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

The commercial-customers-only release of qt-5.15.5 has now happened https://www.qt.io/blog/commercial-lts-qt-5.15.5-released

The qtwebengine changes are, of course, public and include the following CVE fixes since the upstream_fixes-2 patch:

CVE-2021-30518: Heap buffer overflow in Reader Mode
CVE-2021-30516: Heap buffer overflow in History.
CVE-2021-30515: Use after free in File API
CVE-2021-30513: Type Confusion in V8
CVE-2021-30512: Use after free in Notifications
CVE-2021-30510: Race in Aura
CVE-2021-30508: Heap buffer overflow in Media Feeds

The combined patch is now 499K. Some of the gcc-11 fixes have been applied, others have not. Will rediff build_fixes and change the instructions to apply the upstream fixes first.

Change History (5)

comment:1 by ken@…, 3 months ago

Owner: changed from blfs-book to ken@…
Status: newassigned

comment:2 by Douglas R. Reno, 3 months ago

Ouch, all 7 of those vulnerabilities are marked as 8.8 High by NVD!

[edit: 7 vulnerabilities, not 8]

Last edited 3 months ago by Douglas R. Reno (previous) (diff)

comment:4 by ken@…, 3 months ago

Resolution: fixed
Status: assignedclosed

Security Advisory SA 10.1-065 created.

comment:5 by Bruce Dubbs, 6 weeks ago

Milestone: 10.211.0

Milestone renamed

Note: See TracTickets for help on using tickets.