Opened 3 years ago

Closed 2 years ago

#15765 closed enhancement (fixed)


Reported by: ken@… Owned by: ken@…
Priority: elevated Milestone: 11.1
Component: BOOK Version: git
Severity: normal Keywords:

Description (last modified by ken@…)

Paid-for qt-5.15.7 was released on 29th October, the git commits for qtwebengine (public because of the LGPL license) are at the usual place. I estimate these include 20 backported CVE fixes.

There are also one or two Linux changes (syscalls, ENOSYS for clone3, Ease Harfbuzz API change with feature detection) which likely remove some of the items in the BLFS patches.

Change History (7)

comment:1 by ken@…, 3 years ago

Description: modified (diff)

I accidentally picked up fixes already in 5.15.6 when noting the chromium commits. Only 20 CVEs.

comment:2 by ken@…, 2 years ago

Well, that was the usual fun (for some masochistic definition of fun), but I've got it built on one fairly recent system and it works for me.

More testing on older and newer systems to follow before I consider it is "good enough".

Patches at - please note from README.txt that if I have to alter these the version will not change. With that warning, tests are welcome.

comment:3 by ken@…, 2 years ago

Currently testing on a 10.0 system - I had rebuilt qt-5.15.2 with the patch back in June, and then I later updated icu4c to 69.1 (for firefox-91.1) in early September. The latest qtwebengine build almost completed, but failed to link:

/usr/bin/ld: warning:, needed by /opt/qt5/lib/, may conflict with

I'm now rebuilding qt5: updating old systems is, as always, fun - but I'm hopeful it will all hang together. No doubt the people who use package management will laugh at this :grin:

comment:4 by ken@…, 2 years ago

I see that I had been late in updating that 10.0 system. All my other old systems have already been updated to icu69 from past new versions of qtwebengine, so I have only tested this with icu69.

comment:5 by ken@…, 2 years ago

I'll do a Security Advisory later after I'm sure that my edits for the book hang together (on reflection, calling the main patch 5.15.6-5.15.7 and therefore calling the build_fixes 5.15.7 was perhaps not my brightest idea, but we don't want to store a new huge tarball every two or three months).

In the meantime, the new CVE fixes are at the top of the CVE-fixes file in the patch, and upstream say that this brings in chromium security patches to 94.0.4606.61 although websites will still think this is chromium-87.

comment:6 by ken@…, 2 years ago

Done in @86e62cc004c214984563cee1d5782f3b6b8e7945, merged as 11.0-221.

comment:7 by ken@…, 2 years ago

Resolution: fixed
Status: assigned → closed

Security Advisory SA 11.0-028 created.
