Opened 3 years ago
Closed 3 years ago
#15765 closed enhancement (fixed)
qtwebengine-5.15.7
Reported by: | | Owned by: | |
---|---|---|---|
Priority: | elevated | Milestone: | 11.1 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: | | | |
Description
Paid-for qt-5.15.7 was released on 29th October; the git commits for qtwebengine (public because of the LGPL license) are at the usual place, https://code.qt.io/cgit/qt/qtwebengine.git/log/?h=5.15. I estimate these include 20 backported CVE fixes.
There are also one or two Linux changes (syscalls, ENOSYS for clone3, Ease Harfbuzz API change with feature detection) which likely remove some of the items in the BLFS patches.
Change History (7)
comment:1 by , 3 years ago
Description: modified (diff)
comment:2 by , 3 years ago
Well, that was the usual fun (for some masochistic definition of fun), but I've got it built on one fairly recent system and it works for me.
More testing on older and newer systems to follow before I consider it is "good enough".
Patches at https://www.linuxfromscratch.org/~ken/test/ - please note from README.txt that if I have to alter these the version will not change. With that warning, tests are welcome.
comment:3 by , 3 years ago
Currently testing on a 10.0 system - I had rebuilt qt-5.15.2 with the patch back in June, and then I later updated icu4c to 69.1 (for firefox-91.1) in early September. The latest qtwebengine build almost completed, but failed to link:
/usr/bin/ld: warning: libicuuc.so.67, needed by /opt/qt5/lib/libQt5Core.so, may conflict with libicuuc.so.69
I'm now rebuilding qt5: updating old systems is, as always, fun - but I'm hopeful it will all hang together. No doubt the people who use package management will laugh at this :grin:
comment:4 by , 3 years ago
I see that I had been late in updating that 10.0 system. All my other old systems have already been updated to icu69 from past new versions of qtwebengine, so I have only tested this with icu69.
comment:5 by , 3 years ago
I'll do a Security Advisory later after I'm sure that my edits for the book hang together (on reflection, calling the main patch 5.15.6-5.15.7 and therefore calling the build_fixes 5.15.7 was perhaps not my brightest idea, but we don't want to store a new huge tarball every two or three months).
In the meantime, the new CVE fixes are at the top of the CVE-fixes file in the patch, and upstream say that this brings in chromium security patches to 94.0.4606.61 although websites will still think this is chromium-87.
comment:7 by , 3 years ago
Resolution: → fixed
Status: assigned → closed
Security Advisory SA 11.0-028 created.
I accidentally picked up fixes already in 5.15.6 when noting the chromium commits. Only 20 CVEs.