Change History (11)
comment:1 by , 12 months ago
Owner: changed from … to …
Status: new → assigned
comment:2 by , 12 months ago
comment:3 by , 12 months ago
Resolution: → fixed
Status: assigned → closed
Fixed at commit 73c17c2512.
comment:4 by , 12 months ago
Priority: normal → elevated
Resolution: fixed
Status: closed → reopened
ALL qtwebengine releases contain Chromium fixes, both (backported) CVEs and other security items.
Working through the branches listed at https://code.qt.io/cgit/qt/qtwebengine.git/ gives a partial indication of what was fixed. The commits in the 112-based branch show the detail, the "fun" is identifying which were in the previous release.
We moved to qtwebengine-6.6.2 in f806bbf2991848ab272a8b6749de3dd86f544e50 which similarly contains CVE fixes since 6.6.1. I'll do an advisory.
For the future, perhaps we should accept two things about qtwebengine:
- Something like the previous note about fixes lagging behind Chromium should be reinstated. When I pulled the 112-based branch a little while ago to see the full list of CVE fixes and to try to work out which were after 6.1 and therefore fixed in 6.6.2 or 6.6.3, I found one newer item after the last 'Update Chromium' commit of 6.6.3 which I had already pulled for the 5.15 snapshot.
- Every qtwebengine release will contain vulnerability fixes - we only started to get the CVE details when we had to clone qtwebengine5. I assume that CVEs in the rest of Qt6 are uncommon; it seems unnecessary (and somewhat painful) to pull the git branches to get all the details.
comment:5 by , 12 months ago
I see 6.7.0 is now in; that uses the same branch for Chromium, and 6.7.0 seems to be at a similar place to 6.6.3.
comment:6 by , 12 months ago (follow-up: comment:7)
Owner: changed from … to …
Status: reopened → new
comment:7 by , 12 months ago
Replying to ken@…:
In fact, it is using 118-based. But 'similar' state in that most of the same security bugs and backported CVEs have been fixed in each of these branches.
comment:8 by , 12 months ago
Updated warning added in sha:r12.1-407-g6ab9228f043b
Keeping open for an advisory.
comment:9 by , 12 months ago
Resolution: → fixed
Status: new → closed
We do not have information for an advisory. The warning in the book is enough.
Closing the ticket.
comment:10 by , 12 months ago
I have partial information, including some critical fixes in both 6.6.3 and 6.7.0. But I have not yet compiled 6.7.0 (the usual fubar in my script).
comment:11 by , 12 months ago
Security Advisory SA-12.1-026 created. Not everyone who builds QtWebEngine will see the note until they are ready to move on to 6.7, the advisory should prompt that.
The Qt 6.6.3 release is a patch release made on top of Qt 6.6.2. As a patch release, Qt 6.6.3 does not add any new functionality but provides bug fixes and other improvements, and maintains both forward and backward compatibility (source and binary) with Qt 6.6.2.
See https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.6.3/release-note.md for details.