Opened 10 months ago

Closed 10 months ago

Last modified 9 months ago

#19970 closed enhancement (fixed)

qt6-6.7.2 qtwebengine-6.7.2

Reported by: Bruce Dubbs
Owned by: Bruce Dubbs
Priority: high
Milestone: 12.2
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Bruce Dubbs, 10 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: new → assigned

comment:2 by Bruce Dubbs, 10 months ago

Release note

Qt 6.7.2 release is a patch release made on the top of Qt 6.7.1. As a patch release, Qt 6.7.2 does not add any new functionality but provides bug fixes and other improvements and maintains both forward and backward compatibility (source and binary) with Qt 6.7.1.

comment:3 by Bruce Dubbs, 10 months ago

Resolution: fixed
Status: assigned → closed

Fixed at commit 7ef2fd3480.

comment:4 by Douglas R. Reno, 9 months ago

Priority: normal → high

QtWebEngine 6.7.2 does include several security fixes for the bundled version of Chromium. The security fixes are as follows (and can be found at https://code.qt.io/cgit/qt/qtwebengine.git/commit/?h=6.7.2&id=8965919584f58a0ad9bb5b3c7f6b091fc47be34a):

  • CVE-2024-5493: Heap buffer overflow in WebRTC (High, rating issued by US CISA)
  • CVE-2024-5494: Use after free in Dawn (High, rating issued by US CISA)
  • CVE-2024-5495: Use after free in Dawn (High)
  • CVE-2024-5496: Use after free in Media Session (High, rating issued by US CISA)
  • CVE-2024-5499: Out of bounds write in Streams API (High, rating issued by US CISA)
  • CVE-2024-5274: Type Confusion in V8 (High, rating issued by US CISA)
  • CVE-2024-4948: Use after free in Dawn (High, rating issued by US CISA)

The ratings by US CISA were done by the US Computer Emergency Response Team, which normally means that the vulnerabilities are under active exploitation. I will file an SA once I'm done catching up on mail.

The rest of the release notes for Qt can be found at https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.7.2/release-note.md

comment:5 by Douglas R. Reno, 9 months ago

SA-12.1-070 issued
