qt6-6.9.0 qtwebengine-6.9.0

[Bruce Dubbs]

New minor version. We just did a point version 5 days ago, :(

[Bruce Dubbs]

Release notes are at ​https://www.qt.io/blog/qt-6.9-released and ​https://github.com/qt/qtreleasenotes/blob/dev/qt/6.9.0/release-note.md

Three CVEs:

CVE-2025-30348 in qtbase
CVE-2025-23050 in qtconnectivity
CVE-2024-39936 in qtbase

[Bruce Dubbs]

I think the CVEs are all for older versions of Qt before 6.8.3 which we have in the book now.

[Douglas R. Reno]

CVE-2025-23050 and CVE-2024-39936 were fixed in prior updates along the 6.8.x line, but CVE-2025-30348 appears to be new. NVD mentions that it was fixed in 6.8.0, but I think that might be incorrect as there is no mention of that vulnerability in the release notes for 6.8.0, nor on the Qt Security website. ​https://wiki.qt.io/List_of_known_vulnerabilities_in_Qt_products

[Douglas R. Reno]

Further research shows that the bug number (QTBUG-127549) was resolved in 6.8.0, but it was not assigned a CVE at the time:

Qt 6.8.0 release notes: ​https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.8.0/release-note.md

Qt Code Review: ​https://codereview.qt-project.org/c/qt/qtbase/+/586374

Qt Bug Report: ​https://bugreports.qt.io/browse/QTBUG-127549

I'm going to go check QtWebEngine now. If no new CVEs are fixed there, I will downgrade this back to normal

[Douglas R. Reno]

QtWebEngine CVEs

• CVE-2025-0434: Out of bounds memory access in V8 (High) - RCE
• CVE-2025-0445: Use after free in V8 (High) - RCE
• CVE-2025-0995: Use after free in V8 (High) - RCE

There was a lot of overlap with 6.8.3 (which is a very good thing given one of the 0days fixed in 6.8.3/WebKitGTK 2.48.0)

[Bruce Dubbs]

Fixed at commit 910063fbcd.