Bug 1466689

Summary: QtWebEngine: multiple security vulnerabilities fixed in 5.9.0
Product: [Fedora] Fedora
Component: qt5-qtwebengine
Reporter: Kevin Kofler <kevin>
Assignee: Kevin Kofler <kevin>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Version: 26
CC: awilliam, kde-sig, kevin, kevin, mattdm, mboddu
Hardware: All
OS: Linux
Whiteboard: AcceptedFreezeException
Fixed In Version: qt5-qtwebengine-5.9.0-4.fc26
Last Closed: 2017-07-06 22:49:51 UTC
Type: Bug
Bug Blocks: 1349189

Description Kevin Kofler 2017-06-30 09:07:19 UTC
QtWebEngine 5.9.0 fixes the following security issues in QtWebEngine 5.8.0: CVE-2017-5006, CVE-2017-5007, CVE-2017-5008, CVE-2017-5009, CVE-2017-5010, CVE-2017-5011, CVE-2017-5012, CVE-2017-5013, CVE-2017-5014, CVE-2017-5015, CVE-2017-5016, CVE-2017-5017, CVE-2017-5018, CVE-2017-5019, CVE-2017-5020, CVE-2017-5021, CVE-2017-5022, CVE-2017-5023, CVE-2017-5024, CVE-2017-5025, CVE-2017-5026, CVE-2017-5027, CVE-2017-5029, CVE-2017-5032, CVE-2017-5033, CVE-2017-5034, CVE-2017-5036, CVE-2017-5039, CVE-2017-5040, CVE-2017-5044, CVE-2017-5045, CVE-2017-5046, CVE-2017-5052, CVE-2017-5053, CVE-2017-5055, CVE-2017-5057, CVE-2017-5058, CVE-2017-5059, CVE-2017-5060, CVE-2017-5061, CVE-2017-5062, CVE-2017-5065, CVE-2017-5066, CVE-2017-5067, CVE-2017-5068, and CVE-2017-5069.

Since this package ships on the KDE (Plasma) and LXQt spins, I am hereby requesting a freeze exception for qt5-qtwebengine-5.9.0-4.fc26. The web browser QupZilla using QtWebEngine is the default browser on the LXQt spin and also shipped on the KDE (Plasma) spin. The KDE (Plasma) spin also ships KMail as the default mail application, which uses QtWebEngine to render HTML mail.

Comment 1 Fedora Update System 2017-06-30 09:08:23 UTC
qt5-qtwebengine-5.9.0-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e83c26a8c9

Comment 2 Adam Williamson 2017-06-30 19:13:45 UTC
Definitely +1 FE. Are any of those "'important' or higher impact according to the Red Hat severity classification scale"? If so, this should be a blocker.

Comment 3 Kevin Fenzi 2017-06-30 19:22:24 UTC
+1 FE

Comment 4 Dennis Gilmore 2017-06-30 20:56:24 UTC
+1 FE

Comment 5 Mohan Boddu 2017-06-30 20:57:30 UTC
+1 FE

Comment 6 Adam Williamson 2017-06-30 20:58:00 UTC
That's at least enough votes for an FE, accepting.

Comment 7 Matthew Miller 2017-07-02 16:28:20 UTC
Confirming that qt5-qtwebengine-5.9.0-4.fc26.x86_64 is on the KDE Live spin in RC 1.3.

Comment 8 Fedora Update System 2017-07-06 22:49:51 UTC
qt5-qtwebengine-5.9.0-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.