Bug 1560209

Summary: qt5-qtwebengine: 16 security vulnerabilities
Product: [Fedora] Fedora Reporter: Kevin Kofler <kevin>
Component: qt5-qtwebengine Assignee: Kevin Kofler <kevin>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 28 CC: gmarr, kevin
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: AcceptedFreezeException
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-03-26 22:59:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1469205    

Description Kevin Kofler 2018-03-24 22:21:28 UTC
Description of problem:
An update [https://bodhi.fedoraproject.org/updates/FEDORA-2018-b844991a97] is available fixing 16 security vulnerabilities in the qt5-qtwebengine currently in F28 Beta:
* CVE-2017-15429
* CVE-2018-6033 (claimed fixed in 5.10.1, but the fix was incomplete and had no effect; the update adds the missing part to make the fix effective)
* CVE-2018-6060
* CVE-2018-6062
* CVE-2018-6064
* CVE-2018-6069
* CVE-2018-6071
* CVE-2018-6073
* CVE-2018-6076
* CVE-2018-6079
* CVE-2018-6081
* CVE-2018-6082
* Chromium (security) Bug 770734
* Chromium (security) Bug 774833
* Chromium (security) Bug 798410
* Chromium (security) Bug 789764

I am therefore proposing this update:
https://bodhi.fedoraproject.org/updates/FEDORA-2018-b844991a97
as a freeze exception.

Version-Release number of selected component (if applicable):
qt5-qtwebengine-5.10.1-2.fc28: vulnerable
qt5-qtwebengine-5.10.1-4.fc28: not vulnerable

Comment 1 Fedora Update System 2018-03-24 22:22:45 UTC
qt5-qtwebengine-5.10.1-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b844991a97

Comment 2 Kevin Kofler 2018-03-24 22:24:42 UTC
(Ignore the automatic bug links from Bugzilla; the quoted bugs are Chromium bugs (and last I checked, private ones), not RH/Fedora bugs.)

Comment 4 Kevin Kofler 2018-03-26 16:52:36 UTC
Setting to ON_QA because this is already in updates-testing. (Bodhi set it to MODIFIED because I only added the bug reference in an edit after the push.)

Comment 5 Geoffrey Marr 2018-03-26 18:54:02 UTC
Discussed during the 2018-03-26 blocker review meeting: [1]

The decision to classify this bug as an AcceptedFreezeException was made as it's desirable to fix these security issues in a key package on a release-blocking image.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-03-26/f28-blocker-review.2018-03-26-16.01.txt

Comment 6 Fedora Update System 2018-03-26 22:30:01 UTC
qt5-qtwebengine-5.10.1-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.