Bug 2262191

Summary: qt5-qtwebengine is more than 1 year behind security updates
Product: [Fedora] Fedora Reporter: Kevin Kofler <kevin>
Component: qt5-qtwebengineAssignee: Rex Dieter <rdieter>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: rawhideCC: alexus_m, jgrulich, kde-sig, kevin, rdieter, robatino, teohhanhui
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: https://bugzilla.rpmfusion.org/show_bug.cgi?id=6851#c4
Whiteboard:
Fixed In Version: qt5-qtwebengine-5.15.16-1.fc39 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-02-06 01:18:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kevin Kofler 2024-02-01 03:42:58 UTC
qt5-qtwebengine is still stuck at version 5.15.12 tagged 2022-12-27, i.e., more than 13 months ago. Current is v5.15.16-lts tagged 2023-11-17. The shipped version is 4 releases out of date. Each release contains dozens of backported security fixes.

In those 13 months, qt5-qtwebengine was rebuilt 4 times for a new qt5-qtbase, but whoever did those rebuilds did not bother upgrading QtWebEngine at the same time and decided to just rebuild the same old insecure code. This does not make sense.

Also, I do not understand why there appears to be time for upgrading a dozen qt5-* packages to a new one-year-old code drop entirely irrelevant for security, but not for upgrading one single (the only) security-critical qt5-* package (qt5-qtwebengine) to the latest (not artificially delayed) LTS tag from git. This, too, just does not make sense to me.

Reproducible: Always

Steps to Reproduce:
1. rpm -q qt5-qtwebengine
Actual Results:  
5.15.12

Expected Results:  
5.15.16

It would also be helpful if RPM Fusion maintainers were notified of impending Qt and/or QtWebEngine updates so that we do not only find out when users start complaining:
https://bugzilla.rpmfusion.org/show_bug.cgi?id=6851

Comment 1 Fedora Update System 2024-02-02 11:25:30 UTC
FEDORA-2024-bf2399e5e5 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-bf2399e5e5

Comment 2 Fedora Update System 2024-02-03 00:49:12 UTC
FEDORA-2024-bf2399e5e5 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-bf2399e5e5`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-bf2399e5e5

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 3 Fedora Update System 2024-02-06 01:18:19 UTC
FEDORA-2024-bf2399e5e5 (qt5-qtwebengine-5.15.16-1.fc39) has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.