Bug 883415 (CVE-2012-5624)
| Summary: | CVE-2012-5624 Qt: QML XmlHttpRequest insecure redirection | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | itamar, jreznik, kevin, ltinkl, rdieter, rnovacek, smparrish, than |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Qt 4.8.4 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-12-04 17:23:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 883457, 883467 | ||
| Bug Blocks: | |||
|
Description
Jan Lieskovsky
2012-12-04 14:49:48 UTC
The following builds: 1) qt-4.8.4-1.fc16 for Fedora 16, 2) qt-4.8.4-1.fc17 for Fedora 17 have been already created to correct this issue in the versions of qt package, as shipped with Fedora release of 16 and Fedora release of 17. Relevant upstream patch: [2] https://codereview.qt-project.org/#change,40034 CVE Request: [3] http://www.openwall.com/lists/oss-security/2012/12/04/7 qt3 cannot possibly be vulnerable to this, there is no QML in Qt 3. I submitted some bodhi updates, should i mark them fixing this bug or something specific against qt component? This issue did NOT affect the versions of the qt and qt4 packages, as shipped with Red Hat Enterprise Linux 5. -- This issue did NOT affect the versions of the qt3 and qt packages, as shipped with Red Hat Enterprise Linux 6. -- This issue did NOT affect the versions of the qt3 package, as shipped with Fedora release of 16 and 17. Created qt tracking bugs for this issue Affects: fedora-all [bug 883457] (In reply to comment #4) > I submitted some bodhi updates, should i mark them fixing this bug or > something specific against qt component? Hi Rex, thanks for making those. Please use rather above (c#6 / RH BZ#883457) one instead of this one (RH BZ#883415 directly) for that. Thanks, Jan. i just want to get this right, should I block *just* bug #883457 or that one *and* this bug #883415 ? the bodhi link mentioned in #883457 includes both. (In reply to comment #8) > i just want to get this right, should I block *just* bug #883457 or that one > *and* this bug #883415 ? the bodhi link mentioned in #883457 includes both. Do what's written in bug #883457#c1 (IOW include both bugs). If i am not mistaken, Bodhi should recognize the difference in them (and add comments about updates into the tracker only). Statement: Not vulnerable. This issue did not affect the versions of qt and qt4 as shipped with Red Hat Enterprise Linux 5. This issue did not affect the versions of qt3 and qt as shipped with Red Hat Enterprise Linux 6. CVE identifier of CVE-2012-5624 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/12/04/8 qt-4.8.4-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. qt-4.8.4-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. qt-4.8.4-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. |