Bug 1466689 - QtWebEngine: multiple security vulnerabilities fixed in 5.9.0
Summary: QtWebEngine: multiple security vulnerabilities fixed in 5.9.0
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: qt5-qtwebengine
Version: 26
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: ---
Assignee: Kevin Kofler
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: AcceptedFreezeException
Depends On:
Blocks: F26FinalFreezeException
Reported: 2017-06-30 09:07 UTC by Kevin Kofler
Modified: 2017-07-06 22:49 UTC

Fixed In Version: qt5-qtwebengine-5.9.0-4.fc26
Clone Of:
Environment:
Last Closed: 2017-07-06 22:49:51 UTC
Type: Bug
Embargoed:


Description Kevin Kofler 2017-06-30 09:07:19 UTC
QtWebEngine 5.9.0 fixes the following security issues in QtWebEngine 5.8.0: CVE-2017-5006, CVE-2017-5007, CVE-2017-5008, CVE-2017-5009, CVE-2017-5010, CVE-2017-5011, CVE-2017-5012, CVE-2017-5013, CVE-2017-5014, CVE-2017-5015, CVE-2017-5016, CVE-2017-5017, CVE-2017-5018, CVE-2017-5019, CVE-2017-5020, CVE-2017-5021, CVE-2017-5022, CVE-2017-5023, CVE-2017-5024, CVE-2017-5025, CVE-2017-5026, CVE-2017-5027, CVE-2017-5029, CVE-2017-5032, CVE-2017-5033, CVE-2017-5034, CVE-2017-5036, CVE-2017-5039, CVE-2017-5040, CVE-2017-5044, CVE-2017-5045, CVE-2017-5046, CVE-2017-5052, CVE-2017-5053, CVE-2017-5055, CVE-2017-5057, CVE-2017-5058, CVE-2017-5059, CVE-2017-5060, CVE-2017-5061, CVE-2017-5062, CVE-2017-5065, CVE-2017-5066, CVE-2017-5067, CVE-2017-5068, and CVE-2017-5069.

Since this package ships on the KDE (Plasma) and LXQt spins, I am hereby requesting a freeze exception for qt5-qtwebengine-5.9.0-4.fc26. The web browser QupZilla using QtWebEngine is the default browser on the LXQt spin and also shipped on the KDE (Plasma) spin. The KDE (Plasma) spin also ships KMail as the default mail application, which uses QtWebEngine to render HTML mail.

Comment 1 Fedora Update System 2017-06-30 09:08:23 UTC
qt5-qtwebengine-5.9.0-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e83c26a8c9

Comment 2 Adam Williamson 2017-06-30 19:13:45 UTC
Definitely +1 FE. Are any of those "'important' or higher impact according to the Red Hat severity classification scale"? If so, this should be a blocker.

Comment 3 Kevin Fenzi 2017-06-30 19:22:24 UTC
+1 FE

Comment 4 Dennis Gilmore 2017-06-30 20:56:24 UTC
+1 FE

Comment 5 Mohan Boddu 2017-06-30 20:57:30 UTC
+1 FE

Comment 6 Adam Williamson 2017-06-30 20:58:00 UTC
That's at least enough votes for an FE, accepting.

Comment 7 Matthew Miller 2017-07-02 16:28:20 UTC
Confirming that qt5-qtwebengine-5.9.0-4.fc26.x86_64 is on the KDE Live spin in RC 1.3.

Comment 8 Fedora Update System 2017-07-06 22:49:51 UTC
qt5-qtwebengine-5.9.0-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
