Description of problem:

An update [https://bodhi.fedoraproject.org/updates/FEDORA-2018-b844991a97] is available fixing 16 security vulnerabilities in the qt5-qtwebengine currently in F28 Beta:

* CVE-2017-15429
* CVE-2018-6033 (claimed fixed in 5.10.1, but the fix was incomplete and had no effect; the update adds the missing part to make the fix effective)
* CVE-2018-6060
* CVE-2018-6062
* CVE-2018-6064
* CVE-2018-6069
* CVE-2018-6071
* CVE-2018-6073
* CVE-2018-6076
* CVE-2018-6079
* CVE-2018-6081
* CVE-2018-6082
* Chromium (security) Bug 770734
* Chromium (security) Bug 774833
* Chromium (security) Bug 798410
* Chromium (security) Bug 789764

I am therefore proposing this update: https://bodhi.fedoraproject.org/updates/FEDORA-2018-b844991a97 as a freeze exception.

Version-Release number of selected component (if applicable):

* qt5-qtwebengine-5.10.1-2.fc28: vulnerable
* qt5-qtwebengine-5.10.1-4.fc28: not vulnerable
qt5-qtwebengine-5.10.1-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-b844991a97
(Ignore the automatic bug links from Bugzilla, the quoted bugs are Chromium bugs (and last I checked, private ones), not RH/Fedora bugs.)
I should add that the update only contains backported security fixes and no other changes:

* https://src.fedoraproject.org/cgit/rpms/qt5-qtwebengine.git/commit/?h=f28&id=b58078eac9d4e672c3b73e19853e49a14f1f46b1
* https://src.fedoraproject.org/cgit/rpms/qt5-qtwebengine.git/commit/?h=f28&id=4aaa03945920cc3d399277d358522ef384ac5d01
* https://src.fedoraproject.org/cgit/rpms/qt5-qtwebengine.git/commit/?h=f28&id=c17b1afe2c524538c9f803234ea7d743f7b4507f
Setting to ON_QA because this is already in updates-testing. (Bodhi set it to MODIFIED because I only added the bug reference in an edit after the push.)
Discussed during the 2018-03-26 blocker review meeting: [1]

The decision to classify this bug as an AcceptedFreezeException was made as it's desirable to fix these security issues in a key package on a release-blocking image.

[1] https://meetbot.fedoraproject.org/fedora-blocker-review/2018-03-26/f28-blocker-review.2018-03-26-16.01.txt
qt5-qtwebengine-5.10.1-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.