severity 561760 important
thanks

Michael Gilbert wrote:
> Package: qt4-x11
> Version: 4:4.5.3-4
> Severity: grave
> Tags: security
>
> Hi,
>
> The following CVE (Common Vulnerabilities & Exposures) ids were
> published for webkit. qt4-x11 embeds webkit, so most of these issues
> are likely applicable to this package. Since there are so many
> problems, I have not had time to check whether the vulnerable code is
> present or has an impact. Please check this. Note that situations like
QT maintainers,

I checked the status of QT in Lenny and 4.6.2 from Squeeze throughout the
recent weeks:

The following vulnerabilities are fixed in 4.6.2 and Lenny:

CVE-2009-1691, CVE-2009-1699, CVE-2009-1711, CVE-2009-1712,
CVE-2009-1713, CVE-2009-2816 (Lenny not affected),
CVE-2009-2841 (Lenny not affected), CVE-2009-1688, CVE-2009-1689,
CVE-2009-1695 (Lenny not affected), CVE-2009-1696 (Lenny not affected),
CVE-2009-1703 (Lenny not affected)

The following vulnerabilities are fixed in 4.6.2, but unfixed in Lenny:

CVE-2006-2783, CVE-2008-2307, CVE-2009-1692, CVE-2009-3384,
CVE-2008-3632, CVE-2009-2797, CVE-2009-1681, CVE-2009-1684,
CVE-2009-1685, CVE-2009-1686, CVE-2009-1694, CVE-2009-1697,
CVE-2009-1700, CVE-2009-1701, CVE-2009-1702, CVE-2009-1710,
CVE-2009-1715, CVE-2009-1718, CVE-2009-1714

Since they're all limited to webkit and QtWebkit and since Lenny doesn't yet
provide a browser based on QtWebKit, I don't think we need to update it (this
will be different from Squeeze onwards, though). Or do you have a different
opinion on that matter?

The following vulnerabilities affect neither Lenny nor Squeeze:

CVE-2008-0298: Doesn't affect QT (or was fixed years ago)
CVE-2008-1588: This is MacOS-specific.
CVE-2008-2320: This doesn't affect Webkit or QT.
CVE-2009-2953: Not treated as a security issue
CVE-2008-4724: Unclear, but of negligible impact
CVE-2008-4231: Apparently Safari-only

This leaves us with one vulnerability, which is apparently still unfixed in
4.6.2:

CVE-2009-1693: Webkit commit: http://trac.webkit.org/changeset/35928

Could you please contact upstream and ask whether this is an oversight or was
left out intentionally? Since CVE-2009-1693 is of low impact, I'm lowering
severity to "important", but please try to get it resolved for Squeeze.

Cheers,
Moritz

Archive: http://lists.debian.org/20100421195450.ga3...@galadriel.inutil.org