Your message dated Tue, 29 Jan 2019 14:45:19 +0100
with message-id <82c43972-8d2e-7200-08c5-e6c41f92a...@debian.org>
and subject line Re: Bug#750141: libqt4-xml: vulnerable to billion laughs attack
has caused the Debian Bug report #750141,
regarding libqt4-xml: vulnerable to billion laughs attack (CVE-2013-4549)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
750141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=750141
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libqt4-xml
Severity: serious
Tags: security
Justification: security

Qt 4.8.6 has a fix for a denial of service attack due to XML entity
expansion ("billion laughs attack"). This fix doesn't seem to be in the
wheezy packages yet.

http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/

Ubuntu patched their 4.8.4;

https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577



Hamish


-- System Information:
Debian Release: 7.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--- End Message ---
--- Begin Message ---
Version: 4:4.8.5+git192-g085f851+dfsg-1

On Mon, 9 Jun 2014 07:17:04 +0200 Salvatore Bonaccorso <car...@debian.org> wrote:
> Hi,
> 
> On Sun, Jun 01, 2014 at 11:30:15PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> > tag 750141 moreinfo
> > thanks
> > 
> > On Monday 02 June 2014 11:19:05 Hamish Moffatt wrote:
> > > Package: libqt4-xml
> > > Severity: serious
> > > Tags: security
> > > Justification: security
> > > 
> > > Qt 4.8.6 has a fix for a denial of service attack due to XML entity
> > > expansion ("billion laughs attack"). This fix doesn't seem to be in the
> > > wheezy packages yet.
> > > 
> > > http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
> > > 
> > > Ubuntu patched their 4.8.4;
> > > 
> > > https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
> > 
> > Hi Hamish! I patched Qt4 for jessie at that time but IIRC (I might be mixing
> > CVEs here) when I asked someone from the security team over IRC (or maybe by
> > mail, I don't remember now) they told me it wasn't too important to get an
> > update in stable.
> 
> Yep, per mail. It was on 2013-12-06, where Moritz had written:
> 
> Hi Lisandro,
> this doesn't warrant a DSA. It can be fixed through a point update, though
> or we can line it up for a future QT DSA.
> 
> Cheers,
>         Moritz
> 
> For the BTS, I think this was fixed in 4:4.8.5+git192-g085f851+dfsg-1.

Closing as this is fixed in unstable. Also wheezy is EOL so there's no point in
keeping this bug open anymore.

Emilio

--- End Message ---
