Am 29.01.20 um 09:52 schrieb Cristián Maureira-Fredes: > I think nobody at Qt will be so irresponsible of not notifying > security patches, and I'm certain we will work around this issue, > to maybe distributed in a better way for Open Source users.
Hi Cristián, what exactly do you consider a proper notification? I might have a wrong impression caused by the small sample size but none of the two security issues I got in touch with before this year was announced properly, I think. [1] wasn't mentioned anywhere on qt.io and I didn't notice it on [email protected], either. [2] was mentioned in a blog post, but I could not find any public steps for reproducing the issue, so one cannot test whether their software is vulnerable. Please correct me if I missed something. Cheers, Robert [1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-18281 [2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15518 _______________________________________________ Development mailing list [email protected] https://lists.qt-project.org/listinfo/development
