Bug#1077544: qtbase-opensource-src-gles: CVE-2024-39936

2024-07-29 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2024-39936[0]:
| An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before
| 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x
| before 6.7.3. Code to make security-relevant decisions about an
| established connection may execute too early, because the
| encrypted() signal has not yet been emitted and processed.

https://codereview.qt-project.org/c/qt/qtbase/+/571601
https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=b1e75376cc3adfc7da5502a277dfe9711f3e0536

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39936
https://www.cve.org/CVERecord?id=CVE-2024-39936

Please adjust the affected versions in the BTS as needed.



Re: Debdiffs for CVE-2024-36041/plasma-workspace

2024-06-27 Thread Moritz Mühlenhoff
Am Fri, Jun 21, 2024 at 11:01:33PM +0300 schrieb Adrian Bunk:
> Hi,
> 
> attached are debdiffs for CVE-2024-36041/plasma-workspace.

DSA has been released, thanks!

Cheers,
Moritz



Re: Debdiffs for CVE-2024-36041/plasma-workspace

2024-06-25 Thread Moritz Mühlenhoff
Am Fri, Jun 21, 2024 at 11:01:33PM +0300 schrieb Adrian Bunk:
> Hi,
> 
> attached are debdiffs for CVE-2024-36041/plasma-workspace.

Thanks! Please upload to security-master.

Cheers,
Moritz



Bug#1068454: qt6-base: CVE-2024-30161

2024-04-05 Thread Moritz Mühlenhoff
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2024-30161[0]:
| In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may
| access QNetworkReply header data via a dangling pointer.

https://codereview.qt-project.org/c/qt/qtbase/+/544314
https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=a5b00cefef12999e9a213943855abe6bc0ab5365


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-30161
https://www.cve.org/CVERecord?id=CVE-2024-30161

Please adjust the affected versions in the BTS as needed.



Bug#1064063: plasma-workspace: CVE-2024-1433

2024-02-16 Thread Moritz Mühlenhoff
Source: plasma-workspace
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for plasma-workspace.

CVE-2024-1433[0]:
| A vulnerability, which was classified as problematic, was found in
| KDE Plasma Workspace up to 5.93.0. This affects the function
| EventPluginsManager::enabledPlugins of the file
| components/calendar/eventpluginsmanager.cpp of the component Theme
| File Handler. The manipulation of the argument pluginId leads to
| path traversal. It is possible to initiate the attack remotely. The
| complexity of an attack is rather high. The exploitability is told
| to be difficult. The patch is named
| 6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01. It is recommended to apply
| a patch to fix this issue. The associated identifier of this
| vulnerability is VDB-253407. NOTE: This requires write access to
| user's home or the installation of third party global themes.

https://github.com/KDE/plasma-workspace/commit/6cdf42916369ebf4ad5bd876c4dfa0170d7b2f01


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-1433
https://www.cve.org/CVERecord?id=CVE-2024-1433

Please adjust the affected versions in the BTS as needed.
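The path-traversal class named in the CVE text above (a plugin id spliced into a file path), shown as an added example that is not Plasma's code: a hypothetical allow-list for the id next to the unvalidated concatenation it replaces. The base directory, the id character set and the one-file-per-plugin layout are assumptions made for the illustration, not Plasma's actual layout.

```cpp
#include <cctype>
#include <cstdio>
#include <optional>
#include <string>

// Hypothetical allow-list for a plugin id that will become a single
// file-name component. Everything outside [A-Za-z0-9_.-] is rejected, as
// are the special names "." and "..", a leading dot, embedded NUL bytes
// (caught by the per-byte check) and over-long ids.
bool isSafePluginId(const std::string& id)
{
    if (id.empty() || id.size() > 64) return false;
    if (id == "." || id == ".." || id.front() == '.') return false;
    for (unsigned char c : id) {
        if (!(std::isalnum(c) || c == '_' || c == '-' || c == '.')) return false;
    }
    return true;
}

// Unsafe form: the id is spliced straight into the path, so "../" hops out
// of baseDir. Kept only to contrast with pluginFilePath below.
std::string unsafePluginFilePath(const std::string& baseDir, const std::string& id)
{
    return baseDir + "/" + id;
}

// Hardened form: the id is validated before it becomes a path component, so
// the result can only ever name a direct child of baseDir (assumed layout:
// one file per plugin directly under baseDir).
std::optional<std::string> pluginFilePath(const std::string& baseDir, const std::string& id)
{
    if (!isSafePluginId(id)) return std::nullopt;
    return baseDir + "/" + id;
}

int main()
{
    const std::string base = "/usr/share/example/plugins"; // constructed sample dir
    const char* ids[] = {"holidays", "astronomical-events", "../../tmp/escape", "a/b", ".."};
    for (const char* id : ids) {
        auto safe = pluginFilePath(base, id);
        std::printf("%-22s unsafe=%s  hardened=%s\n", id,
                    unsafePluginFilePath(base, id).c_str(),
                    safe ? safe->c_str() : "(rejected)");
    }
    return 0;
}
```

The allow-list is deliberately stricter than "reject `..`": rejecting separators and NUL bytes outright means the id cannot name anything outside the plugin directory on any platform, whatever the caller later appends.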



Bug#1064054: qtbase-opensource-src-gles: CVE-2024-25580

2024-02-16 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2024-25580[0]:
https://bugzilla.redhat.com/show_bug.cgi?id=2264423
https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25580
https://www.cve.org/CVERecord?id=CVE-2024-25580

Please adjust the affected versions in the BTS as needed.



Bug#1064053: qtbase-opensource-src: CVE-2024-25580

2024-02-16 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2024-25580[0]:
https://bugzilla.redhat.com/show_bug.cgi?id=2264423
https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25580
https://www.cve.org/CVERecord?id=CVE-2024-25580

Please adjust the affected versions in the BTS as needed.



Bug#1064052: qt6-base: CVE-2024-25580

2024-02-16 Thread Moritz Mühlenhoff
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2024-25580[0]:
https://bugzilla.redhat.com/show_bug.cgi?id=2264423
https://code.qt.io/cgit/qt/qtbase.git/commit/?id=28ecb523ce8490bff38b251b3df703c72e057519


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25580
https://www.cve.org/CVERecord?id=CVE-2024-25580

Please adjust the affected versions in the BTS as needed.



Bug#1060695: qtbase-opensource-src-gles: CVE-2023-51714

2024-01-12 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2023-51714[0]:
| An issue was discovered in the HTTP2 implementation in Qt before
| 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and
| 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an
| incorrect HPack integer overflow check.

https://codereview.qt-project.org/c/qt/qtbase/+/524864
https://codereview.qt-project.org/c/qt/qtbase/+/524865/3

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51714
https://www.cve.org/CVERecord?id=CVE-2023-51714

Please adjust the affected versions in the BTS as needed.



Bug#1060694: qtbase-opensource-src: CVE-2023-51714

2024-01-12 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2023-51714[0]:
| An issue was discovered in the HTTP2 implementation in Qt before
| 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and
| 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an
| incorrect HPack integer overflow check.

https://codereview.qt-project.org/c/qt/qtbase/+/524864
https://codereview.qt-project.org/c/qt/qtbase/+/524865/3

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51714
https://www.cve.org/CVERecord?id=CVE-2023-51714

Please adjust the affected versions in the BTS as needed.



Bug#1060693: qt6-base: CVE-2023-51714

2024-01-12 Thread Moritz Mühlenhoff
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2023-51714[0]:
| An issue was discovered in the HTTP2 implementation in Qt before
| 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and
| 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an
| incorrect HPack integer overflow check.

https://codereview.qt-project.org/c/qt/qtbase/+/524864
https://codereview.qt-project.org/c/qt/qtbase/+/524865/3

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-51714
https://www.cve.org/CVERecord?id=CVE-2023-51714

Please adjust the affected versions in the BTS as needed.
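For the HPACK integer overflow check named in the CVE text above (the same text appears in the two preceding reports), an added example that is not Qt's code: an RFC 7541 section 5.1 integer decoder in plain C++ that bounds-checks every continuation byte before it is added to the accumulator. The input bytes are constructed (the RFC's own appendix C.1 examples plus a truncated and an over-long encoding); the function and struct names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>
#include <vector>

struct HpackInt {
    uint32_t value;   // decoded integer
    size_t consumed;  // bytes used, including the prefix byte
};

// Decode an HPACK integer (RFC 7541, section 5.1) starting at data[offset].
// The first byte carries the low `prefixBits` bits of the value; if those are
// all ones, continuation bytes follow, 7 value bits each, least significant
// group first. Returns nullopt when the input is truncated or the value would
// not fit in 32 bits: every addend is checked before it is applied, so the
// accumulator can never wrap.
std::optional<HpackInt> decodeHpackInteger(const std::vector<uint8_t>& data,
                                           size_t offset, unsigned prefixBits)
{
    if (prefixBits < 1 || prefixBits > 8 || offset >= data.size()) return std::nullopt;
    const uint32_t mask = (1u << prefixBits) - 1;
    uint32_t value = data[offset] & mask;
    size_t pos = offset + 1;
    if (value < mask) return HpackInt{value, pos - offset}; // fits in the prefix

    unsigned shift = 0;
    while (true) {
        if (pos >= data.size()) return std::nullopt;           // truncated
        const uint8_t b = data[pos++];
        const uint32_t chunk = b & 0x7f;
        // A 7-bit chunk shifted by 28 keeps only 4 bits inside uint32_t; any
        // further continuation byte cannot carry value bits at all.
        if (shift > 28 || (shift == 28 && chunk > 0x0f)) return std::nullopt;
        const uint32_t addend = chunk << shift;
        if (value > std::numeric_limits<uint32_t>::max() - addend) return std::nullopt;
        value += addend;
        shift += 7;
        if ((b & 0x80) == 0) break;                            // last byte
    }
    return HpackInt{value, pos - offset};
}

int main()
{
    // Constructed inputs: the three RFC 7541 appendix C.1 examples, then a
    // truncated encoding and one whose value exceeds 32 bits.
    struct Case { std::vector<uint8_t> bytes; unsigned prefix; } cases[] = {
        {{0x0a}, 5},                               // 10
        {{0x1f, 0x9a, 0x0a}, 5},                   // 1337
        {{0x2a}, 8},                               // 42
        {{0x1f, 0x9a}, 5},                         // truncated
        {{0xff, 0xff, 0xff, 0xff, 0xff, 0x0f}, 8}, // overflows uint32_t
    };
    for (const Case& c : cases) {
        auto r = decodeHpackInteger(c.bytes, 0, c.prefix);
        if (r) std::printf("value=%u consumed=%zu\n", r->value, r->consumed);
        else   std::printf("rejected\n");
    }
    return 0;
}
```

The two checks inside the loop are the point: the shift test catches a sixth continuation byte (and a fifth one carrying more than four bits), and the subtraction test catches the case where the shifted chunk fits on its own but the running sum does not. An implementation that only tests one of the two still wraps on some inputs.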



Bug#1059302: qt6-base: CVE-2023-37369

2023-12-22 Thread Moritz Mühlenhoff
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2023-37369[0]:
| In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x
| before 6.5.2, there can be an application crash in QXmlStreamReader
| via a crafted XML string that triggers a situation in which a prefix
| is greater than a length.

https://www.qt.io/blog/security-advisory-qxmlstreamreader
https://codereview.qt-project.org/c/qt/qtbase/+/455027

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37369
https://www.cve.org/CVERecord?id=CVE-2023-37369

Please adjust the affected versions in the BTS as needed.



Bug#1041106: qtbase-opensource-src-gles: CVE-2023-38197

2023-07-14 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2023-38197[0]:
| An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and
| 6.3.x through 6.5.x before 6.5.3. There are infinite loops in
| recursive entity expansion.

https://codereview.qt-project.org/c/qt/qtbase/+/488960
 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38197
https://www.cve.org/CVERecord?id=CVE-2023-38197

Please adjust the affected versions in the BTS as needed.



Bug#1041105: qtbase-opensource-src: CVE-2023-38197

2023-07-14 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2023-38197[0]:
| An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and
| 6.3.x through 6.5.x before 6.5.3. There are infinite loops in
| recursive entity expansion.

https://codereview.qt-project.org/c/qt/qtbase/+/488960

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38197
https://www.cve.org/CVERecord?id=CVE-2023-38197

Please adjust the affected versions in the BTS as needed.



Bug#1041104: qt6-base: CVE-2023-38197

2023-07-14 Thread Moritz Mühlenhoff
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2023-38197[0]:
| An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and
| 6.3.x through 6.5.x before 6.5.3. There are infinite loops in
| recursive entity expansion.

https://codereview.qt-project.org/c/qt/qtbase/+/488960


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38197
https://www.cve.org/CVERecord?id=CVE-2023-38197

Please adjust the affected versions in the BTS as needed.
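For the recursive entity expansion named in the CVE text above (the same text appears in the two preceding reports), an added example that is not Qt's code: a minimal `&name;` expander with cycle detection, a nesting limit and an output budget, exercised against constructed benign, cyclic, billion-laughs and deep-chain entity tables. The limit values and the entity syntax (plain `&name;` lookups, no XML parsing) are assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <map>
#include <optional>
#include <set>
#include <string>

// Bounds for one expansion. The defaults are hypothetical; a real parser
// derives them from the document size it is willing to handle.
struct ExpandLimits {
    size_t maxDepth = 16;        // nesting of entity-in-entity references
    size_t maxOutput = 1 << 20;  // bytes of expanded text
};

using EntityTable = std::map<std::string, std::string>;

// Recursive worker: appends the expansion of `text` to `out`. Returns false
// when a reference is malformed or undefined, when an entity refers to itself
// directly or through other entities (`active` holds the chain currently being
// expanded), or when a limit is exceeded.
static bool expandInto(const std::string& text, const EntityTable& entities,
                       std::set<std::string>& active, size_t depth,
                       const ExpandLimits& lim, std::string& out)
{
    if (depth > lim.maxDepth) return false;
    size_t i = 0;
    while (i < text.size()) {
        if (text[i] != '&') {
            out.push_back(text[i++]);
            if (out.size() > lim.maxOutput) return false;
            continue;
        }
        const size_t semi = text.find(';', i);
        if (semi == std::string::npos) return false;            // "&name" without ';'
        const std::string name = text.substr(i + 1, semi - i - 1);
        const auto it = entities.find(name);
        if (it == entities.end()) return false;                  // undefined entity
        if (active.count(name)) return false;                    // cycle
        active.insert(name);
        if (!expandInto(it->second, entities, active, depth + 1, lim, out)) return false;
        active.erase(name);
        i = semi + 1;
    }
    return true;
}

// Expand every &name; reference in `text`. nullopt means the input was
// rejected rather than expanded.
std::optional<std::string> expandEntities(const std::string& text, const EntityTable& entities,
                                          const ExpandLimits& lim = ExpandLimits{})
{
    std::string out;
    std::set<std::string> active;
    if (!expandInto(text, entities, active, 0, lim, out)) return std::nullopt;
    return out;
}

// Constructed "billion laughs" table: each level references the previous one
// ten times, so lol4 alone expands to 30000 bytes. With a 10000-byte budget
// the expansion is cut off instead of growing exponentially.
bool billionLaughsIsRejected()
{
    EntityTable t{{"lol0", "lol"}};
    for (int n = 1; n <= 5; ++n) {
        std::string body;
        for (int k = 0; k < 10; ++k) body += "&lol" + std::to_string(n - 1) + ";";
        t["lol" + std::to_string(n)] = body;
    }
    return !expandEntities("&lol5;", t, ExpandLimits{16, 10000}).has_value();
}

// Constructed chain e19 -> e18 -> ... -> e0: no cycle and tiny output, but
// deeper than maxDepth, so it is rejected on nesting alone.
bool deepChainIsRejected()
{
    EntityTable t{{"e0", "x"}};
    for (int n = 1; n < 20; ++n) t["e" + std::to_string(n)] = "&e" + std::to_string(n - 1) + ";";
    return !expandEntities("&e19;", t).has_value();
}

int main()
{
    EntityTable ok{{"name", "Plasma"}, {"greet", "hello &name;"}};
    auto r = expandEntities("&greet;!", ok);
    std::printf("benign: %s\n", r ? r->c_str() : "(rejected)");
    EntityTable cyc{{"a", "&b;"}, {"b", "&a;"}};
    std::printf("cycle rejected: %s\n", expandEntities("&a;", cyc) ? "no" : "yes");
    std::printf("billion laughs rejected: %s\n", billionLaughsIsRejected() ? "yes" : "no");
    std::printf("deep chain rejected: %s\n", deepChainIsRejected() ? "yes" : "no");
    return 0;
}
```

Three independent guards are needed because each attack shape defeats a different one: a self-referencing entity never grows the output but never terminates without the `active` set; a long non-cyclic chain passes the cycle check but blows the stack without `maxDepth`; and the billion-laughs table is shallow and acyclic, so only the output budget stops it.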



Bug#1036702: qtbase-opensource-src-gles: CVE-2023-32762

2023-05-24 Thread Moritz Mühlenhoff
Am Wed, May 24, 2023 at 03:50:06PM +0200 schrieb Moritz Mühlenhoff:
> Source: qtbase-opensource-src-gles
> X-Debbugs-CC: t...@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for qtbase-opensource-src-gles.
> 
> CVE-2023-32762[0]:
> https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
> 
> Per IRC thus likely also affects the -gles variant

Confused the CVE IDs, this is for CVE-2023-32763, which is the SVG issue.
CVE-2023-32762 being about HSTS should not affect -gles.

Cheers,
Moritz



Bug#1036702: qtbase-opensource-src-gles: CVE-2023-32762

2023-05-24 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2023-32762[0]:
https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305

Per IRC thus likely also affects the -gles variant

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32762
https://www.cve.org/CVERecord?id=CVE-2023-32762

Please adjust the affected versions in the BTS as needed.



Bug#1031873: qtbase-opensource-src-gles: CVE-2023-24607

2023-02-24 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src-gles
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2023-24607[0]:
When using the Qt SQL ODBC driver plugin, it is possible to trigger a DoS
with a specifically crafted string.

https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-24607
https://www.cve.org/CVERecord?id=CVE-2023-24607

Please adjust the affected versions in the BTS as needed.



Bug#1031872: qtbase-opensource-src: CVE-2023-24607

2023-02-24 Thread Moritz Mühlenhoff
Source: qtbase-opensource-src
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2023-24607[0]:
When using the Qt SQL ODBC driver plugin, it is possible to trigger a DoS
with a specifically crafted string.

https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff


For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-24607
https://www.cve.org/CVERecord?id=CVE-2023-24607

Please adjust the affected versions in the BTS as needed.



Bug#1031871: qt6-base: CVE-2023-24607

2023-02-24 Thread Moritz Mühlenhoff
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2023-24607[0]:
When using the Qt SQL ODBC driver plugin, it is possible to trigger a DoS
with a specifically crafted string.

https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d (6.4)


For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-24607
https://www.cve.org/CVERecord?id=CVE-2023-24607

Please adjust the affected versions in the BTS as needed.



Bug#990527: kimageformats: CVE-2021-36083

2021-07-01 Thread Moritz Mühlenhoff
Source: kimageformats
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for kimageformats.

CVE-2021-36083[0]:
| KDE KImageFormats 5.70.0 through 5.81.0 has a stack-based buffer
| overflow in XCFImageFormat::loadTileRLE.

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=33742
https://github.com/google/oss-fuzz-vulns/blob/main/vulns/kimageformats/OSV-2021-695.yaml
https://invent.kde.org/frameworks/kimageformats/commit/297ed9a2fe339bfe36916b9fce628c3242e5be0f

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-36083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36083

Please adjust the affected versions in the BTS as needed.



Bug#875087: [phonon-backend-gstreamer] Future Qt4 removal from Buster

2019-08-29 Thread Moritz Mühlenhoff
On Sat, Sep 09, 2017 at 10:18:38PM +0200, Lisandro Damián Nicanor Pérez Meyer 
wrote:
> Source: phonon-backend-gstreamer
> Version: 4:4.9.0-1
> Severity: wishlist
> User: debian-qt-kde@lists.debian.org
> Usertags: qt4-removal
> 
> 
> Hi! As you might know we the Qt/KDE team are preparing to remove Qt4
> as [announced] in:

With the removal of src:kde4libs, there are no reverse deps of the Qt4
packages of phonon-backend-gstreamer, patch attached to drop them.

Cheers,
Moritz
diff -Naur phonon-backend-gstreamer-4.9.1.orig/debian/control phonon-backend-gstreamer-4.9.1/debian/control
--- phonon-backend-gstreamer-4.9.1.orig/debian/control	2019-07-30 07:26:24.0 +0200
+++ phonon-backend-gstreamer-4.9.1/debian/control	2019-08-29 20:18:01.483076445 +0200
@@ -13,12 +13,8 @@
libglib2.0-dev,
libgstreamer-plugins-base1.0-dev,
libgstreamer1.0-dev,
-   libphonon-dev (>= 4:4.7.1~),
libphonon4qt5-dev (>= 4:4.7.1~),
libphonon4qt5experimental-dev (>= 4:4.7.1~),
-   libphononexperimental-dev (>= 4:4.7.1~),
-   libqt4-dev (>= 4:4.8.1),
-   libqt4-opengl-dev (>= 4:4.8.1),
libqt5opengl5-dev,
libqt5x11extras5-dev (>= 5.2.0~),
libxml2-dev,
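Review bot: the debdiff carries no debian/changelog hunk, so the four Build-Depends removals here and the binary package dropped in the next hunk are not recorded anywhere; add a changelog entry that names the removed phonon-backend-gstreamer package and closes #875087 before upload.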
@@ -47,29 +43,6 @@
  .
  This package contains icons used by Phonon and Phonon4Qt5 backends.
 
-Package: phonon-backend-gstreamer
-Architecture: any
-Multi-Arch: same
-Provides: phonon-backend
-Pre-Depends: ${misc:Pre-Depends}
-Depends: gstreamer1.0-alsa [linux-any] | gstreamer1.0-audiosink,
- gstreamer1.0-plugins-base,
- gstreamer1.0-pulseaudio,
- phonon-backend-gstreamer-common (= ${binary:Version}),
- ${misc:Depends},
- ${shlibs:Depends}
-Recommends: gstreamer1.0-plugins-good
-Suggests: gstreamer1.0-plugins-ugly
-Description: Phonon GStreamer 1.0 backend
- This package contains GStreamer 1.0 backend for Phonon multimedia
- framework. It transparently adapts and reroutes all requests from Phonon
- applications to the GStreamer framework which in turn performs requested
- audio/video decoding/capture tasks.
- .
- You should install gstreamer1.0-plugins-good to get support for playing
- popular free multimedia formats and gstreamer1.0-plugins-ugly to get support
- for popular MPEG audio formats like MP3.
-
 Package: phonon4qt5-backend-gstreamer
 Architecture: any
 Multi-Arch: same
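Review bot: the removed stanza carried `Provides: phonon-backend`, so the virtual package phonon-backend loses this provider as well; the reasoning in the mail covers reverse dependencies of the Qt4 library packages only, so before upload also check that nothing left in the archive depends on that virtual package now that src:kde4libs is gone.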
diff -Naur phonon-backend-gstreamer-4.9.1.orig/debian/phonon-backend-gstreamer.install phonon-backend-gstreamer-4.9.1/debian/phonon-backend-gstreamer.install
--- phonon-backend-gstreamer-4.9.1.orig/debian/phonon-backend-gstreamer.install	2016-06-06 21:29:58.0 +0200
+++ phonon-backend-gstreamer-4.9.1/debian/phonon-backend-gstreamer.install	1970-01-01 01:00:00.0 +0100
@@ -1,2 +0,0 @@
-usr/lib/*/qt4/plugins/phonon_backend/phonon_gstreamer.so
-usr/share/kde4/services/phononbackends/gstreamer.desktop
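Review bot: deleting the whole install file is the right counterpart to removing the binary package; the diff touches no other per-package file, so confirm there is no phonon-backend-gstreamer.lintian-overrides, .docs or similar left in debian/ that would now be orphaned.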
diff -Naur phonon-backend-gstreamer-4.9.1.orig/debian/rules phonon-backend-gstreamer-4.9.1/debian/rules
--- phonon-backend-gstreamer-4.9.1.orig/debian/rules	2016-06-06 21:29:58.0 +0200
+++ phonon-backend-gstreamer-4.9.1/debian/rules	2019-08-29 20:14:51.963932199 +0200
@@ -5,33 +5,27 @@
 include /usr/share/pkg-kde-tools/qt-kde-team/2/debian-qt-kde.mk
 
 override_dh_auto_configure:
-	$(overridden_command) -B obj-qt4 -- -DPLUGIN_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH)/qt4/
 	$(overridden_command) -B obj-qt5 -- \
 	  -DPLUGIN_INSTALL_DIR=/usr/lib/$(DEB_HOST_MULTIARCH)/qt5/ \
 	  -DPHONON_BUILD_PHONON4QT5=ON
 
 override_dh_auto_build:
-	$(overridden_command) -B obj-qt4
 	$(overridden_command) -B obj-qt5
 
 override_dh_auto_install:
-	$(overridden_command) -B obj-qt4
 	$(overridden_command) -B obj-qt5
 
 override_dh_install:
 	$(overridden_command) --fail-missing
 
 override_dh_auto_clean:
-	$(overridden_command) -B obj-qt4
 	$(overridden_command) -B obj-qt5
 
 override_dh_shlibdeps:
 	$(overridden_command) -- -xphonon
 
 override_dh_auto_test:
-	$(overridden_command) -B obj-qt4
 	$(overridden_command) -B obj-qt5
 
 override_dh_strip:
-	$(overridden_command) -pphonon-backend-gstreamer --dbgsym-migration='phonon-backend-gstreamer-dbg (<= 4:4.9.0-1~~)'
 	$(overridden_command) -pphonon4qt5-backend-gstreamer --dbgsym-migration='phonon4qt5-backend-gstreamer-dbg (<= 4:4.9.0-1~~)'
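Review bot: every obj-qt4 reference is removed consistently, and dropping the `--dbgsym-migration` line for phonon-backend-gstreamer-dbg is correct since that package no longer exists; a useful side effect is that the unchanged `$(overridden_command) --fail-missing` in override_dh_install will fail the build if anything still lands in the Qt4 plugin directory, so a clean build of this patch doubles as the check that nothing Qt4-related is still produced.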


Bug#875092: [polkit-qt-1] Future Qt4 removal from Buster

2019-08-28 Thread Moritz Mühlenhoff
On Sat, Sep 09, 2017 at 10:19:00PM +0200, Lisandro Damián Nicanor Pérez Meyer 
wrote:
> Source: polkit-qt-1
> Usertags: qt4-removal

With the removal of src:kde4libs, the Qt4 packages can now go away, patch 
attached.

Cheers,
Moritz
diff -Naur polkit-qt-1-0.112.0.orig/debian/control polkit-qt-1-0.112.0/debian/control
--- polkit-qt-1-0.112.0.orig/debian/control	2018-11-08 07:29:36.0 +0100
+++ polkit-qt-1-0.112.0/debian/control	2019-08-28 23:37:04.361158804 +0200
@@ -8,7 +8,6 @@
debhelper (>= 11~),
libpolkit-agent-1-dev (>= 0.98),
libpolkit-gobject-1-dev (>= 0.98),
-   libqt4-dev (>= 4:4.4.0),
pkg-kde-tools (>= 0.11),
qtbase5-dev (>= 5.1.0)
 Standards-Version: 4.2.1
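Review bot: this hunk only drops libqt4-dev, and the debdiff contains no debian/rules hunk, so any explicit Qt4 configure step in rules is untouched; verify the package builds in a clean chroot without libqt4-dev installed, and add the debian/changelog entry (also missing from the diff) that closes #875092.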
@@ -16,45 +15,6 @@
 Vcs-Browser: https://salsa.debian.org/qt-kde-team/extras/polkit-qt-1
 Vcs-Git: https://salsa.debian.org/qt-kde-team/extras/polkit-qt-1.git
 
-Package: libpolkit-qt-1-dev
-Section: libdevel
-Architecture: any
-Multi-Arch: same
-Depends: libpolkit-qt-1-1 (= ${binary:Version}), libqt4-dev, ${misc:Depends}
-Description: PolicyKit-qt-1 development files
- PolicyKit is an application-level toolkit for defining and handling the policy
- that allows unprivileged processes to speak to privileged processes.
- .
- It is a framework for centralizing the decision making process with respect to
- granting access to privileged operations (like calling the HAL Mount() method)
- for unprivileged (desktop) applications.
- .
- libpolkit-qt-1 provides convenience classes and methods for Qt/KDE
- applications that want to use PolicyKit-1.
- .
- This package contains the development libraries and headers.
-
-Package: libpolkit-qt-1-1
-Architecture: any
-Multi-Arch: same
-Pre-Depends: ${misc:Pre-Depends}
-Depends: libpam-systemd [linux-any],
- ${misc:Depends},
- ${shlibs:Depends}
-Description: PolicyKit-qt-1 library
- PolicyKit is an application-level toolkit for defining and handling the policy
- that allows unprivileged processes to speak to privileged processes.
- .
- It is a framework for centralizing the decision making process with respect to
- granting access to privileged operations (like calling the HAL Mount() method)
- for unprivileged (desktop) applications.
- .
- libpolkit-qt-1 provides convenience classes and methods for Qt/KDE
- applications that want to use PolicyKit.
- .
- This package contains the files necessary for running applications that use
- the libpolkit-qt-1 library.
-
 Package: libpolkit-qt5-1-dev
 Section: libdevel
 Architecture: any
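Review bot: removing libpolkit-qt-1-dev (whose Depends line pulled in libqt4-dev) together with libpolkit-qt-1-1 is consistent, but libpolkit-qt-1-1 is a shared-library package and the diff changes only debian/control; check that its .install and .symbols (or shlibs) files, if any, are removed as well, since an orphaned symbols file for a package that no longer exists is easy to miss.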
diff -Naur polkit-qt-1-0.112.0.orig/debian/control~ polkit-qt-1-0.112.0/debian/control~
--- polkit-qt-1-0.112.0.orig/debian/control~	1970-01-01 01:00:00.0 +0100
+++ polkit-qt-1-0.112.0/debian/control~	2018-11-08 07:29:36.0 +0100
@@ -0,0 +1,93 @@
+Source: polkit-qt-1
+Section: libs
+Priority: optional
+Maintainer: Debian Qt/KDE Maintainers 
+Uploaders: Modestas Vainius ,
+   Maximiliano Curia ,
+Build-Depends: cmake (>= 2.8.11),
+   debhelper (>= 11~),
+   libpolkit-agent-1-dev (>= 0.98),
+   libpolkit-gobject-1-dev (>= 0.98),
+   libqt4-dev (>= 4:4.4.0),
+   pkg-kde-tools (>= 0.11),
+   qtbase5-dev (>= 5.1.0)
+Standards-Version: 4.2.1
+Homepage: https://projects.kde.org/projects/kdesupport/polkit-qt-1
+Vcs-Browser: https://salsa.debian.org/qt-kde-team/extras/polkit-qt-1
+Vcs-Git: https://salsa.debian.org/qt-kde-team/extras/polkit-qt-1.git
+
+Package: libpolkit-qt-1-dev
+Section: libdevel
+Architecture: any
+Multi-Arch: same
+Depends: libpolkit-qt-1-1 (= ${binary:Version}), libqt4-dev, ${misc:Depends}
+Description: PolicyKit-qt-1 development files
+ PolicyKit is an application-level toolkit for defining and handling the policy
+ that allows unprivileged processes to speak to privileged processes.
+ .
+ It is a framework for centralizing the decision making process with respect to
+ granting access to privileged operations (like calling the HAL Mount() method)
+ for unprivileged (desktop) applications.
+ .
+ libpolkit-qt-1 provides convenience classes and methods for Qt/KDE
+ applications that want to use PolicyKit-1.
+ .
+ This package contains the development libraries and headers.
+
+Package: libpolkit-qt-1-1
+Architecture: any
+Multi-Arch: same
+Pre-Depends: ${misc:Pre-Depends}
+Depends: libpam-systemd [linux-any],
+ ${misc:Depends},
+ ${shlibs:Depends}
+Description: PolicyKit-qt-1 library
+ PolicyKit is an application-level toolkit for defining and handling the policy
+ that allows unprivileged processes to speak to privileged processes.
+ .
+ It is a framework for centralizing the decision making process with respect to
+ granting access to privileged operations (like calling the HAL Mount() method)
+ for unprivileged (desktop) applications.
+ .
+ libpolkit-qt-1 provides convenience classes and methods for Qt/KDE
+ applications that want to use 
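Review bot: `debian/control~` is an editor backup file that `diff -Naur` picked up from the working tree; it must not be in the patch, since applying it would add a stray 93-line copy of the old control file to the packaging. Delete the backup and regenerate the debdiff (or pass `-x '*~'` to diff so backups are skipped).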

Bug#875130: [qimageblitz] Future Qt4 removal from Buster

2019-08-26 Thread Moritz Mühlenhoff
On Sat, Sep 09, 2017 at 11:01:46PM +0200, Lisandro Damián Nicanor Pérez Meyer 
wrote:
> Source: qimageblitz
> Version: 1:0.0.6-5
> Severity: wishlist
> User: debian-qt-kde@lists.debian.org
> Usertags: qt4-removal
> 
> 
> Hi! As you might know we the Qt/KDE team are preparing to remove Qt4
> as [announced] in:

Per the comment on the wiki this was kept around for kopete, which
has been removed until a stable qt5 port appears, so good to remove now?

Cheers,
Moritz



Bug#874908: [grantlee] Future Qt4 removal from Buster

2019-08-23 Thread Moritz Mühlenhoff
On Sun, Jul 07, 2019 at 11:40:59AM -0300, Lisandro Damián Nicanor Pérez Meyer 
wrote:
> Hi Moritz!
> 
> On Fri, 5 Jul 2019 at 15:33, Moritz Mühlenhoff  wrote:
> >
> > On Sat, Sep 09, 2017 at 09:05:49PM +0200, Lisandro Damián Nicanor Pérez 
> > Meyer wrote:
> > > Source: grantlee
> > > Version: 0.4.0-4
> > > Severity: wishlist
> > > User: debian-qt-kde@lists.debian.org
> > > Usertags: qt4-removal
> >
> > The changelog mentions that as of 5.0.0 upstream switched to Qt5.
> 
> Currently the archive has both versions. The Qt4 one will get removed
> once it has no rdeps or Qt4 is finally ditched.

With the removal of kdepim4 there are no reverse dependencies left,
so I've just filed a removal request.

Cheers,
Moritz



Bug#934267: kconfig: CVE-2019-14744

2019-08-08 Thread Moritz Mühlenhoff
On Thu, Aug 08, 2019 at 11:29:25PM +0200, Salvatore Bonaccorso wrote:
> Source: kconfig
> Version: 5.54.0-1
> Severity: grave
> Tags: patch security upstream
> Justification: user security hole
> Control: found -1 5.28.0-2
> Control: clone -1 -2
> Control: reassign -2 src:kde4libs 4:4.14.38-3
> Control: retitle -2 kde4libs: CVE-2019-14744
> Control: found -2 4:4.14.26-2
> 
> Hi,
> 
> The following vulnerability was published for kconfig.
> 
> CVE-2019-14744[0]:
> | In KDE Frameworks KConfig before 5.61.0, malicious desktop files and
> | configuration files lead to code execution with minimal user
> | interaction. This relates to libKF5ConfigCore.so, and the mishandling
> | of .desktop and .directory files, as demonstrated by a shell command
> | on an Icon line in a .desktop file.

JFTR, I've prepared updates for Stretch/Buster, which should go out tomorrow.

Cheers,
Moritz



Bug#874908: [grantlee] Future Qt4 removal from Buster

2019-07-05 Thread Moritz Mühlenhoff
On Sat, Sep 09, 2017 at 09:05:49PM +0200, Lisandro Damián Nicanor Pérez Meyer 
wrote:
> Source: grantlee
> Version: 0.4.0-4
> Severity: wishlist
> User: debian-qt-kde@lists.debian.org
> Usertags: qt4-removal

The changelog mentions that as of 5.0.0 upstream switched to Qt5.

Cheers,
Moritz



Bug#876905: qtwebkit should not be release with buster

2019-04-02 Thread Moritz Mühlenhoff
On Fri, Mar 22, 2019 at 05:45:56PM -0300, Lisandro Damián Nicanor Pérez Meyer 
wrote:
> El jue., 21 mar. 2019 09:33, Thierry fa...@linux.ibm.com <
> thie...@linux.ibm.com> escribió:
> 
> > On Tue, 26 Sep 2017 22:15:12 +0300 Adrian Bunk  wrote:
> > > Source: qtwebkit
> > > Version: 2.3.4.dfsg-9.1
> > > Severity: serious
> > > Tags: buster sid
> > >
> > > qtwebkit should not be release with buster
> > > (RC bugs are already open against all r-deps).
> > >
> > >
> >
> > As version 2.3.4.dfsg-10 is part of buster what do we do with that bug ?
> 
> 
> Truth is we can't even agree inside the team. Some of us think we should
> just remove it alongside whatever hasn't been ported, some think we should
> not.
> 
> Now in my *very personal* opinion: even if it's not supported by the
> security team I think it should keep the RC status if released with buster.
> It's a pile of security bugs in one single package.

qtwebkit hasn't been security-supported in any Debian release it was ever
present in. Does it really make sense to remove it now so close to the
buster release (with all kinds of unpredictable fallout on kde4libs)?

Wouldn't it be better to wait until after the buster release and then aggressively
bump all the remaining Qt4/KDE4 packages to RC severity the day after the buster
release so that automated testing removals can do their magic (and file
RM bugs a few months later)?

Cheers,
Moritz



Re: security update for okular in Stretch

2018-09-23 Thread Moritz Mühlenhoff
On Thu, Sep 20, 2018 at 10:58:23PM +0200, Thorsten Alteholz wrote:
> Hi everybody,
> 
> in case you are interested, this is the debdiff to fix CVE-2018-1000801 of
> okular in Stretch.

Thanks! I've uploaded a fixed package and just released it as DSA 4303.

Cheers,
Moritz



Re: CVE-2018-10380: kwallet-pam: Access to privileged files

2018-05-09 Thread Moritz Mühlenhoff
On Fri, May 04, 2018 at 09:10:47PM +0200, Maximiliano Curia wrote:
> ¡Hola Moritz!
> 
> El 2018-05-03 a las 23:18 +0200, Maximiliano Curia escribió:
> > ¡Hola Moritz!
> 
> > El 2018-05-03 a las 22:56 +0200, Moritz Muehlenhoff escribió:
> > > On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> > > > Hi,
> 
> > > > Following up the upstream announcement of a security flaw in
> > > > kwallet-pam [1] I would like to upload the upstream fixes to
> > > > stretch. All the versions prior the (not yet released) 5.12.6 are
> > > > affected by this. The fix was backported by upstream to plasma 5.8,
> > > > which is what we shipped in stretch.
> 
> > > > The latest 5.8 upstream version (5.8.9), only has a version bump,
> > > > and a minor translation update, which are not relevant. [2]
> 
> > > > I have already uploaded the fixes to unstable.
> 
> > > > I'm attaching the corresponding debdiff.
> 
> > > Looks good. Please build with -sa since kwallet-pam is new in 
> > > stretch-security
> > > and upload to security-master. I'll take care of the DSA.
> 
> > Uploaded, thanks for taking care of this!
> 
> If the patched versions are still not published, please don't publish
> them, there are a couple of reported regressions with the patches as is.
> 
> https://bugs.kde.org/show_bug.cgi?id=393856
> 
> https://bugs.debian.org/897687
> 
> https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1769187
> 
> https://bugs.archlinux.org/task/58446?project=1=kwallet-pam
> 
> I'm really sorry about this.

Is the stderr fix all that was needed in addition? If so, can you
upload a revised package?

Cheers,
Moritz



Re: CVE-2018-10380: kwallet-pam: Access to privileged files

2018-05-04 Thread Moritz Mühlenhoff
On Fri, May 04, 2018 at 09:10:47PM +0200, Maximiliano Curia wrote:
> ¡Hola Moritz!
> 
> El 2018-05-03 a las 23:18 +0200, Maximiliano Curia escribió:
> > ¡Hola Moritz!
> 
> > El 2018-05-03 a las 22:56 +0200, Moritz Muehlenhoff escribió:
> > > On Thu, May 03, 2018 at 07:29:42PM +0200, Maximiliano Curia wrote:
> > > > Hi,
> 
> > > > Following up the upstream announcement of a security flaw in
> > > > kwallet-pam [1] I would like to upload the upstream fixes to
> > > > stretch. All the versions prior the (not yet released) 5.12.6 are
> > > > affected by this. The fix was backported by upstream to plasma 5.8,
> > > > which is what we shipped in stretch.
> 
> > > > The latest 5.8 upstream version (5.8.9), only has a version bump,
> > > > and a minor translation update, which are not relevant. [2]
> 
> > > > I have already uploaded the fixes to unstable.
> 
> > > > I'm attaching the corresponding debdiff.
> 
> > > Looks good. Please build with -sa since kwallet-pam is new in 
> > > stretch-security
> > > and upload to security-master. I'll take care of the DSA.
> 
> > Uploaded, thanks for taking care of this!
> 
> If the patched versions are still not published, please don't publish
> them, there are a couple of reported regressions with the patches as is.
> 
> https://bugs.kde.org/show_bug.cgi?id=393856
> 
> https://bugs.debian.org/897687
> 
> https://bugs.launchpad.net/ubuntu/+source/kwallet-pam/+bug/1769187
> 
> https://bugs.archlinux.org/task/58446?project=1=kwallet-pam
> 
> I'm really sorry about this.

That's great timing :-)

I was about to test and release the update this evening, but I'll
put in on hold for now.

Cheers,
Moritz



Accepted plasma-workspace 4:5.8.6-2.1+deb9u1 (source amd64) into proposed-updates->stable-new, proposed-updates

2018-02-23 Thread Moritz Mühlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 14 Feb 2018 00:03:33 +0100
Source: plasma-workspace
Binary: plasma-workspace-dev plasma-workspace-wayland plasma-workspace 
libkworkspace5-5 libplasma-geolocation-interface5 libtaskmanager6 
libweather-ion7 sddm-theme-breeze sddm-theme-debian-breeze
Architecture: source amd64
Version: 4:5.8.6-2.1+deb9u1
Distribution: stretch-security
Urgency: medium
Maintainer: Debian/Kubuntu Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Moritz Mühlenhoff <j...@debian.org>
Description:
 libkworkspace5-5 - Plasma Workspace for KF5 library
 libplasma-geolocation-interface5 - Plasma Workspace for KF5 library
 libtaskmanager6 - Plasma Workspace for KF5 library
 libweather-ion7 - Plasma Workspace for KF5 library
 plasma-workspace - Plasma Workspace for KF5
 plasma-workspace-dev - Plasma Workspace for KF5 devel files
 plasma-workspace-wayland - Plasma Workspace for KF5 - Wayland integration
 sddm-theme-breeze - Breeze SDDM theme
 sddm-theme-debian-breeze - Debian Breeze SDDM theme
Changes:
 plasma-workspace (4:5.8.6-2.1+deb9u1) stretch-security; urgency=medium
 .
   * CVE-2018-6791
Checksums-Sha1:
 73ea2a9539c686668f8aa260bfe0e8c916612be8 4616 
plasma-workspace_5.8.6-2.1+deb9u1.dsc
 d28a325db971c197df77ce7ede2c514387ada65b 6992264 
plasma-workspace_5.8.6.orig.tar.xz
 72b07f71656217cb0f7e69dab60c97ad5bc19fbe 31388 
plasma-workspace_5.8.6-2.1+deb9u1.debian.tar.xz
 cd2974ce6b165ed1e88b548d0d2c0ce627b09e65 837502 
libkworkspace5-5-dbgsym_5.8.6-2.1+deb9u1_amd64.deb
 b7be7c1f0dd2cc6ca59cdbbe9e8359d47a44c4eb 54536 
libkworkspace5-5_5.8.6-2.1+deb9u1_amd64.deb
 6e00fbf2c182bf3fbda3d40cec3ce4a551b496fa 281026 
libplasma-geolocation-interface5-dbgsym_5.8.6-2.1+deb9u1_amd64.deb
 dd0ccde9e8efed958c92a8502e2c7247801a3cc2 30188 
libplasma-geolocation-interface5_5.8.6-2.1+deb9u1_amd64.deb
 d06547a8518dd74f85f3f84d0b552042c4857afc 2130594 
libtaskmanager6-dbgsym_5.8.6-2.1+deb9u1_amd64.deb
 6ea7c85485f0306655f01431cc6f4f18744d23f1 133158 
libtaskmanager6_5.8.6-2.1+deb9u1_amd64.deb
 d03c46f1fc314d035bec9e0b7af4e8463eeb801a 304458 
libweather-ion7-dbgsym_5.8.6-2.1+deb9u1_amd64.deb
 73d5f7c09b1e9e268a85aa7452a7284f48fee5e5 25638 
libweather-ion7_5.8.6-2.1+deb9u1_amd64.deb
 0369984ad8b321bcb5f0389f2c3c32c400ce08cd 62872340 
plasma-workspace-dbgsym_5.8.6-2.1+deb9u1_amd64.deb
 118c1d62f3808766eae8c258ca2c0b874f2dbaf7 49546 
plasma-workspace-dev_5.8.6-2.1+deb9u1_amd64.deb
 f19e1c7ad789897a1368a8f9862c0f0602c2166a 24318 
plasma-workspace-wayland_5.8.6-2.1+deb9u1_amd64.deb
 e22bedfb83cfdf0f0ed93db74cbd2a6e3a795970 31521 
plasma-workspace_5.8.6-2.1+deb9u1_amd64.buildinfo
 5f92592f01e25c7b98618b3247c1efce941aabd6 7374556 
plasma-workspace_5.8.6-2.1+deb9u1_amd64.deb
 b83c0b651bcd00f8eec251d649174f8dd5cbeb14 827312 
sddm-theme-breeze_5.8.6-2.1+deb9u1_amd64.deb
 0ff411aa053a0fb8ff2ae398afe527923cd8cb03 21124 
sddm-theme-debian-breeze_5.8.6-2.1+deb9u1_amd64.deb
Checksums-Sha256:
 e8807cc8768c7b50143c521911e1f20402346d6cacd78e40139d4bd523f2c359 4616 
plasma-workspace_5.8.6-2.1+deb9u1.dsc
 51ab8b5f4c33c83fb64eb3f27561f3699b12b5e5c9fa7d38b73d93e57da50192 6992264 
plasma-workspace_5.8.6.orig.tar.xz
 d2a4a7ed1a3704dc3cead520a35196193875f26ca5a34cef97296e0d83dd9ccc 31388 
plasma-workspace_5.8.6-2.1+deb9u1.debian.tar.xz
 a0ab3713f56a2a8246e2538231a77bf2fae1ff3293118d0b7224ee6d8e0d7589 837502 
libkworkspace5-5-dbgsym_5.8.6-2.1+deb9u1_amd64.deb
 35af948527f6a3e6a92ea9d3a90f3d7d12cd8a7ccebf641a989585a8df355ba5 54536 
libkworkspace5-5_5.8.6-2.1+deb9u1_amd64.deb
 9c7f2350b1171f928b446434cd615203576f284340a523fe4751ca98f13154b2 281026 
libplasma-geolocation-interface5-dbgsym_5.8.6-2.1+deb9u1_amd64.deb
 bcbf3415590dfcef31f1a9c236454b23c276d8358ff0b4b042312394d417629a 30188 
libplasma-geolocation-interface5_5.8.6-2.1+deb9u1_amd64.deb
 8bdacb15ed08c40dc8e81149816a81eecbaf4d9ec2e673b97e3d756107d9a9d9 2130594 
libtaskmanager6-dbgsym_5.8.6-2.1+deb9u1_amd64.deb
 fd75c18944bdde76fa39516b0cd1d3e0a8125c13e8e64e4f19b006256ed20518 133158 
libtaskmanager6_5.8.6-2.1+deb9u1_amd64.deb
 78f8f2e4f327781f0cff54d61d5dfdb68507e875c3d677a895ea1dc8acba1b10 304458 
libweather-ion7-dbgsym_5.8.6-2.1+deb9u1_amd64.deb
 57ac4015cef9c800659d9f9227eaa41058ef71a7776d209cb199f50277887b52 25638 
libweather-ion7_5.8.6-2.1+deb9u1_amd64.deb
 3bac25320fd978a1b8d98bbbd6b60d3ded20a81358cf6524f671d959e45da793 62872340 
plasma-workspace-dbgsym_5.8.6-2.1+deb9u1_amd64.deb
 c47b1aa31c3be7250219915eb907be75c0c3f5811d333489cf20d163a941fc7d 49546 
plasma-workspace-dev_5.8.6-2.1+deb9u1_amd64.deb
 10a2b7b973899a5cd6a55145fa1303bae5c5577df0d010b2a090857f2e220520 24318 
plasma-workspace-wayland_5.8.6-2.1+deb9u1_amd64.deb
 9a4d0c9df3484733b112fe25371ad08e67ac97c834457a8faa4ceeb370fcee4d 31521 
plasma-workspace_5.8.6-2.1+deb9u1_amd64.buildinfo
 833dd9862db0ab75a60d0341da8e87e49b2d2a00716cd779ea9007dad173cd6b 7374556 
plasma-workspace_5.8.6-2.1+deb9u1_amd64.deb
 3b96d6654511eed4d136575cbd0737bc10296fe4184c604ba2fd0848c1e9923b 

Bug#842498: your mail

2017-03-20 Thread Moritz Mühlenhoff
On Mon, Feb 13, 2017 at 11:06:17PM +0100, Moritz Mühlenhoff wrote:
> On Wed, Nov 09, 2016 at 05:38:46PM +0100, Bálint Réczey wrote:
> > clone 842498 -1
> > retitle 842498 kde-runtime: Command displayed by kdesu truncated by unicode 
> > string terminator (CVE-2016-7787)
> > reassign -1 kdesudo 3.4.2.4-2
> > thanks
> 
Dear KDE maintainers,
the bug meta data suggest CVE-2016-7787 might also affect src:kde-runtime,
can you please comment on this? Does it need a fix for stretch?

Cheers,
Moritz




Bug#842498: your mail

2017-02-13 Thread Moritz Mühlenhoff
On Wed, Nov 09, 2016 at 05:38:46PM +0100, Bálint Réczey wrote:
> clone 842498 -1
> retitle 842498 kde-runtime: Command displayed by kdesu truncated by unicode 
> string terminator (CVE-2016-7787)
> reassign -1 kdesudo 3.4.2.4-2
> thanks

Dear KDE maintainers,
the bug meta data suggest CVE-2016-7787 might also affect src:kde-runtime,
can you please comment on this? Does it need a fix for stretch?

Cheers,
Moritz



Bug#850954: CVE-2016-10040

2017-01-11 Thread Moritz Mühlenhoff
Lisandro Damián Nicanor Pérez Meyer wrote:
> > Maybe the next QT upload should simply add a note to the
> > changelog that it's unsupported. Do we have any notable
> > users of QXmlSimpleReader in stretch? Probably not.
> 
> I'm afraid we do:
> 
>  %3E=1>
> 
> Granted, we need to distinguish between Qt4 and Qt5 users of it.
> 
> What's not clear to me from Thiago's mail is if this bug is still present in 
> Qt >= 5.5 or he's referring to another corner case.

No idea, but it sounds to me as if that's still in 5.5 since the
class is more or less unmaintained.

Cheers,
Moritz



Bug#815360: Bug#795428: OpenSLP 1.2 should not be part of stretch

2016-05-10 Thread Moritz Mühlenhoff
On Sun, Feb 21, 2016 at 12:20:52AM +, Julien Cristau wrote:
> Control: clone -1 -2 -3 -4 -5 -6 -7 -8
> Control: reassign -2 cups 2.1.3-1
> Control: retitle -2 cups: build-depends on libslp-dev
> Control: reassign -3 kde-runtime 4:15.08.3-1
> Control: retitle -3 kde-runtime: build-depends on libslp-dev
> Control: reassign -4 kio-extras 4:15.08.3-1
> Control: retitle -4 kio-extras: build-depends on libslp-dev
> Control: reassign -5 nis 3.17-34
> Control: retitle -5 nis: build-depends on libslp-dev
> Control: reassign -6 ola 0.9.8-1
> Control: retitle -6 ola: build-depends on libslp-dev
> Control: reassign -7 openldap 2.4.42+dfsg-2
> Control: retitle -7 openldap: build-depends on libslp-dev
> Control: reassign -8 roaraudio 1.0~beta11-5
> Control: retitle -8 roaraudio: build-depends on libslp-dev
> 
> On Thu, Aug 13, 2015 at 23:55:59 +0200, Moritz Muehlenhoff wrote:
> 
> > Source: openslp-dfsg
> > Severity: serious
> > 
> > The last maintainer upload of openslp happened in 2007
> > and it's orphaned for 5.5 years now. The 1.2 branch is
> > completely abandoned upstream.
> > 
> > At the minimum the package should be upgraded to 2.0,
> > but the comment at
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5177
> > suggests it's completely abandoned upstream.
> > 
> Cloning the bug against the reverse dependencies.

Dear KDE maintainers,
this seems to be a forgotten/unused build dep? While kde-runtime build depends
on libslp-dev, none of the binary packages actually link against it.

Cheers,
Moritz



Bug#785855: qtmobility: Please update to GStreamer 1.x

2015-09-16 Thread Moritz Mühlenhoff
On Wed, May 20, 2015 at 01:32:13PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> On Wednesday 20 May 2015 13:11:45 Lisandro Damián Nicanor Pérez Meyer wrote:
> [snip]
> > I think it's time to remove qtmobility from the archive.
> > 
> > That would break actionaz, marble, monav and tupi though.
> 
> marble uses qtmobility only on linux, so it might simply remove the B-D
> 
> tupi has a qt5 version in experimental

tupi and actionaz have been fixed and monav is already removed
from testing, which leaves marble. How about removing marble
and qtmobility from testing until marble has been fixed?

Cheers,
Moritz



Bug#755359: [kdm] systemd seem to fail to start display-manager.service

2015-04-03 Thread Moritz Mühlenhoff
On Fri, Apr 03, 2015 at 09:05:17AM +0200, John Paul Adrian Glaubitz wrote:
> On 04/02/2015 10:15 PM, Moritz Mühlenhoff wrote:
> > My patch from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754314
> > retains the kdmrc customisation currently present in the sysvinit script;
> > maybe you can fold that one into your patch?
>
> Hmm, I haven't realized that the display manager's configuration file is
> touched by the init script. I think that's definitely going beyond what
> an init script is supposed to do.

Yeah, but I think the behaviour of the systemd unit should retain the
established behaviour of the sysvinit script.

> I also noticed that the systemd service file you wrote contains an
> [Install] section but this section is not allowed in service files
> for display managers at the time being since their service files
> are installed through the debconf mechanism when configuring the
> default display manager. This is also the reason why you are having
> problems activating the service.

Yeah, the logic to handle display managers appeared later, my patch
is nearly nine months old by now and much has changed in the systemd
Debian integration.

> OTOH, I was a bit surprised to see that you removed the ConsoleKit
> dependency. I wasn't even aware that kdm actually supports logind,
> does it?

See the references in my original bug submission.

> Maybe we can come up with a good patch if we merge both our patches
> into one that incorporates all important aspects discussed above.

I'd be in favour of adding the ExecStartPre of kdm-debian-setup-config
(but I'm unsure whether people actually use this), but I won't be able
to spend further time on this ATM.

Cheers,
Moritz


-- 
To UNSUBSCRIBE, email to debian-qt-kde-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20150403195826.GA18811@pisco.westfalen.local



Bug#755359: [kdm] systemd seem to fail to start display-manager.service

2015-04-02 Thread Moritz Mühlenhoff
On Thu, Apr 02, 2015 at 04:20:06PM +0200, John Paul Adrian Glaubitz wrote:
> On 04/02/2015 12:57 PM, John Paul Adrian Glaubitz wrote:
> > Attaching a debdiff with the proposed changes to the kde-workspace
> > source package which will add systemd support to kdm.
>
> Attaching a cleaned up revision of the patch where I fixed the tab stops
> and added an additional line in the debian/changelog to indicate that
> the file debian/kdm.service was added to the source package.

Hi John,
Thanks for working on this. I had previously also worked on a systemd unit
last year but due to the lack of feedback from KDE maintainers I stopped
working on it.

My patch from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=754314
retains the kdmrc customisation currently present in the sysvinit script;
maybe you can fold that one into your patch?

Cheers,
Moritz


Archive: https://lists.debian.org/20150402201542.GD21714@pisco.westfalen.local



Bug#779550: qt4-x11: CVE-2015-0295

2015-03-15 Thread Moritz Mühlenhoff
On Mon, Mar 02, 2015 at 03:37:03PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> On Monday 02 March 2015 18:20:22 Moritz Muehlenhoff wrote:
> > On Mon, Mar 02, 2015 at 07:32:11PM +0300, Dmitry Shachnev wrote:
> > > clone -1 -2
> > > reassign -2 libqt5gui5 5.3.2+dfsg-4
> > > thanks
> > >
> > > On Mon, 02 Mar 2015 10:18:40 -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> > > > And we have the same bug for Qt5 too.
> > > >
> > > > Moritz, do you think it's grave enough to update jessie via standard
> > > > methods?
> > > >
> > > > mm, now that I remember we need a tpu for qt5 /o\
> > >
> > > I think it should not be RC for Qt 5, as we have no DEs in archive
> > > using Qt 5.
> > >
> > > Re Qt 4, this can be fixed via unstable so I don't see why not to do it.
> > > But I want to hear Moritz' opinion first.
> >
> > Agreed, I didn't file both as RC since it doesn't allow code injection.
> > For Wheezy we can either fix it along with a potential future DSA or
> > address it via a stable point update.
> >
> > Both can be fixed for jessie via unstable upload+unblock. They're
> > security bugs within the limits of what the release managers unblock
> > at this point of the freeze.
>
> Not Qt5 due to an involuntary upload of some X thing that changed build
> dependencies. Qtbase should go through TPU :-/

Is this planned during the freeze? Otherwise we can fix it along with a later
point update or security update for jessie.

Cheers,
Moritz


Archive: https://lists.debian.org/20150315200532.GF20177@pisco.westfalen.local



Bug#769632: kde-runtime: CVE-2014-8600: Insufficient Input Validation By IO Slaves and Webkit Part

2014-12-09 Thread Moritz Mühlenhoff
On Sat, Nov 15, 2014 at 08:25:41AM +0100, Salvatore Bonaccorso wrote:
> Source: kde-runtime
> Version: 4:4.8.4-2
> Severity: normal
> Tags: security upstream patch fixed-upstream
>
> Hi,
>
> the following vulnerability was published for kde-runtime.
>
> CVE-2014-8600[0]:
> Insufficient Input Validation By IO Slaves and Webkit Part
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Could you please fix this for jessie?

Cheers,
Moritz

>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2014-8600
> [1] https://www.kde.org/info/security/advisory-20141113-1.txt
> [2] http://quickgit.kde.org/?p=kde-runtime.git&a=commit&h=d68703900edc8416fbcd2550cd336cbbb76decb9
>
> Regards,
> Salvatore
>
>


Archive: https://lists.debian.org/20141209211607.GA23451@pisco.westfalen.local



Bug#766796: konqueror: Konqueror is vulnerable to the Poodle attack

2014-10-26 Thread Moritz Mühlenhoff
severity 766796 important
thanks

On Sat, Oct 25, 2014 at 11:50:40PM +0200, Patrick Häcker wrote:
> Package: konqueror
> Version: 4:4.14.1-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> according to https://www.poodletest.com/ Konqueror is still vulnerable to the
> Poodle attack.
> If this is only fixable in KHTML or WebKit, please move the bug there.
>
> As all the other major browsers plan to deactivate SSLv3 support in the near
> future, Konqueror should probably do so as well for Jessie.

Konqueror is not covered by security support, so this is not release-critical.

Cheers,
Moritz


Archive: https://lists.debian.org/20141026123905.GA6631@pisco.westfalen.local



Bug#754314: systemd support for kdm

2014-08-14 Thread Moritz Mühlenhoff
On Tue, Aug 12, 2014 at 10:43:11AM +0200, Michael Biebl wrote:
> Hi,
>
> On Thu, Jul 17, 2014 at 05:17:23PM +0200, Moritz Muehlenhoff wrote:
> > On Mon, Jul 14, 2014 at 06:34:40PM +0200, Moritz Mühlenhoff wrote:
> > > On Wed, Jul 09, 2014 at 10:16:07PM +0200, Moritz Muehlenhoff wrote:
> > > > Source: kde-workspace
> > > > Severity: wishlist
> > > > Tags: patch
> > > >
> > > > activation of the service
> > > > -
> > > >
> > > > After installation of the updated package the service isn't enabled
> > > > by default. You'll need to run systemctl enable kdm.service for
> > > > that. I'm not sure how the default display manager is handled if
> > > > several systemd units are installed, so it's probably for the best
> > > > right now.
> > >
> > > Michael Stapelberg explained to me that the unit file needs an additional
> > > WantedBy=multi-user.target which would resolve this.
> >
> > This doesn't seem to be sufficient, I still need to enable the service manually
> > ATM.
>
> This issue was discussed during the systemd/GNOME sprint this spring.
> I.e. how the display-manager.service symlink is supposed to be managed
> when multiple display managers are installed.
>
> lightdm and gdm3 are already updated to support this scheme, so I'm bringing
> their maintainers into the loop here.
> Please coordinate with them when adding systemd support to kdm.

We should really wrap this into some common code, which is included from
the respective display managers! I've looked into lightdm and gdm3 and
they already diverge (lightdm misses the removal code present for gdm3).
After all, this affects wdm and xdm as well.

Cheers,
Moritz


Archive: https://lists.debian.org/20140814202916.GA6931@pisco.westfalen.local



Bug#755814: kde4libs: CVE-2014-5033

2014-08-06 Thread Moritz Mühlenhoff
On Thu, Jul 31, 2014 at 09:07:22PM +0200, Felix Geyer wrote:
> Hi Moritz,
>
> On Wed, 23 Jul 2014 16:05:25 +0200 Moritz Muehlenhoff <j...@inutil.org> wrote:
> > Package: kde4libs
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Hi,
> > please see https://bugzilla.novell.com/show_bug.cgi?id=864716 for the original
> > bug report. The upstream fix is available here:
> > http://quickgit.kde.org/?p=kdelibs.git&a=commit&h=e4e7b53b71e2659adaf52691d4accc3594203b23
> >
> > We should also fix this in Wheezy.
>
> Attached is a debdiff that adds the upstream patch to kde4libs/wheezy.
> I've tested that kauth still works (e.g. changing the display manager setting
> in system settings).
> Please let me know if I can go ahead and upload it to the security archive.

Please build with -sa (since this is the first wheezy security update for
kde4libs) and upload to security-master.

I'm mostly offline until next week, if noone gets to it earlier, I'll
deal with it in a week.

Thanks,
Moritz


Archive: https://lists.debian.org/20140806200015.GA12961@pisco.westfalen.local



Bug#754314: systemd support for kdm

2014-07-14 Thread Moritz Mühlenhoff
On Wed, Jul 09, 2014 at 10:16:07PM +0200, Moritz Muehlenhoff wrote:
> Source: kde-workspace
> Severity: wishlist
> Tags: patch
>
> activation of the service
> -
>
> After installation of the updated package the service isn't enabled
> by default. You'll need to run systemctl enable kdm.service for
> that. I'm not sure how the default display manager is handled if
> several systemd units are installed, so it's probably for the best
> right now.

Michael Stapelberg explained to me that the unit file needs an additional
WantedBy=multi-user.target which would resolve this.

Maybe we should upload a systemd-enabled version of kde-workspace/kdm
to experimental so that people running into bugs under systemd
(e.g. #743649 and #754257) can try it out?

Cheers,
Moritz


Archive: https://lists.debian.org/20140714163440.GC3048@pisco.westfalen.local



Re: KDE/jessie feedback

2014-04-14 Thread Moritz Mühlenhoff
On Sat, Apr 05, 2014 at 05:29:30PM +0200, Sune Vuorela wrote:
> Phonon-vlc upstream is much more active than the phonon-gstreamer from my
> impression, and phonon upstream does recommend phonon-vlc to be the default.
> But fedora ships phonon-gstreamer as the default.

JFTR, I'm fine with keeping VLC if you prefer it over gstreamer, but
I was curious what Ubuntu people are doing and Kubuntu 14.04 uses
gstreamer as well (not sure about earlier releases).

Cheers,
Moritz


Archive: https://lists.debian.org/20140414155934.GA13731@pisco.westfalen.local



Re: KDE/jessie feedback

2014-04-09 Thread Moritz Mühlenhoff
On Sat, Apr 05, 2014 at 05:29:30PM +0200, Sune Vuorela wrote:
> Hi Moritz
>
> Thank you for your mail. I'll go thru your three topics.
>
> > - With the default desktop there're notifications on new updates, but the
> > standard tool (I'm not sure which it is precisely) only offers a
> > notification, but no GUI-way to install the upgrades. I've tried apper and
> > it seems to offer that, maybe that should be the standard tool?
>
> Apper should be pulled in by the kde desktop task and thus available, but I'm
> aiming to replace it with the kubuntu-originating tool 'muon'.

Great! From my experience with non-technical users running KDE the lack of
proper GUI updates is the only technical hurdle of KDE in Wheezy (if that
thing pops up, you need to run Konsole and type in that cryptic message
you wrote down). If that's fixed that's very nice. muon doesn't seem to
be in sid or experimental, I'll give it some testing once available.

> > - In the default install dragonplayer is installed (and it's a hard
> > dependency from the meta packages). However, with dragonplayer many videos
> > I tried only played the sound of the video, not the actual video. I need to
> > debug that further, maybe there's a dependency missing. Overall mpv seems
> > the superior choice to me (it's not a KDE component, of course, but it
> > integrates very well and it has a clean design while still being very
> > powerful).
>
> We try hard to select packages based on what KDE provides, and dragonplayer is
> the player provided here. Also, I think it is important that the media player
> by default is honoring the settings in System Settings. Only applications
> built upon phonon fully do that.
> Do you have the vlc package installed? Phonon-backend-vlc does have a
> recommends: vlc for helping with video playing capabilities, and Recommends
> should be installed on all normal systems or else you get to keep the pieces.

That in fact fixes it. Maybe a Depends is more appropriate, w/o vlc installed
hardly any of the media files I tested played with video?

> > - One issue we discussed during the security team meeting in Essen is VLC.
> > Upstream focuses on people upgrading to new upstream releases and it's
> > difficult to extract security fixes. Unfortunately VLC builds a library
> > with Phonon being the major user, so upgrading to new upstream releases
> > will break things. Since Phonon also supports Gstreamer as a backend (which
> > is more stable API-wise and supportable), what do you think of switching
> > Phonon over to Gstreamer?
>
> can't you just rebuild phonon if you upload a newer VLC? I guess release team
> don't like transitions in stable, but ...

Unfortunately the VLC API isn't stable, e.g. 2.1.0 made a soname bump. That
would cause quite a bit of churn and we'd really like to avoid changing multiple
reverse deps along with VLC. Working on VLC is tedious enough on its own.

> Phonon-vlc upstream is much more active than the phonon-gstreamer from my
> impression, and phonon upstream does recommend phonon-vlc to be the default.
> But fedora ships phonon-gstreamer as the default.
>
> I do have a preference for not going against upstream's wishes here, so I would
> prefer if we could find a solution where we follow upstream's wishes.

Ok, you should better be following the upstream recommendation for now. Is there
any hope that KDE 5 will move to some QT5 multimedia classes which make VLC
a thing of the past?

Cheers,
Moritz


Archive: https://lists.debian.org/20140409203945.GA5695@pisco.westfalen.local



Bug#725887: Dropping NAS support

2013-12-03 Thread Moritz Mühlenhoff
On Sat, Oct 19, 2013 at 04:01:45PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> On Saturday 19 October 2013 13:48:08 Moritz Mühlenhoff wrote:
> [snip]
> > > Hi Moritz!
> > >
> > > The popcon is indeed low. But I also noted that libaudio2 is a very
> > > small package (~175 kB uncompressed in amd64) and having the lib itself
> > > installed is not a big problem as far as I understand (or does it trigger
> > > something else I'm not aware of?)
> >
> > nas recently had a DSA security update and when I tested the packages I
> > wondered about the high popcon of libaudio2 in comparison to the actual nas
> > server.
> >
> > How is the sound output configured in QT? Is it a system-wide setting (i.e.
> > a system with libaudio2 installed is only exploitable if QT is configured
> > to use NAS)?
>
> Qt can only use NAS if and only if it's built with NAS support. Sadly this
> doesn't generate an extra plugin or such, but integrates in libQtGui
> itself.
>
> So either we keep it or fully remove it.

I don't have a strong opinion on this issue, if you feel NAS is still useful
for some users, please simply close the bug.

Cheers,
Moritz


Archive: http://lists.debian.org/20131203173157.GF4967@pisco.westfalen.local



Re: Bug#725887: Dropping NAS support

2013-10-19 Thread Moritz Mühlenhoff
On Thu, Oct 10, 2013 at 11:50:28AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> tag 725887 moreinfo
> thanks
>
> On Wednesday 09 October 2013 18:54:24 Moritz Muehlenhoff wrote:
> > Package: qt4-x11
> > Severity: normal
> >
> > I suggest to remove NAS support from libqtgui4 or move it to a separate
> > module which can be installed selectively. NAS is a vintage sound
> > server and unlikely to be present on modern desktop system (since it
> > would also fight with pulseaudio over sound device control).
> >
> > Passing -no-nas-sound to configure and dropping the build-dep on
> > libaudio-dev resolves this.
> >
> > QT seems to be the main culprit for the relatively large installed base
> > of libaudio2 compared to the NAS sound server itself:
> > http://qa.debian.org/popcon.php?package=nas
>
> Hi Moritz!
>
> The popcon is indeed low. But I also noted that libaudio2 is a very small
> package (~175 kB uncompressed in amd64) and having the lib itself installed
> is not a big problem as far as I understand (or does it trigger something
> else I'm not aware of?)

nas recently had a DSA security update and when I tested the packages I wondered
about the high popcon of libaudio2 in comparison to the actual nas server.

How is the sound output configured in QT? Is it a system-wide setting (i.e. a
system with libaudio2 installed is only exploitable if QT is configured to
use NAS)?

Cheers,
Moritz



>
> Yesterday I checked the possibility of adding it as a separate module but it
> seems there is no way to do that.
>
> So, unless there is the intention of removing nas from Debian [0], I don't
> think I'll remove the support.
>
> [0] For which I would wait for proper bugs+usertagging
>
> Kind regards, Lisandro.
>
> --
>
> Lisandro Damián Nicanor Pérez Meyer
> http://perezmeyer.com.ar/
> http://perezmeyer.blogspot.com/



Archive: http://lists.debian.org/20131019114807.GA6110@pisco.westfalen.local



Bug#590147: Upgrade

2012-05-27 Thread Moritz Mühlenhoff
On Mon, Nov 29, 2010 at 11:28:31AM +0200, Modestas Vainius wrote:
> > The two are from my point of view RC
>
> No, the first part is not RC because:
>
> 1) it is rare enough
> 2) there is no data loss involved
>
> There is no info about the 2nd part and according to upstream, the bug has
> been there since etch (!!!) meaning two debian stable releases already have
> it. However, the debian bug has only been reported recently. This tells a lot
> about commodity of this bug.
>
> You may argue as much as you want but probability of this getting fixed is
> nearly 0% since it has not been fixed for many years and there is obvious
> lack of information. What is more, metakit has no future. Once akregator is
> rewritten based on akonadi, this will go away.

I propose to downgrade this to non-RC severity. If at all, it's a rare
corner case.

Cheers,
Moritz



Archive: http://lists.debian.org/20120527095007.GA16194@pisco.westfalen.local



Bug#638241: Needs to be adapted to libav/0.7.1

2011-08-31 Thread Moritz Mühlenhoff
tags 638241 patch
thanks

On Wed, Aug 17, 2011 at 10:36:18PM +0200, Moritz Muehlenhoff wrote:
 Package: ffmpegthumbs
 Severity: important
 
 Hi,
 the transition from ffmpeg/0.6.2 to libav/0.7 is planned soonish.
 (libav is a ffmpeg fork, to which Debian will switch, see
 http://en.wikipedia.org/wiki/FFmpeg for more information)
 
 Your package currently fails to build from source when built against
 libav/0.7.2 and needs to be adapted. You can test this yourself by
 building against the packages from experimental:

Attached patch fixes compilation against libav 0.7 and is also usable
for current sid with libav 0.6 (kdemultimedia used deprecated API 
functions, which have finally been removed in 0.7).

Cheers,
Moritz
diff -aur kdemultimedia-4.6.5.orig/ffmpegthumbs/ffmpegthumbnailer/moviedecoder.cpp kdemultimedia-4.6.5/ffmpegthumbs/ffmpegthumbnailer/moviedecoder.cpp
--- kdemultimedia-4.6.5.orig/ffmpegthumbs/ffmpegthumbnailer/moviedecoder.cpp	2011-01-19 23:23:19.0 +0100
+++ kdemultimedia-4.6.5/ffmpegthumbs/ffmpegthumbnailer/moviedecoder.cpp	2011-08-31 10:20:02.0 +0200
@@ -122,7 +122,7 @@
 void MovieDecoder::initializeVideo()
 {
 for (unsigned int i = 0; i  m_pFormatContext-nb_streams; i++) {
-if (m_pFormatContext-streams[i]-codec-codec_type == CODEC_TYPE_VIDEO) {
+if (m_pFormatContext-streams[i]-codec-codec_type == AVMEDIA_TYPE_VIDEO) {
 m_pVideoStream = m_pFormatContext-streams[i];
 m_VideoStream = i;
 break;
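Review bot: as rendered in this message the hunk has lost its `<` and `->` operators (`for (unsigned int i  m_pFormatContext-nb_streams; i++)` and `m_pFormatContext-streams[i]-codec-codec_type`), so it will not apply if pasted from here; use the attached file, which presumably carries the original characters. The substitution itself is correct: the stream type constants moved from `CODEC_TYPE_*` to `AVMEDIA_TYPE_*` (the `AVMediaType` enum in libavutil) in the 0.6 series and the old names are gone in 0.7, which matches the statement above that the patch builds against both sid's libav 0.6 and 0.7. Only if the package is still expected to build against a pre-0.6 ffmpeg would this line need a `LIBAVCODEC_VERSION_INT` guard around the two spellings; otherwise nothing further is needed in this hunk.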


Re: Release notes entry for web browser security support

2011-02-02 Thread Moritz Mühlenhoff
On Wed, Feb 02, 2011 at 07:33:27PM +0100, Julien Cristau wrote:
 On Mon, Jan 10, 2011 at 20:56:01 +0100, Moritz Muehlenhoff wrote:
 
  State of browser support
  
  Debian Squeeze includes several browser engines which are affected by a 
  frequent stream of security vulnerabilities. The high rate of vulnerabilities
  and lack of upstream support in the form of long term branches make it
  close to impossible to support these browsers with backported security
  fixes. Additionally, library interdependencies make it impossible to update to 
  newer upstream releases. As such, browsers built upon the webkit, qtwebkit
  and khtml engines are included in Squeeze, but not covered by full security 
  support. We will make an effort to track down and backport security fixes,
  but in general these browsers should not be used against untrusted websites.
  
  For general web browser use we recommend browsers building on the 
  Mozilla xulrunner engine (Iceweasel and Iceape) or Chromium. Xulrunner
  has had a history of good backportability for older releases over the
  previous release cycles.
  
  Chromium - while built upon the Webkit codebase - is a leaf package, i.e.
  if backporting becomes no longer feasible, there's still the possibility of
  upgrading to a later upstream release (which is not possible for the
  webkit library itself).
  
 Should I include this in the release notes then, or does the webkit part
 need changes?

Slightly modified (including the fact that there's in fact a LTS branch 
by Collabora and Red Hat):

---
Debian Squeeze includes several browser engines which are affected
by a frequent stream of security vulnerabilities. The high rate of
vulnerabilities and partial lack of upstream support in the form of
long term branches make it very difficult to support these browsers
with backported security fixes. Additionally, library interdependencies
make it impossible to update to newer upstream releases. As such,
browsers built upon the qtwebkit and khtml engines are included in
Squeeze, but not covered by full security support. We will make an
effort to track down and backport security fixes, but in general
these browsers should not be used against untrusted websites.

For general web browser use we recommend browsers building on the
Mozilla xulrunner engine (Iceweasel and Iceape), browsers based on
the Webkit engine (e.g. Epiphany) or Chromium. Xulrunner
has had a history of good backportability for older releases over
the previous release cycles.

Chromium - while built upon the Webkit codebase - is a leaf package,
i.e. if backporting becomes no longer feasible, there's still the
possibility of upgrading to a later upstream release (which is not
possible for the webkit library itself).

Webkit is supported by upstream with a long term maintenance branch.
---

Cheers,
Moritz


Archive: http://lists.debian.org/20110202200144.GA4624@pisco.westfalen.local