*** This bug is a security vulnerability ***

Public security bug reported:

A recent upstream release contains two security fixes. All supported Ubuntu releases are affected.

  * SECURITY UPDATE: quasselcore, corruption of heap metadata caused by qdatastream
    - debian/patches/Implement_custom_deserializer.patch: Original patch from upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
    - CVE requested by upstream
  * SECURITY UPDATE: quasselcore, denial of service for unconfigure core
    - debian/patches/Reject_clients_that_attempt_to_login_before_the_core_is_configured.patch: Original patch from upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
    - CVE requested by upstream

I'll be attaching a debdiff for Trusty, but not later releases as that is the only Ubuntu release I still have an interest in. Note that the debian/changelog doesn't have the LP bug number in it since I haven't filed it yet.

The trusty fix is based on the Debian patches for Jessie (Debian 8):

https://salsa.debian.org/qt-kde-team/kde-extras/quassel/tree/jessie

I'm running the fixed version now.

** Affects: quassel (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: quassel (Ubuntu Trusty)
     Importance: Undecided
         Status: Confirmed

** Affects: quassel (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Affects: quassel (Ubuntu Artful)
     Importance: Undecided
         Status: New

** Affects: quassel (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: quassel (Debian)
     Importance: Unknown
         Status: Unknown

** Tags: patch

** Patch added: "Trusty fix"
   https://bugs.launchpad.net/bugs/1767539/+attachment/5129007/+files/quassel.security.debdiff

** Also affects: quassel (Ubuntu Bionic)
     Importance: Undecided
         Status: Confirmed

** Also affects: quassel (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Also affects: quassel (Ubuntu Artful)
     Importance: Undecided
         Status: New

** Also affects: quassel (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Changed in: quassel (Ubuntu Trusty)
       Status: New => Confirmed

** Changed in: quassel (Ubuntu Bionic)
       Status: Confirmed => New

https://bugs.launchpad.net/bugs/1767539

Title:
  Security fixes from 0.12.5 require backfit to earlier releases