Bug 27560

Summary: qtwebsockets5 new security issue CVE-2018-21035
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: andrewsfarm, herman.viaene, ouaurelien, sysadmin-bugs
Version: 7Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7-64-OK
Source RPM: qtwebsockets5-5.12.6-1.mga7.src.rpm CVE: CVE-2018-21035
Status comment:

Description David Walser 2020-11-04 23:42:16 CET 
RedHat has issued an advisory on November 3:
https://access.redhat.com/errata/RHSA-2020:4690
David Walser 2020-12-28 19:02:42 CET

Status comment: (none) => Patch available from RedHat

Comment 1 David Walser 2021-06-22 00:35:01 CEST 
Advisory:
========================

Updated qtwebsockets5 packages fix security vulnerability:

In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames
and 2GB for messages. Smaller limits cannot be configured. This makes it easier
for attackers to cause a denial of service (memory consumption)
(CVE-2018-21035).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21035
https://access.redhat.com/errata/RHSA-2020:4690
========================

Updated packages in core/updates_testing:
========================
qtwebsockets5-5.12.6-1.1.mga7
qtwebsockets5-doc-5.12.6-1.1.mga7
libqt5websockets5-5.12.6-1.1.mga7
libqt5websockets-devel-5.12.6-1.1.mga7

from qtwebsockets5-5.12.6-1.1.mga7.src.rpm

Status comment: Patch available from RedHat => (none)
Assignee: kde => qa-bugs

Comment 2 Herman Viaene 2021-06-22 10:58:37 CEST 
MGA7-64 Plasma on Lenovo B50
No installation issues.
This seems to me like ddeveloper's library, confirmed by
# urpmq --whatrequires qtwebsockets5
lib64qt5websockets-devel
qtwebsockets5
and
# urpmq --whatrequires-recursive qtwebsockets5
lib64nextcloud-client-devel
lib64qt5websockets-devel
qtwebsockets5

So OK'ing on clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2021-06-22 17:59:41 CEST 
Sounds good to me, Herman. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-06-22 20:39:08 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2018-21035

Comment 4 Mageia Robot 2021-06-23 19:14:28 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0270.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED