Ubuntu has issued an advisory on December 17:
http://www.ubuntu.com/usn/usn-2057-1/

qt5 in Cauldron may also be affected.
CC: (none) => balcaen.john
Whiteboard: (none) => MGA3TOO
URL: (none) => http://lwn.net/Vulnerabilities/577579/
Blocks: (none) => 11726
for the record:
https://codereview.qt-project.org/#change,71010
http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
pushed in the BS for mga3
Assignee: mageia => qa-bugs
OK, we have qt5 5.2 in Cauldron, so it's already fixed there. Thanks Nicolas!

It looks like we have a qt5 5.0.2 packaged on Mageia 3, so that may need to be added to this.

Here's the advisory with just qt4 for now.

Advisory:
========================

Updated qt4 packages fix security vulnerability:

It was discovered that QXmlSimpleReader in Qt incorrectly handled XML entity expansion. An attacker could use this flaw to cause Qt applications to consume large amounts of resources, resulting in a denial of service (CVE-2013-4549).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4549
http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
http://www.ubuntu.com/usn/usn-2057-1/
========================

Updated packages in core/updates_testing:
========================
qt4-common-4.8.5-1.2.mga3
libqtxml4-4.8.5-1.2.mga3
libqtscripttools4-4.8.5-1.2.mga3
libqtxmlpatterns4-4.8.5-1.2.mga3
libqtsql4-4.8.5-1.2.mga3
libqtnetwork4-4.8.5-1.2.mga3
libqtscript4-4.8.5-1.2.mga3
libqtgui4-4.8.5-1.2.mga3
libqtsvg4-4.8.5-1.2.mga3
libqttest4-4.8.5-1.2.mga3
libqthelp4-4.8.5-1.2.mga3
libqtclucene4-4.8.5-1.2.mga3
libqtcore4-4.8.5-1.2.mga3
libqt3support4-4.8.5-1.2.mga3
libqtopengl4-4.8.5-1.2.mga3
libqtdesigner4-4.8.5-1.2.mga3
libqtdbus4-4.8.5-1.2.mga3
libqtmultimedia4-4.8.5-1.2.mga3
qt4-qtdbus-4.8.5-1.2.mga3
libqtdeclarative4-4.8.5-1.2.mga3
qt4-qmlviewer-4.8.5-1.2.mga3
libqt4-devel-4.8.5-1.2.mga3
qt4-devel-private-4.8.5-1.2.mga3
qt4-xmlpatterns-4.8.5-1.2.mga3
qt4-qtconfig-4.8.5-1.2.mga3
qt4-doc-4.8.5-1.2.mga3
qt4-demos-4.8.5-1.2.mga3
qt4-examples-4.8.5-1.2.mga3
qt4-linguist-4.8.5-1.2.mga3
qt4-assistant-4.8.5-1.2.mga3
qt4-database-plugin-mysql-4.8.5-1.2.mga3
qt4-database-plugin-sqlite-4.8.5-1.2.mga3
qt4-database-plugin-tds-4.8.5-1.2.mga3
qt4-database-plugin-pgsql-4.8.5-1.2.mga3
qt4-graphicssystems-plugin-4.8.5-1.2.mga3
qt4-accessibility-plugin-4.8.5-1.2.mga3
qt4-designer-4.8.5-1.2.mga3
qt4-designer-plugin-webkit-4.8.5-1.2.mga3
qt4-designer-plugin-qt3support-4.8.5-1.2.mga3
qt4-qvfb-4.8.5-1.2.mga3
qt4-qdoc3-4.8.5-1.2.mga3

from qt4-4.8.5-1.2.mga3
CC: (none) => mageia
Version: Cauldron => 3
Whiteboard: MGA3TOO => (none)
Blocks: 11726 => (none)
Should we wait for qt5 to be updated too, or go ahead with testing qt4, and use a new bug report for qt5?
CC: (none) => davidwhodgins
Blocks: (none) => 12178
I created Bug 12178 for qt5, so qt4 can be tested.
The version in updates, and updates testing have the same release/version numbers.

$ tree -ifa|grep qt4-demos
./release/qt4-demos-4.8.4-7.mga3.i586.rpm
./updates/qt4-demos-4.8.5-1.2.mga3.i586.rpm
./updates_testing/qt4-demos-4.8.5-1.2.mga3.i586.rpm
Whiteboard: (none) => feedback
Thanks, qt4-4.8.5-1.3.mga3.src.rpm is building now.
Whiteboard: feedback => (none)
Advisory added to svn. Waiting for local mirror to sync, before testing.
Whiteboard: (none) => advisory
No poc, so just testing that all of the packages install cleanly and kde is ok.

Testing complete on Mageia 3 i586 and x86_64.

Someone from the sysadmin team please push 12043.adv to updates.
Keywords: (none) => validated_update
Whiteboard: advisory => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0009.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED