Fedora has issued advisories on March 26:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155063.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154671.html

Fedora has a patch for the issue for qtwebkit 2.3.4, and it is fixed in qtwebkit5 5.4.1.

Mageia 4 and Cauldron are affected.
Whiteboard: (none) => MGA5TOO, MGA4TOO
URL: http://lwn.net/Vulnerabilities/639231/ => http://lwn.net/Vulnerabilities/641427/
Actually qtwebkit5 needs an additional patch as well: http://pkgs.fedoraproject.org/cgit/qt5-qtwebkit.git/commit/?h=f22&id=ae50d7df90edc20a9f7427879d39c5b176f17a56
URL: http://lwn.net/Vulnerabilities/641427/ => http://lwn.net/Vulnerabilities/639231/
Patches checked into Mageia 4 and Cauldron SVN. Freeze push requested.
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated qtwebkit and qtwebkit5 packages fix security vulnerability:

QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155063.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154671.html
========================

Updated packages in core/updates_testing:
========================
libqtwebkit2.2_4-2.3.3-3.1
qtwebkit-qmlplugin-2.3.3-3.1
libqtwebkit2.2-devel-2.3.3-3.1
qtwebkit5-5.2.0-2.1
libqt5webkitwidgets5-5.2.0-2.1
libqt5webkitwidgets-devel-5.2.0-2.1
libqt5webkitwidgets-private-devel-5.2.0-2.1
libqt5webkit5-5.2.0-2.1
libqt5webkit-devel-5.2.0-2.1
libqt5webkit-private-devel-5.2.0-2.1

from SRPMS:
qtwebkit-2.3.3-3.1.mga4.src.rpm
qtwebkit5-5.2.0-2.1.mga4.src.rpm
Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)
qtwebkit is used by a lot of things, but most directly by qupzilla and rekonq. qtwebkit5 is only used by qt-creator, sigil, and yaflight, but I'm not sure how.
Tested with qupzilla and qt-creator. Seems OK on Mageia 4 i586.
Whiteboard: (none) => has_procedure MGA4-32-OK
Tested mga4 64.

Validating. Advisory uploaded.

Please push to 4 updates.

Thanks
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0194.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
CVE-2015-8079 has been assigned for this: http://openwall.com/lists/oss-security/2015/11/05/4
Summary: qtwebkit new security issue fixed upstream in 5.4.1 => qtwebkit new security issue fixed upstream in 5.4.1 (CVE-2015-8079)