Bug 27560 - qtwebsockets5 new security issue CVE-2018-21035
Summary: qtwebsockets5 new security issue CVE-2018-21035
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-11-04 23:42 CET by David Walser
Modified: 2021-06-23 19:14 CEST (History)
4 users

See Also:
Source RPM: qtwebsockets5-5.12.6-1.mga7.src.rpm
CVE: CVE-2018-21035
Status comment:


Attachments

Description David Walser 2020-11-04 23:42:16 CET
RedHat has issued an advisory on November 3:
https://access.redhat.com/errata/RHSA-2020:4690
David Walser 2020-12-28 19:02:42 CET

Status comment: (none) => Patch available from RedHat

Comment 1 David Walser 2021-06-22 00:35:01 CEST
Advisory:
========================

Updated qtwebsockets5 packages fix security vulnerability:

In Qt through 5.14.1, the WebSocket implementation accepts up to 2GB for frames
and 2GB for messages. Smaller limits cannot be configured. This makes it easier
for attackers to cause a denial of service (memory consumption)
(CVE-2018-21035).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21035
https://access.redhat.com/errata/RHSA-2020:4690
========================

Updated packages in core/updates_testing:
========================
qtwebsockets5-5.12.6-1.1.mga7
qtwebsockets5-doc-5.12.6-1.1.mga7
libqt5websockets5-5.12.6-1.1.mga7
libqt5websockets-devel-5.12.6-1.1.mga7

from qtwebsockets5-5.12.6-1.1.mga7.src.rpm

Status comment: Patch available from RedHat => (none)
Assignee: kde => qa-bugs
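The advisory above describes the defect as a missing, non-configurable upper bound on frame and message size, so the fix is to reject an oversized frame before any buffer is reserved for it. The following is an added illustration, not Qt's code or the patch shipped in this update: a minimal RFC 6455 frame-header parser that enforces a configurable per-frame payload limit; kMaxFramePayload, FrameHeader and parseFrameHeader are hypothetical names.

```cpp
// Added example (not Qt's implementation): parse a WebSocket frame header and
// reject the frame if the declared payload exceeds a configurable limit, so the
// size check happens before any allocation of payloadLen bytes.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Hypothetical default, far below the 2 GB the vulnerable versions accepted.
constexpr uint64_t kMaxFramePayload = 1ULL << 20;  // 1 MiB

struct FrameHeader {
    bool fin;
    uint8_t opcode;
    bool masked;
    uint64_t payloadLen;
    size_t headerLen;  // bytes consumed: base header, extended length, mask key
};

// Returns std::nullopt when the header is incomplete, malformed, or declares a
// payload larger than maxPayload; the caller should close the connection.
std::optional<FrameHeader> parseFrameHeader(const std::vector<uint8_t>& buf,
                                            uint64_t maxPayload = kMaxFramePayload) {
    if (buf.size() < 2) return std::nullopt;
    FrameHeader h{};
    h.fin = (buf[0] & 0x80) != 0;
    h.opcode = buf[0] & 0x0F;
    h.masked = (buf[1] & 0x80) != 0;
    uint64_t len = buf[1] & 0x7F;
    size_t pos = 2;
    if (len == 126) {                       // 16-bit extended length
        if (buf.size() < 4) return std::nullopt;
        len = (uint64_t(buf[2]) << 8) | buf[3];
        pos = 4;
    } else if (len == 127) {                // 64-bit extended length
        if (buf.size() < 10) return std::nullopt;
        len = 0;
        for (int i = 0; i < 8; ++i) len = (len << 8) | buf[2 + i];
        if (len & (1ULL << 63)) return std::nullopt;  // MSB must be 0 (RFC 6455)
        pos = 10;
    }
    if (h.masked) {                         // client frames carry a 4-byte key
        if (buf.size() < pos + 4) return std::nullopt;
        pos += 4;
    }
    // The mitigation: bound the payload before reserving memory for it.
    if (len > maxPayload) return std::nullopt;
    h.payloadLen = len;
    h.headerLen = pos;
    return h;
}
```

A complete receiver would apply the same bound to the running total of a fragmented message, since per-frame limits alone do not cap reassembled message size.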

Comment 2 Herman Viaene 2021-06-22 10:58:37 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
This seems to me like a developer's library, confirmed by
# urpmq --whatrequires qtwebsockets5
lib64qt5websockets-devel
qtwebsockets5
and
# urpmq --whatrequires-recursive qtwebsockets5
lib64nextcloud-client-devel
lib64qt5websockets-devel
qtwebsockets5

So OK'ing on clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA7-64-OK

Comment 3 Thomas Andrews 2021-06-22 17:59:41 CEST
Sounds good to me, Herman. Validating. Advisory in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Aurelien Oudelet 2021-06-22 20:39:08 CEST

Keywords: (none) => advisory
CC: (none) => ouaurelien
CVE: (none) => CVE-2018-21035

Comment 4 Mageia Robot 2021-06-23 19:14:28 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0270.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
