Two CVEs in qtbase-opensource-src

Lisandro Damián Nicanor Pérez Meyer perezmeyer at gmail.com
Thu Jan 30 15:39:41 GMT 2020


Hi!

On Thu, 30 Jan 2020 at 12:37, Moritz Mühlenhoff <jmm at inutil.org> wrote:
>
> On Thu, Jan 30, 2020 at 12:19:31PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> > Hi!
> >
> > On Thu, 30 Jan 2020 at 11:44, Moritz Mühlenhoff <jmm at inutil.org> wrote:
> > >
> > > On Thu, Jan 30, 2020 at 11:25:02AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> > > > Hi! Two security bugs were found in qtbase-opensource-src:
> > > >
> > > > https://lists.qt-project.org/pipermail/development/2020-January/038521.html
> > >
> > > > Please note that the attached debdiff is made against the current version in
> > > > buster p-u, already accepted by SRM.
> > >
> > > Hi Lisandro,
> > > debdiff looks good, please upload to security-master!
> >
> > Do I need to do a binary upload or source only is enough? (apart from
> > including the source in the upload, first security upload if I'm not
> > mistaken).
>
> Ack, source uploads are fine for stretch (for the first upload to a security
> suite -sa is needed, but that already happened for 5.7.1+dfsg-3+deb9u1)

Ah, excellent, so I'll do source only uploads for both buster and stretch.


> > > Stretch is still supported for another ~ half year, could you also prepare
> > > a stretch-security update for CVE-2020-0569?
> >
> > Sure. I'll also see to prepare a qt4-x11 upload too. I might even do
> > an unstable one...
>
> Let's not waste time on an additional sid upload for Qt4, the big RM hammer
> is coming in a month anyway :-)

OK :-) I might keep it fixed just in case nonetheless...

I'm attaching the stretch debdiff.

-- 
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stretchdebdiff.diff
Type: text/x-patch
Size: 2191 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-kde-talk/attachments/20200130/f3be0a57/attachment-0001.bin>

