group.of.nepali.translators team mailing list archive

[Bug 1767539] Re: Security fixes from 0.12.5 require backfit to earlier releases

 

** Bug watch added: Debian Bug tracker #896914
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896914

** Also affects: quassel (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896914
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1767539

Title:
  Security fixes from 0.12.5 require backfit to earlier releases

Status in quassel package in Ubuntu:
  New
Status in quassel source package in Trusty:
  Confirmed
Status in quassel source package in Xenial:
  New
Status in quassel source package in Artful:
  New
Status in quassel source package in Bionic:
  New
Status in quassel package in Debian:
  Unknown

Bug description:
  A recent upstream release contains two security fixes.  All supported
  Ubuntu releases are affected.

    * SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
      qdatastream
      - debian/patches/Implement_custom_deserializer.patch: Original patch from
        upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
      - CVE requested by upstream
    * SECURITY UPDATE: quasselcore, denial of service for unconfigured core
      - debian/patches/Reject_clients_that_attempt_to_login_before_the_core_is
        _configured.patch: Original patch from upstream 0.12.5 release, adapted
        for non-C++ 11 systems by Felix Geyer
      - CVE requested by upstream

  I'll be attaching a debdiff for Trusty, but not later releases as that
  is the only Ubuntu release I still have an interest in.  Note that the
  debian/changelog doesn't have the LP bug number in it since I haven't
  filed it yet.  The trusty fix is based on the Debian patches for
  Jessie (Debian 8):

  https://salsa.debian.org/qt-kde-team/kde-extras/quassel/tree/jessie

  I'm running the fixed version now.
