group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1767539] Re: Security fixes from 0.12.5 require backfit to earlier releases

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Scott Kitterman <ubuntu@xxxxxxxxxxxxx>
Date: Sat, 28 Apr 2018 00:50:00 -0000
Reply-to: Bug 1767539 <1767539@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Bug watch added: Debian Bug tracker #896914
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896914

** Also affects: quassel (Debian) via
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=896914
   Importance: Unknown
       Status: Unknown

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1767539

Title:
  Security fixes from 0.12.5 require backfit to earlier releases

Status in quassel package in Ubuntu:
  New
Status in quassel source package in Trusty:
  Confirmed
Status in quassel source package in Xenial:
  New
Status in quassel source package in Artful:
  New
Status in quassel source package in Bionic:
  New
Status in quassel package in Debian:
  Unknown

Bug description:
  A recent upstream release contains two security fixes.  All supported
  Ubuntu releases are affected.

    * SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
      qdatastream
      - debian/patches/Implement_custom_deserializer.patch: Original patch from
        upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
      - CVE requested by upstream
    * SECURITY UPDATE: quasselcore, denial of service for unconfigure core
      - debian/patches/Reject_clients_that_attempt_to_login_before_the_core_is
        _configured.patch: Original patch from upstream 0.12.5 release, adapted
        for non-C++ 11 systems by Felix Geyer
      - CVE requested by upstream

  I'll be attaching a debdiff for Trusty, but not later releases as that
  is the only Ubuntu release I still have an interest in.  Note that the
  debian/changelog doesn't have the LP bug number in it since I haven't
  filed it yet.  The trusty fix is based on the Debian patches for
  Jessie (Debian 8):

  https://salsa.debian.org/qt-kde-team/kde-extras/quassel/tree/jessie

  I'm running the fixed version now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/quassel/+bug/1767539/+subscriptions