group.of.nepali.translators team mailing list archive
-
group.of.nepali.translators team
-
Mailing list archive
-
Message #23584
[Bug 1767539] Re: Security fixes from 0.12.5 require backfit to earlier releases
** Changed in: quassel (Debian)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1767539
Title:
Security fixes from 0.12.5 require backfit to earlier releases
Status in quassel package in Ubuntu:
Confirmed
Status in quassel source package in Trusty:
Fix Released
Status in quassel source package in Xenial:
Confirmed
Status in quassel source package in Artful:
Confirmed
Status in quassel source package in Bionic:
Confirmed
Status in quassel package in Debian:
Fix Released
Bug description:
A recent upstream release contains two security fixes. All supported
Ubuntu releases are affected.
* SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
qdatastream
- debian/patches/Implement_custom_deserializer.patch: Original patch from
upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
- CVE requested by upstream
* SECURITY UPDATE: quasselcore, denial of service for unconfigure core
- debian/patches/Reject_clients_that_attempt_to_login_before_the_core_is
_configured.patch: Original patch from upstream 0.12.5 release, adapted
for non-C++ 11 systems by Felix Geyer
- CVE requested by upstream
I'll be attaching a debdiff for Trusty, but not later releases as that
is the only Ubuntu release I still have an interest in. Note that the
debian/changelog doesn't have the LP bug number in it since I haven't
filed it yet. The trusty fix is based on the Debian patches for
Jessie (Debian 8):
https://salsa.debian.org/qt-kde-team/kde-extras/quassel/tree/jessie
I'm running the fixed version now.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/quassel/+bug/1767539/+subscriptions