group.of.nepali.translators team mailing list archive
Message #23661
[Bug 1767539] Re: Security fixes from 0.12.5 require backfit to earlier releases
This bug was fixed in the package quassel - 1:0.12.5-2ubuntu1
---------------
quassel (1:0.12.5-2ubuntu1) cosmic; urgency=high

  * Merge from Debian Sid (LP: #1767539). Remaining changes:
    - Dropping of (different) transitional packages since 16.04 LTS released.
    - Apparmor profile.
    - Ufw profile.
    - Change the default channel to #lubuntu.

quassel (1:0.12.5-2) unstable; urgency=high

  * Build-depend on qtwebengine5-dev only for archs where it's
    available.

quassel (1:0.12.5-1) unstable; urgency=high

  * New upstream release.
    - Fixes a deserialization security vulnerability.
    - Fixes a DoS while quassel is starting up.
  * Drop Fix_the_ssl_check_with_Qt_5.6_and_gcc_5.patch, applied upstream.
  * Build against Qt WebEngine instead of QtWebKit, following upstream.
  * Move git repo to salsa.debian.org

 -- Simon Quigley <tsimonq2@xxxxxxxxxx>  Sun, 13 May 2018 19:52:22 -0500

** Changed in: quassel (Ubuntu Cosmic)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1767539
Title:
  Security fixes from 0.12.5 require backfit to earlier releases

Status in quassel package in Ubuntu:
  Fix Released
Status in quassel source package in Trusty:
  Fix Released
Status in quassel source package in Xenial:
  Confirmed
Status in quassel source package in Artful:
  Confirmed
Status in quassel source package in Bionic:
  Confirmed
Status in quassel source package in Cosmic:
  Fix Released
Status in quassel package in Debian:
  Fix Released

Bug description:
A recent upstream release contains two security fixes. All supported
Ubuntu releases are affected.
* SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
  qdatastream
  - debian/patches/Implement_custom_deserializer.patch: Original patch from
    upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
  - CVE requested by upstream
* SECURITY UPDATE: quasselcore, denial of service for unconfigured core
  - debian/patches/Reject_clients_that_attempt_to_login_before_the_core_is_configured.patch:
    Original patch from upstream 0.12.5 release, adapted
    for non-C++ 11 systems by Felix Geyer
  - CVE requested by upstream

I'll be attaching a debdiff for Trusty, but not later releases as that
is the only Ubuntu release I still have an interest in. Note that the
debian/changelog doesn't have the LP bug number in it since I haven't
filed it yet. The trusty fix is based on the Debian patches for
Jessie (Debian 8):
https://salsa.debian.org/qt-kde-team/kde-extras/quassel/tree/jessie
I'm running the fixed version now.