group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1767539] Re: Security fixes from 0.12.5 require backfit to earlier releases

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1767539@xxxxxxxxxxxxxxxxxx>
Date: Mon, 14 May 2018 01:59:44 -0000
Reply-to: Bug 1767539 <1767539@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package quassel - 1:0.12.5-2ubuntu1

---------------
quassel (1:0.12.5-2ubuntu1) cosmic; urgency=high

  * Merge from Debian Sid (LP: #1767539). Remaining changes:
    - Dropping of (different) transitional packages since 16.04 LTS released.
    - Apparmor profile.
    - Ufw profile.
    - Change the default channel to #lubuntu.

quassel (1:0.12.5-2) unstable; urgency=high

  * Build-depend on qtwebengine5-dev only for archs where it's
available.

quassel (1:0.12.5-1) unstable; urgency=high

  * New upstream release.
    - Fixes a deserialization security vulnerability.
    - Fixes a DoS while quassel is starting up.
  * Drop Fix_the_ssl_check_with_Qt_5.6_and_gcc_5.patch, applied upstream.
  * Build against Qt WebEngine instead of QtWebKit, following upstream.
  * Move git repo to salsa.debian.org

 -- Simon Quigley <tsimonq2@xxxxxxxxxx>  Sun, 13 May 2018 19:52:22 -0500

** Changed in: quassel (Ubuntu Cosmic)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1767539

Title:
  Security fixes from 0.12.5 require backfit to earlier releases

Status in quassel package in Ubuntu:
  Fix Released
Status in quassel source package in Trusty:
  Fix Released
Status in quassel source package in Xenial:
  Confirmed
Status in quassel source package in Artful:
  Confirmed
Status in quassel source package in Bionic:
  Confirmed
Status in quassel source package in Cosmic:
  Fix Released
Status in quassel package in Debian:
  Fix Released

Bug description:
  A recent upstream release contains two security fixes.  All supported
  Ubuntu releases are affected.

    * SECURITY UPDATE: quasselcore, corruption of heap metadata caused by
      qdatastream
      - debian/patches/Implement_custom_deserializer.patch: Original patch from
        upstream 0.12.5 release, adapted for non-C++ 11 systems by Felix Geyer
      - CVE requested by upstream
    * SECURITY UPDATE: quasselcore, denial of service for unconfigure core
      - debian/patches/Reject_clients_that_attempt_to_login_before_the_core_is
        _configured.patch: Original patch from upstream 0.12.5 release, adapted
        for non-C++ 11 systems by Felix Geyer
      - CVE requested by upstream

  I'll be attaching a debdiff for Trusty, but not later releases as that
  is the only Ubuntu release I still have an interest in.  Note that the
  debian/changelog doesn't have the LP bug number in it since I haven't
  filed it yet.  The trusty fix is based on the Debian patches for
  Jessie (Debian 8):

  https://salsa.debian.org/qt-kde-team/kde-extras/quassel/tree/jessie

  I'm running the fixed version now.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/quassel/+bug/1767539/+subscriptions