Your message dated Mon, 13 May 2024 19:32:55 +0000
with message-id <e1s6bpr-005v9p...@fasolo.debian.org>
and subject line Bug#1059302: fixed in qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
has caused the Debian Bug report #1059302,
regarding qt6-base: CVE-2023-37369
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
1059302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059302
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qt6-base
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2023-37369[0]:
| In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x
| before 6.5.2, there can be an application crash in QXmlStreamReader
| via a crafted XML string that triggers a situation in which a prefix
| is greater than a length.

https://www.qt.io/blog/security-advisory-qxmlstreamreader
https://codereview.qt-project.org/c/qt/qtbase/+/455027

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37369
    https://www.cve.org/CVERecord?id=CVE-2023-37369

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: qtbase-opensource-src
Source-Version: 5.15.2+dfsg-9+deb11u1
Done: Thorsten Alteholz <deb...@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
qtbase-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <deb...@alteholz.de> (supplier of updated qtbase-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 28 Apr 2024 22:48:02 +0200
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.2+dfsg-9+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Thorsten Alteholz <deb...@alteholz.de>
Closes: 1031872 1036702 1036848 1037210 1041105 1059302 1060694 1064053
Changes:
 qtbase-opensource-src (5.15.2+dfsg-9+deb11u1) bullseye; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2024-25580 (Closes: #1064053)
     fix buffer overflow due to crafted KTX image file
   * CVE-2023-32763 (Closes: #1036702)
     fix QTextLayout buffer overflow due to crafted SVG file
   * CVE-2022-25255
     prevent QProcess from execution of a binary from the current working
     directory when not found in the PATH
   * CVE-2023-24607 (Closes: #1031872)
     fix denial of service via a crafted string when the SQL ODBC driver
     plugin is used
   * fix regression caused by patch for CVE-2023-24607
   * CVE-2023-32762
     prevent incorrect parsing of the strict-transport-security (HSTS) header
   * CVE-2023-51714 (Closes: #1060694)
     fix incorrect HPack integer overflow check.
   * CVE-2023-38197 (Closes: #1041105)
     fix infinite loop in recursive entity expansion
   * CVE-2023-37369 (Closes: #1059302)
     fix crash of application in QXmlStreamReader due to crafted XML string
   * CVE-2023-34410 (Closes: #1037210)
     fix checking during TLS whether root of the chain really is a
     configured CA certificate
   * CVE-2023-33285 (Closes: #1036848)
     fix buffer overflow in QDnsLookup
Checksums-Sha1:
 6e16146f78475c11c4dda7d6f2f65e57fdb0e29e 5641 qtbase-opensource-src_5.15.2+dfsg-9+deb11u1.dsc
 130e02045fc0817e521a5e979e5c4791ea32bb2b 48055144 qtbase-opensource-src_5.15.2+dfsg.orig.tar.xz
 1a9ee70661e4c9b81869966c55677c155a2bd2e0 273028 qtbase-opensource-src_5.15.2+dfsg-9+deb11u1.debian.tar.xz
 ff4c258d3f2f37754a5c2ca3a0821f9bb80c49ee 35848 qtbase-opensource-src_5.15.2+dfsg-9+deb11u1_amd64.buildinfo
Checksums-Sha256:
 c0a433401e556ecc90f4aac049cd95a054b3ba736f325039edc367c76b3d8eb1 5641 qtbase-opensource-src_5.15.2+dfsg-9+deb11u1.dsc
 9ed5e0ab96a04daec5383a5e642d0308ca8246359a4c857a73a5c58d806237bb 48055144 qtbase-opensource-src_5.15.2+dfsg.orig.tar.xz
 29a9be7d1ed654ea53c5f01d00c613a3d2c44e515f4fefc01340167c9c8c0fa8 273028 qtbase-opensource-src_5.15.2+dfsg-9+deb11u1.debian.tar.xz
 271951118c9e6b1ee010cd091253437342dc3277439981de3a5cd592cfca9fca 35848 qtbase-opensource-src_5.15.2+dfsg-9+deb11u1_amd64.buildinfo
Files:
 165f1cc5e44cc75dc0ebf13a249f8a0f 5641 libs optional qtbase-opensource-src_5.15.2+dfsg-9+deb11u1.dsc
 c0e684ed6ee9d24e4509d64ceb9764cf 48055144 libs optional qtbase-opensource-src_5.15.2+dfsg.orig.tar.xz
 f84b2a84c64c6cec1b2c6d2c0dc4bc05 273028 libs optional qtbase-opensource-src_5.15.2+dfsg-9+deb11u1.debian.tar.xz
 68690ed0fe2e8e2abd2b08c3723a1dde 35848 libs optional qtbase-opensource-src_5.15.2+dfsg-9+deb11u1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---