Your message dated Sat, 10 Feb 2024 13:02:54 +0000
with message-id <[email protected]>
and subject line Released with 11.9
has caused the Debian Bug report #1006294,
regarding bullseye-pu: package knewstuff/5.78.0-4
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1006294: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006294
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: important
Tags: bullseye
User: [email protected]
Usertags: pu
X-Debbugs-Cc: [email protected], [email protected]
[ Reason ]
A bug in plasma-discover causes a Denial of Service attack
against the KDE servers. 3 packages needs to be patch to
mitigate the attack: knewstuff, plasma-desktop and
plasma-discover.
This update fixes bug #1006126 for bullseye and has been
fixed in unstable in version 5.90.0-1 for knewstuff.
[ Impact ]
Running the old version causes considerable load for the KDE
servers.
[ Tests ]
No manual tests have been performed.
[ Risks ]
The risks are rather low as the update is a single patch.
The patch has been created by KDE upstream specifically for the
version in bullseye.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
The update contains a single patch to help ease the load on
KDE servers.
[ Other info ]
It would be good if users of KDE plasma could receive the update
as quick as possible.
diffstat for knewstuff-5.78.0 knewstuff-5.78.0
changelog | 8 ++++++++
patches/knewstuff_dns.patch | 28 ++++++++++++++++++++++++++++
patches/series | 1 +
3 files changed, 37 insertions(+)
diff -Nru knewstuff-5.78.0/debian/changelog knewstuff-5.78.0/debian/changelog
--- knewstuff-5.78.0/debian/changelog 2021-02-24 23:04:55.000000000 +0100
+++ knewstuff-5.78.0/debian/changelog 2022-02-22 22:02:10.000000000 +0100
@@ -1,3 +1,11 @@
+knewstuff (5.78.0-4+deb11u1) bullseye; urgency=medium
+
+ * Team upload.
+ * Cherry-pick commit to fix the Denial of Service bug in Discover
+ (Closes: #1006126).
+
+ -- Patrick Franz <[email protected]> Tue, 22 Feb 2022 22:02:10 +0100
+
knewstuff (5.78.0-4) unstable; urgency=medium
* Team upload.
diff -Nru knewstuff-5.78.0/debian/patches/knewstuff_dns.patch
knewstuff-5.78.0/debian/patches/knewstuff_dns.patch
--- knewstuff-5.78.0/debian/patches/knewstuff_dns.patch 1970-01-01
01:00:00.000000000 +0100
+++ knewstuff-5.78.0/debian/patches/knewstuff_dns.patch 2022-02-22
21:57:05.000000000 +0100
@@ -0,0 +1,28 @@
+From abaa25340b96307fcc7e586ed00bfde67500b57d Mon Sep 17 00:00:00 2001
+From: Aleix Pol <[email protected]>
+Date: Tue, 8 Feb 2022 11:48:11 +0100
+Subject: [PATCH] Engine: Ensure we are not using the wrong ProvidersUrl
+
+---
+ src/core/engine.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/core/engine.cpp b/src/core/engine.cpp
+index c5894747..30fdf2bb 100644
+--- a/src/core/engine.cpp
++++ b/src/core/engine.cpp
+@@ -237,7 +237,10 @@ bool Engine::init(const QString &configfile)
+
+ qCDebug(KNEWSTUFFCORE) << "Categories: " << m_categories;
+ m_providerFileUrl = group.readEntry("ProvidersUrl");
+-
++ if (m_providerFileUrl ==
QLatin1String("https://download.kde.org/ocs/providers.xml";)) {
++ m_providerFileUrl =
QStringLiteral("https://autoconfig.kde.org/ocs/providers.xml";);
++ qCWarning(KNEWSTUFFCORE) << "Please make sure" << configfile << "has
ProvidersUrl=https://autoconfig.kde.org/ocs/providers.xml";;
++ }
+ d->tagFilter = group.readEntry("TagFilter",
QStringList(QStringLiteral("ghns_excluded!=1")));
+ d->downloadTagFilter = group.readEntry("DownloadTagFilter",
QStringList());
+
+--
+GitLab
+
diff -Nru knewstuff-5.78.0/debian/patches/series
knewstuff-5.78.0/debian/patches/series
--- knewstuff-5.78.0/debian/patches/series 2021-02-24 11:36:14.000000000
+0100
+++ knewstuff-5.78.0/debian/patches/series 2022-02-22 21:57:39.000000000
+0100
@@ -1 +1,2 @@
upstream-a3050ecf-qtquickengine-check-knscore-engine-is-valid-before-search.patch
+knewstuff_dns.patch
--- End Message ---
--- Begin Message ---
Version: 11.9
The upload requested in this bug has been released as part of 11.9.
--- End Message ---
