Package: kde4libs
Version: 4:4.8.4-4
Severity: important
Tags: security patch
Control: forwarded -1 https://bugs.kde.org/show_bug.cgi?id=319428
Hi,
the following vulnerability was published for kde4libs.
CVE-2013-2074[0]:
prints passwords contained in HTTP URLs in error messages
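An added example of the defensive pattern behind this report (not code from kde4libs or KDE): strip the password from a URL's authority part before the URL is embedded in an error message or log line. The function names redact_url and connection_error_message and the sample URLs are assumptions made for this illustration.

```python
"""Redact the password in user:password@host URLs before they are shown or logged.

Added example for CVE-2013-2074-style leaks, not KDE code. redact_url,
connection_error_message and the sample URLs are assumptions for this
illustration.
"""
from urllib.parse import urlsplit, urlunsplit


def redact_url(url: str, placeholder: str = "***") -> str:
    """Return url with any password in the authority part replaced by placeholder.

    The user name is kept because it is useful when diagnosing an
    authentication failure; the password is never reproduced.
    """
    parts = urlsplit(url)
    if parts.password is None:
        return url
    host = parts.hostname or ""
    # urlsplit strips the brackets from IPv6 literals; put them back.
    if ":" in host and not host.startswith("["):
        host = f"[{host}]"
    netloc = f"{parts.username or ''}:{placeholder}@{host}"
    if parts.port is not None:
        netloc += f":{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def connection_error_message(url: str, reason: str) -> str:
    """Build a user-facing error text that never contains the credential."""
    return f"Could not connect to {redact_url(url)}: {reason}"
```

redact_url leaves URLs without a password untouched, so it can be applied unconditionally at the point where a URL is formatted for display.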
Upstream
Hi Qt/KDE maintainers,
On Fri, May 31, 2013 at 01:39:50PM +0200, Moritz Muehlenhoff wrote:
Package: kdeplasma-addons
Severity: important
Tags: security
Please see http://seclists.org/oss-sec/2013/q2/429
Once an upstream fix is available, we can fix this in
a point update.
Short note on
Hi Qt/KDE Maintainers,
On Wed, Feb 06, 2013 at 03:18:07AM +0100, Luciano Bello wrote:
Package: qt4-x11
Severity: important
Tags: security patch
Justification: user security hole
Hi Qt/KDE Maintainers,
This vulnerability had been reported against qt4-x11:
: not-needed
Author: Salvatore Bonaccorso car...@debian.org
Last-Update: 2013-08-18
Applied-Upstream: 5.0.1, 4.8.5, 4.7.6
--- a/src/corelib/kernel/qsharedmemory_unix.cpp
+++ b/src/corelib/kernel/qsharedmemory_unix.cpp
@@ -199,7 +199,7 @@
}
// create
-if (-1 == shmget(handle(), size
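Review bot: the hunk is truncated after the removed line `-if (-1 == shmget(handle(), size` and no matching `+` line is visible, so the replacement call in the create path cannot be reviewed from this excerpt; the header `@@ -199,7 +199,7 @@` promises exactly one changed line, and whoever applies this should check the complete patch against the Applied-Upstream releases listed (5.0.1, 4.8.5, 4.7.6) rather than this fragment.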
Hi,
On Sun, Jun 01, 2014 at 11:30:15PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
tag 750141 moreinfo
thanks
On Monday 02 June 2014 11:19:05 Hamish Moffatt wrote:
Package: libqt4-xml
Severity: serious
Tags: security
Justification: security
Qt 4.8.6 has a fix for a denial
Source: kde4libs
Version: 4:4.13.1-1
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Hi
See http://www.kde.org/info/security/advisory-20140618-1.txt for
further reference.
From the advisory only 4.10.95 to 4.13.2 are affected.
Regards,
Salvatore
--
Source: kde-runtime
Version: 4:4.8.4-2
Severity: normal
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for kde-runtime.
CVE-2014-8600[0]:
Insufficient Input Validation By IO Slaves and Webkit Part
If you fix the vulnerability please also make sure to
Source: qtbase-opensource-src
Version: 5.3.2+dfsg-4
Severity: normal
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for qtbase-opensource-src.
CVE-2015-1858[0]:
segmentation fault in qbmphandler.cpp
CVE-2015-1859[1]:
segmentation fault in
Source: qt4-x11
Version: 4:4.8.6+git64-g5dc8b2b+dfsg-3
Severity: normal
Tags: security upstream fixed-upstream
Hi,
the following vulnerabilities were published for qt4-x11.
CVE-2015-1858[0]:
segmentation fault in qbmphandler.cpp
CVE-2015-1859[1]:
segmentation fault in qicohandler.cpp
Source: plasma-workspace
Version: 4:5.4.3-1
Severity: grave
Tags: security upstream patch
Justification: user security hole
Forwarded: https://bugs.kde.org/show_bug.cgi?id=358125
Hi,
the following vulnerability was published for plasma-workspace.
CVE-2016-2312[0]:
KDE lockscreen bypass by
Source: kde4libs
Version: 4:4.8.4-4
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for kde4libs.
CVE-2016-6232[0]:
Extraction of tar files possible to arbitrary system locations
Please note [1], where Balint noticed that the patch in 4:4.14.22-1 was
Hi
It might be noted that the issues themselves are mitigated with the fixes
applied for CVE-2016-7966, and a user is protected from this CVE by only
viewing plain text mails. But the issues are still present. At least for
CVE-2016-7968 a full fix would need to be built with Qt 5.7.0
AFAICT (please
Source: kde-cli-tools
Version: 4:5.7.4-1
Severity: important
Tags: security upstream patch fixed-upstream
Hi,
the following vulnerability was published for kde-cli-tools.
CVE-2016-7787[0]:
kdesu: Displayed command truncated by unicode string terminator
If you fix the vulnerability please also
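An added example of the sanitisation step a privilege prompt needs for the problem class named in CVE-2016-7787 (not the kde-cli-tools or kdesu code): a control character such as U+009C STRING TERMINATOR inside the command makes the rendering stop early, so the user confirms a different command from the one displayed. The function names escape_for_display and prompt_text are assumptions for this illustration.

```python
"""Make a command line safe to display in a privilege prompt.

Added example, not kdesu code. escape_for_display and prompt_text are
assumptions for this illustration.
"""
import unicodedata


def escape_for_display(command: str) -> str:
    """Replace every control, format, surrogate, private-use or unassigned code point
    with a visible escape so nothing in the string can truncate or reorder the text.

    Unicode general categories starting with 'C' cover C0/C1 controls (Cc, which
    includes U+009C), format characters such as bidi overrides (Cf), surrogates
    (Cs), private use (Co) and unassigned code points (Cn).
    """
    out = []
    for ch in command:
        if unicodedata.category(ch).startswith("C"):
            cp = ord(ch)
            out.append(f"\\x{cp:02x}" if cp <= 0xFF else f"\\u{cp:04x}")
        else:
            out.append(ch)
    return "".join(out)


def prompt_text(command: str) -> str:
    """Text shown to the user before the command runs with elevated privileges."""
    return f"The action you requested needs root privileges. Command: {escape_for_display(command)}"
```

Escaping rather than dropping the characters is deliberate: a removed byte still changes what the shell sees, while an escape makes the discrepancy visible in the prompt.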
Hi libspectre maintainers,
Did any of you have a chance to look at #840691? It is currently still
assigned to src:ghostscript, but the problem might actually lie in
libspectre.
Thanks already for your help,
Regards,
Salvatore
Hi Scott,
On Wed, Oct 12, 2016 at 02:56:06PM -0400, Scott Kitterman wrote:
> Proposed update attached. It is the exact upstream commit that resolved this
> issue upstream (relevant code is unchanged from stable) and I have the fix
> running locally. I do not have an example of the exploit to
Hi,
Just an additional comment on the debdiff:
On Fri, Oct 14, 2016 at 08:23:04PM +0200, Sandro Knauß wrote:
> Hey,
>
> I now back ported the second part of the fix of the CVE. I updated the
> version
> deb8u1 from Scott. Should I create a deb8u2 for the additional patch?
Please note, to
Hi Sandro,
On Fri, Oct 14, 2016 at 10:56:00PM +0200, Sandro Knauß wrote:
> Hi,
>
> now I'm fully confused - you said on IRC, I should better create a deb8u2
> ontop. Well I created now the debdiff for a deb8u2.
>
> So you can decide what is the best way for the sec team and what version
>
Source: ark
Version: 4:16.08.3-1
Severity: grave
Tags: upstream patch security fixed-upstream
Justification: user security hole
Forwarded: https://bugs.kde.org/show_bug.cgi?id=374572
Hi,
the following vulnerability was published for ark.
CVE-2017-5330[0]:
unintended execution of scripts and
Hi
For jessie: I think the issue was only introduced after the "Open File"
action was introduced, which is post 15.11.80. Would be great if you
can confirm that.
Regards,
Salvatore
Source: kio
Version: 5.22.0-1
Severity: important
Tags: patch upstream security
Hi,
the following vulnerability was published for kio.
CVE-2017-6410[0]:
| kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls
| the PAC FindProxyForURL function with a full https URL
Source: kde4libs
Version: 4:4.14.26-1
Severity: important
Tags: upstream patch security
Hi,
the following vulnerability was published for kde4libs.
CVE-2017-6410[0]:
| kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls
| the PAC FindProxyForURL function with a full https
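An added example illustrating the two CVE-2017-6410 reports above (kio and kde4libs); it is not code from kio, kdelibs or KDE. A PAC script is fetched from the network and runs with whatever URL the caller hands it, so passing a full https URL leaks the path, query string and fragment that TLS was meant to protect. The example reduces https URLs to scheme and host before the call. Real PAC scripts are JavaScript; the Python function pac_find_proxy is a stand-in that records what it was given, and url_for_pac, find_proxy, observed_by_pac and the sample URLs are assumptions for this illustration.

```python
"""Strip path and query from https URLs before handing them to a PAC script.

Added example, not kio/kdelibs code. pac_find_proxy is a Python stand-in for a
PAC script's FindProxyForURL(url, host); the other names are assumptions for
this illustration.
"""
from urllib.parse import urlsplit, urlunsplit

_SEEN_BY_PAC = []  # everything the (untrusted) PAC script got to observe


def pac_find_proxy(url: str, host: str) -> str:
    """Stand-in for FindProxyForURL: records its input the way a hostile script could exfiltrate it."""
    _SEEN_BY_PAC.append(url)
    return "PROXY proxy.example.net:3128" if host.endswith(".example.net") else "DIRECT"


def observed_by_pac() -> list:
    """Return a copy of the URLs the PAC stand-in has seen so far."""
    return list(_SEEN_BY_PAC)


def url_for_pac(url: str) -> str:
    """Reduce an https URL to scheme://host[:port]/ so only routing-relevant data reaches the script.

    Non-https URLs are passed through unchanged, matching the behaviour the CVE
    text describes as the intended one for the https case only.
    """
    p = urlsplit(url)
    if p.scheme.lower() != "https":
        return url
    host = p.hostname or ""
    if ":" in host:  # IPv6 literal: urlsplit stripped the brackets
        host = f"[{host}]"
    if p.port is not None:
        host += f":{p.port}"
    return urlunsplit(("https", host, "/", "", ""))


def find_proxy(url: str) -> str:
    """Caller-side wrapper: sanitise first, then consult the PAC script."""
    return pac_find_proxy(url_for_pac(url), urlsplit(url).hostname or "")
```

Because urlsplit().hostname excludes user information, the sanitised form also drops any user:password@ prefix, which is one more thing a PAC script has no business seeing.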
Source: kde4libs
Source-Version: 4:4.14.26-2
On Sun, Mar 05, 2017 at 09:48:06PM +0100, Salvatore Bonaccorso wrote:
> Source: kde4libs
> Version: 4:4.14.26-1
> Severity: important
> Tags: upstream patch security
>
> Hi,
>
> the following vulnerability was published for
Source: kf5-messagelib
Version: 4:16.04.3-2
Severity: important
Tags: patch upstream security
Control: clone -1 -2
Control: reassign -2 kdepim 4:4.14.1-1
Hi,
the following vulnerability was published for kf5-messagelib (and
kmail).
CVE-2017-9604[0]:
| KDE kmail before 5.5.2 and messagelib
Package: sddm
Version: 0.14.0-4
Severity: normal
Tags: upstream
Forwarded: https://github.com/sddm/sddm/pull/834
Hi
In sddm setups where the sddm pam configuration is configured to use
pam_group to add additional groups on login depending on the
/etc/security/group.conf configuration does not
Source: sddm
Source-Version: 0.18.0-1
On Tue, May 08, 2018 at 03:14:26PM +0200, Salvatore Bonaccorso wrote:
> Package: sddm
> Version: 0.14.0-4
> Severity: normal
> Tags: upstream
> Forwarded: https://github.com/sddm/sddm/pull/834
>
> Hi
>
> In sddm setups where
Source: okular
Version: 4:17.12.2-2
Severity: important
Tags: patch security upstream
Forwarded: https://bugs.kde.org/show_bug.cgi?id=398096
Hi,
The following vulnerability was published for okular.
CVE-2018-1000801[0]:
| okular version 18.08 and earlier contains a Directory Traversal
|
Source: ktexteditor
Version: 5.37.0-2
Severity: grave
Tags: security upstream
Hi
See http://www.openwall.com/lists/oss-security/2018/04/24/1 for
details (and proposed patch).
Regards,
Salvatore
Control: user -1 debian-rele...@lists.debian.org
Control: usertags -1 + bsp-2018-12-ch-bern
Hi Simon,
On Sun, Sep 09, 2018 at 02:00:20PM -0500, Simon Quigley wrote:
> Control: owner -1
>
> I can take care of this on behalf of the Qt/KDE Team.
Any news on this to be fixed for buster? (Currently
:20.0 +0100
+++ okular-17.12.2/debian/changelog 2018-12-02 12:27:39.0 +0100
@@ -1,3 +1,11 @@
+okular (4:17.12.2-2.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix path traversal issue when extracting an .okular file
+(CVE-2018-1000801) (Closes: #908168)
+
+ -- Salvatore
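Review bot: the changelog hunk stops at the `-- Salvatore` trailer, so the maintainer address and date and the remainder of the eight added lines promised by `@@ -1,3 +1,11 @@` are not visible here; the entry names the CVE and the closed bug but not the patch file added under debian/patches, which makes it harder to tie this debdiff to the upstream commit when auditing it.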
Hi
According to the update in the security-tracker done by Moritz for
https://salsa.debian.org/security-tracker-team/security-tracker/commit/ed21bb0c20a2272745fb959f4c1da58a44ce32e7#4716ef5aa8f2742228ba3b3633215c8b808565e3_72290_72286
we might close this related issue for kmail, but not doing
Source: kmail
Version: 4:18.08.3-1
Severity: important
Tags: security upstream
Forwarded: https://bugs.kde.org/show_bug.cgi?id=404698
Hi,
The following vulnerability was published for kmail. It was reported
upstream at [1] but at point of writing the bugreport there is not
much information
Control: tags -1 + fixed-upstream
On Sat, Apr 13, 2019 at 10:31:53AM +0200, Salvatore Bonaccorso wrote:
> Source: kmail
> Version: 4:18.08.3-1
> Severity: important
> Tags: security upstream
> Forwarded: https://bugs.kde.org/show_bug.cgi?id=404698
Discussion on https://bugs.kde.o
Source: kconfig
Version: 5.54.0-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Control: found -1 5.28.0-2
Control: clone -1 -2
Control: reassign -2 src:kde4libs 4:4.14.38-3
Control: retitle -2 kde4libs: CVE-2019-14744
Control: found -2 4:4.14.26-2
Hi,
The
Source: qtwebsockets-opensource-src
Version: 5.14.1-1
Severity: important
Tags: security upstream
Forwarded: https://bugreports.qt.io/browse/QTBUG-70693
Control: found -1 5.12.5-2
Control: found -1 5.11.3-5
Hi,
The following vulnerability was published for qtwebsockets-opensource-src.
Source: qtbase-opensource-src
Version: 5.12.5+dfsg-8
Severity: important
Tags: security upstream
Forwarded: https://bugreports.qt.io/browse/QTBUG-47417
Hi,
The following vulnerability was published for qtbase-opensource-src.
CVE-2015-9541[0]:
| Qt through 5.14 allows an exponential XML entity
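An added example of the check that defeats the exponential entity expansion named above; it is not Qt code. Nested internal entity declarations (the billion-laughs pattern) let a few kilobytes of DTD expand to gigabytes. Sizing each entity's fully expanded form once, with memoisation, costs time linear in the DTD even when the expansion itself would be exponential, and lets the document be refused before any parser touches it. The regular expressions, the cap, the function names and the constructed sample documents are assumptions for this illustration; a production parser should simply disable internal entity expansion where it can.

```python
"""Bound internal XML entity expansion before parsing.

Added example, not Qt code. Handles only internal general entities in the
internal DTD subset; parameter and external entities are out of scope and
should be rejected separately. Names and sample documents are assumptions.
"""
import re

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r"&(\w+);")
DOCTYPE = re.compile(r"<!DOCTYPE[^\[>]*\[(.*?)\]\s*>", re.S)
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character


class EntityExpansionError(ValueError):
    pass


def expanded_size(text: str, entities: dict, cap: int, memo: dict, stack: frozenset = frozenset()) -> int:
    """Length of text after recursively expanding &name; references; raises once cap is exceeded."""
    total, last = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += m.start() - last
        last = m.end()
        name = m.group(1)
        if name in PREDEFINED or name not in entities:
            total += 1  # predefined or undeclared: bounded, treat as one character
        else:
            if name in stack:
                raise EntityExpansionError(f"recursive entity &{name};")
            if name not in memo:  # each entity is sized exactly once
                memo[name] = expanded_size(entities[name], entities, cap, memo, stack | {name})
            total += memo[name]
        if total > cap:
            raise EntityExpansionError(f"expansion exceeds {cap} characters")
    return total + (len(text) - last)


def check_entity_expansion(document: str, cap: int = 1_000_000) -> int:
    """Return the expanded size of the document body or raise EntityExpansionError."""
    entities, body = {}, document
    dtd = DOCTYPE.search(document)
    if dtd:
        for name, dq, sq in ENTITY_DECL.findall(dtd.group(1)):
            entities[name] = dq or sq
        body = document[dtd.end():]
    return expanded_size(body, entities, cap, {})


def is_safe(document: str, cap: int = 1_000_000) -> bool:
    try:
        check_entity_expansion(document, cap)
        return True
    except EntityExpansionError:
        return False


def billion_laughs(depth: int = 9, fanout: int = 10) -> str:
    """Constructed sample: each level references the previous one `fanout` times (3 * fanout**depth chars)."""
    decls = ['<!ENTITY lol0 "lol">']
    for i in range(1, depth + 1):
        ref = f"&lol{i - 1};" * fanout
        decls.append(f'<!ENTITY lol{i} "{ref}">')
    return '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls) + f"\n]>\n<lolz>&lol{depth};</lolz>"
```

The stack argument carries only the chain of entities currently being expanded, so a direct or indirect self-reference is reported as recursion instead of looping, while repeated sibling references hit the memo and are counted in constant time.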
Source: kmail
Version: 4:19.08.3-1
Severity: important
Tags: security upstream fixed-upstream
Hi,
The following vulnerability was published for kmail, it was fixed in
v19.12.3 upstream.
CVE-2020-11880[0]:
| An issue was discovered in KDE KMail before 19.12.3. By using the
| proprietary
Source: kio-extras
Version: 4:19.12.3-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for kio-extras.
CVE-2020-12755[0]:
| fishProtocol::establishConnection in fish/fish.cpp in KDE kio-extras
| through 20.04.0 makes a cacheAuthentication call even if
Source: okular
Version: 4:19.12.3-1
Severity: important
Tags: security upstream
Control: found -1 4:17.12.2-2.2
Control: found -1 4:16.08.2-1+deb9u1
Control: found -1 4:16.08.2-1
Hi,
The following vulnerability was published for okular.
CVE-2020-9359[0]:
| KDE Okular before 1.10.0 allows code
Source: ark
Version: 4:20.08.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ark.
CVE-2020-24654[0]:
| In KDE Ark before 20.08.1, a crafted TAR archive with symlinks can
| install files
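An added example serving the archive-traversal reports on this page (CVE-2016-6232 in kde4libs, CVE-2018-1000801 in okular and CVE-2020-24654 in ark); it is not code from Ark, Okular, KArchive or KDE. It audits a tar archive for the two traversal forms those reports describe: member names with '..' or an absolute path, and symlink members pointing outside the target directory that a later member then writes through. The archive is constructed in memory, and the destination path, function names and member names are assumptions for this illustration.

```python
"""Reject archive members that would escape the extraction directory.

Added example, not Ark/Okular/KArchive code. The sample archive is constructed
in memory; DEST, audit_members, build_sample_archive and the member names are
assumptions for this illustration.
"""
import io
import posixpath
import tarfile
from typing import List, Tuple

DEST = "/srv/extract"  # hypothetical extraction root


def _inside(root: str, path: str) -> bool:
    """True if root/path, after normalisation, is still root or below it."""
    norm = posixpath.normpath(posixpath.join(root, path))
    return norm == root or norm.startswith(root + "/")


def audit_members(tar: tarfile.TarFile, dest: str = DEST) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every member that must not be extracted."""
    dest = posixpath.normpath(dest)
    rejected = []
    symlinks = set()  # symlink members seen so far, in archive order
    for m in tar.getmembers():
        name = m.name
        if posixpath.isabs(name) or not _inside(dest, name):
            rejected.append((name, "path escapes destination"))
            continue
        # Writing through an earlier symlink redirects the write to the link target,
        # so refuse any member whose path passes through one (conservatively, even
        # if that link was itself refused or currently points inside dest).
        parts = posixpath.normpath(name).split("/")
        if any("/".join(parts[:i]) in symlinks for i in range(1, len(parts))):
            rejected.append((name, "path passes through a symlink"))
            continue
        if m.issym():
            symlinks.add(posixpath.normpath(name))
            target = posixpath.join(posixpath.dirname(name), m.linkname)
            if posixpath.isabs(m.linkname) or not _inside(dest, target):
                rejected.append((name, "symlink target escapes destination"))
        elif m.islnk():
            if not _inside(dest, m.linkname):  # hardlink targets are archive-relative
                rejected.append((name, "hardlink target escapes destination"))
        elif not (m.isfile() or m.isdir()):
            rejected.append((name, "special file type"))
    return rejected


def build_sample_archive() -> bytes:
    """Constructed sample: a benign file, a '..' name, an escaping symlink and a write through it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name: str, data: bytes) -> None:
            ti = tarfile.TarInfo(name)
            ti.size = len(data)
            tar.addfile(ti, io.BytesIO(data))

        add_file("doc/readme.txt", b"hello")
        add_file("../../etc/cron.d/job", b"* * * * * root id\n")
        link = tarfile.TarInfo("home")
        link.type = tarfile.SYMTYPE
        link.linkname = "/root"
        tar.addfile(link)
        add_file("home/.bashrc", b"evil")
    return buf.getvalue()


def audit_bytes(data: bytes, dest: str = DEST) -> List[Tuple[str, str]]:
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return audit_members(tar, dest)
```

The audit only reads member headers, so it can run over the whole archive before anything is written; an extractor should abort on a non-empty result rather than skip the offending members, because the symlink-then-write pattern depends on ordering that a partial extraction may still reproduce. Python 3.12's tarfile extraction filters address the same class of problem.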
Source: kdeconnect
Version: 20.04.3-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for kdeconnect.
CVE-2020-26164[0]:
| packet manipulation can be exploited in a Denial of Service attack
If you
Source: qtbase-opensource-src
Version: 5.14.2+dfsg-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 5.14.2+dfsg-4
Control: found -1 5.11.3+dfsg1-1+deb10u3
Control: found -1 5.11.3+dfsg1-1
Hi,
The following vulnerability was
Source: md4c
Version: 0.4.5-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/mity/md4c/issues/130
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for md4c.
CVE-2020-26148[0]:
| md_push_block_bytes in md4c.c in md4c
Source: kdepim-runtime
Version: 4:20.04.1-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: Debian Security Team
Control: clone -1 -2
Control: reassign -2 src:kmail-account-wizard 4:20.04.1-1
Control: retitle -2 kmail-account-wizard: CVE-2020-15954
Hi,
The following vulnerability was
Hi,
On Wed, Nov 04, 2020 at 01:52:12PM +0100, Salvatore Bonaccorso wrote:
> Source: sddm
> Version: 0.18.1-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> X-Debbugs-Cc: car...@debian.org, Debian Security Team
>
>
> Hi,
>
Hi Norbert,
On Thu, Nov 05, 2020 at 08:26:07PM +0900, Norbert Preining wrote:
> Hi Salvatore, hi FTP Master,
>
> @Salvatore: thanks for the NMU preparation. We are now preparing a fix
> for unstable via version 0.19, and at the same time I thought I upload
> to buster-security, based on your
sounds great, thank you.
>
> That is coming in in short time.
Thank you for your work on this update (and in general for the
package).
Regards,
Salvatore
From e2fceb114a975775fd64dd064e4b7be3dee5cd1f Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso
Date: Wed, 4 Nov 2020 15:28
Hi Norbert,
On Thu, Nov 05, 2020 at 09:15:15PM +0900, Norbert Preining wrote:
> Hi Salvatore,
>
> On Thu, 05 Nov 2020, Salvatore Bonaccorso wrote:
> > to day, this is the debdiff I just used for the upload. tracker.d.o
> > does not show it yet because the packages are sit
Source: sddm
Version: 0.18.1-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for sddm.
CVE-2020-28049[0]:
| local privilege escalation due to race condition in
Source: md4c
Version: 0.4.7-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/mity/md4c/issues/155
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for md4c.
CVE-2021-30027[0]:
| md_analyze_line in md4c.c in md4c
Source: qtsvg-opensource-src
Version: 5.15.2-3
Severity: important
Tags: security upstream
Forwarded: https://bugreports.qt.io/browse/QTBUG-96044
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: found -1 5.11.3-2
Hi,
The following vulnerability was published for
Source: ktexteditor
Version: 5.90.0-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for ktexteditor.
CVE-2022-23853[0]:
| The LSP (Language Server Protocol) plugin in KDE Kate before 21.12.2
| and
Source: qt6-base
Version: 6.4.2+dfsg-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Control: clone -1 -2
Control: reassign -2 src:qtbase-opensource-src 5.15.8+dfsg-11
Control: retitle -2 qtbase-opensource-src: CVE-2023-34410
Hi,
The
Source: qt6-base
Version: 6.4.2+dfsg-9
Severity: important
Tags: security upstream
Forwarded: https://codereview.qt-project.org/c/qt/qtbase/+/477644
X-Debbugs-Cc: car...@debian.org, Debian Security Team
Hi,
The following vulnerability was published for qt6-base.
CVE-2023-33285[0]:
| An issue
Source: qt6-base
Source-Version: 6.4.2+dfsg-21
On Sat, Jan 13, 2024 at 02:37:52PM +, Debian FTP Masters wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA512
>
> Format: 1.8
> Date: Sat, 13 Jan 2024 14:53:25 +0100
> Source: qt6-base
> Architecture: source
> Version: 6.4.2+dfsg-21
>