
Bug#1037209: marked as done (qt6-base: CVE-2023-34410)



Your message dated Wed, 07 Jun 2023 20:23:25 +0000
with message-id <E1q6zgj-00F8J4-M9@fasolo.debian.org>
and subject line Bug#1037209: fixed in qt6-base 6.4.2+dfsg-11
has caused the Debian Bug report #1037209,
regarding qt6-base: CVE-2023-34410
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1037209: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037209
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: qt6-base
Version: 6.4.2+dfsg-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:qtbase-opensource-src 5.15.8+dfsg-11
Control: retitle -2 qtbase-opensource-src: CVE-2023-34410

Hi,

The following vulnerability was published for Qt.

CVE-2023-34410[0]:
| An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and
| 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS
| does not always consider whether the root of a chain is a configured
| CA certificate.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34410
    https://www.cve.org/CVERecord?id=CVE-2023-34410

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.3.0-0-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_DIE, TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
--- Begin Message ---
Source: qt6-base
Source-Version: 6.4.2+dfsg-11
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
qt6-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1037209@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated qt6-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 Jun 2023 21:54:59 +0200
Source: qt6-base
Architecture: source
Version: 6.4.2+dfsg-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1037209
Changes:
 qt6-base (6.4.2+dfsg-11) unstable; urgency=medium
 .
   [ Patrick Franz ]
   * Add patch to fix CVE-2023-34410 (Closes: #1037209).


--- End Message ---
