Your message dated Fri, 31 May 2024 07:05:10 +0000 with message-id <E1sCwK6-007TZt-E2@fasolo.debian.org> and subject line Bug#1071974: fixed in qtnetworkauth-everywhere-src 5.15.13-3 has caused the Debian Bug report #1071974, regarding qtnetworkauth-everywhere-src: CVE-2024-36048 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1071974: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071974 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: qt6-networkauth: CVE-2024-36048
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sun, 26 May 2024 21:04:24 +0200
- Message-id: <[🔎] 171675026428.842605.3377339466502407925.reportbug@eldamar.lan>
Source: qt6-networkauth Version: 6.4.2-5 Severity: important Tags: security upstream X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org> Control: clone -1 -2 Control: reassign -2 src:qtnetworkauth-everywhere-src 5.15.13-2 Control: retitle -2 qtnetworkauth-everywhere-src: CVE-2024-36048 Hi, The following vulnerability was published for QAbstractOAuth. CVE-2024-36048[0]: | QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x | before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through | 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may | result in guessable values. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2024-36048 https://www.cve.org/CVERecord?id=CVE-2024-36048 [1] https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317 [2] https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---
- To: 1071974-close@bugs.debian.org
- Subject: Bug#1071974: fixed in qtnetworkauth-everywhere-src 5.15.13-3
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Fri, 31 May 2024 07:05:10 +0000
- Message-id: <E1sCwK6-007TZt-E2@fasolo.debian.org>
- Reply-to: Dmitry Shachnev <mitya57@debian.org>
Source: qtnetworkauth-everywhere-src Source-Version: 5.15.13-3 Done: Dmitry Shachnev <mitya57@debian.org> We believe that the bug you reported is fixed in the latest version of qtnetworkauth-everywhere-src, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1071974@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Dmitry Shachnev <mitya57@debian.org> (supplier of updated qtnetworkauth-everywhere-src package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Fri, 31 May 2024 09:34:41 +0300 Source: qtnetworkauth-everywhere-src Architecture: source Version: 5.15.13-3 Distribution: unstable Urgency: medium Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> Changed-By: Dmitry Shachnev <mitya57@debian.org> Closes: 1071974 Changes: qtnetworkauth-everywhere-src (5.15.13-3) unstable; urgency=medium . * Backport upstream patch to fix data race and poor seeding in generateRandomString() (closes: #1071974, CVE-2024-36048). - Add one new symbol to debian/libqt5networkauth5.symbols. Checksums-Sha1: 1f9a38caa6b98f0e1694c650edaed601a2caf6e4 2902 qtnetworkauth-everywhere-src_5.15.13-3.dsc d26c05fe5f74d987bf3d068fbb7a2d5f76b4d179 9432 qtnetworkauth-everywhere-src_5.15.13-3.debian.tar.xz e488bc90bd836bd1e0fc0ad3416e0a8a4edb4605 11872 qtnetworkauth-everywhere-src_5.15.13-3_source.buildinfo Checksums-Sha256: f3748ba8fbc5d976b3558f56eeea5782f145db3f4ebeeef9afdc2512b91c8087 2902 qtnetworkauth-everywhere-src_5.15.13-3.dsc 7cc912946d198c215e18eb2594a69f576ff83f44e77d64c51254605c3f0ca70b 9432 qtnetworkauth-everywhere-src_5.15.13-3.debian.tar.xz e045b642751013634be4e81215871fcce541798f24eb3d70041f36af8adb5430 11872 qtnetworkauth-everywhere-src_5.15.13-3_source.buildinfo Files: 1dbb8038380e4384b8bbf048fb1402bb 2902 libs optional qtnetworkauth-everywhere-src_5.15.13-3.dsc 60f1b8723d229621ed7a81e251fb5421 9432 libs optional qtnetworkauth-everywhere-src_5.15.13-3.debian.tar.xz 975717f4c3c823cdb2af0422a154ddc5 11872 libs optional qtnetworkauth-everywhere-src_5.15.13-3_source.buildinfo -----BEGIN PGP SIGNATURE----- iQJHBAEBCgAxFiEEq2sdvrA0LydXHe1qsmYUtFL0RrYFAmZZb6ETHG1pdHlhNTdA ZGViaWFuLm9yZwAKCRCyZhS0UvRGtvX2D/4wjm5UR3zhreVGNNrtJ+38SAwWctJa BUxwhBtnZq64BJLrgTmqJdYRcBQYEwVOwhCxn3vKkEng39mzvS+P/Mcpzy4ko4/S 8wESQcUZywrcoT6CqS4521WdzMchmmc0YE+O/9uWewzt9Addt0lUy3mafJ7DXjgX 1a4QcJ0U9JPImDHKy7aaSkxuvRPfOq4GNFbtusqbIZTKps8UPmJlsIrmSw1TgtQc /hjortzX5SDVhXj5IgIki++TfiFfids9RJ/rPWUDBjopAHeedLvHZZPZaO+G0rLQ l7/kksHr3ypNEfiePLMb9ByStWXmcejpDNBO4QQzwWuj2d8kTm16wZuXk6UQgaxm 1xgF3t52axosOhkxdPbDgWkr1NkezZi4j82PFAexs5ghyu3I1oqpAPMH6ZBPLqSA 6vdEcWY8RW5AoLgaSWb5kznFtPhvU2Z6IBOykUbcKYuvCWGPeRBsPnfnXU2YglLy obA21USLSWldBDPN6gw0XPoM0z2apjuCqwB1F7vyht4UKRlJX2xOJ6urAUNTXA1P pgoVRhw8G0HDD/s/1EuaKwlWEJXXRG++i1ie0EgA59kDueCJHsWnPm5FEawV6gWN w4l46t3PlSpgnABTkgWE018e0tOfsUmEgh6agNNk/R2Y9M+ffeKJDGEhS5kfp9MT QAagdw70LlMhPw== =NE0B -----END PGP SIGNATURE-----Attachment: pgppsvhoLhfdB.pgp
Description: PGP signature
--- End Message ---