Your message dated Sun, 14 Jul 2024 16:06:24 +0000
with message-id <E1sT1k0-002Ipy-Bn@fasolo.debian.org>
and subject line Bug#1076293: fixed in qtbase-opensource-src 5.15.13+dfsg-3
has caused the Debian Bug report #1076293,
regarding qtbase-opensource-src: CVE-2024-39936
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1076293: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1076293
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: qt6-base: CVE-2024-39936
- From: Salvatore Bonaccorso <carnil@debian.org>
- Date: Sat, 13 Jul 2024 21:21:54 +0200
- Message-id: <172089851465.605100.7260113123051558086.reportbug@eldamar.lan>

Source: qt6-base
Version: 6.6.2+dfsg-9
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: forwarded -1 https://codereview.qt-project.org/c/qt/qtbase/+/571601
Control: clone -1 -2
Control: reassign -2 src:qtbase-opensource-src 5.15.13+dfsg-2
Control: retitle -2 qtbase-opensource-src: CVE-2024-39936

Hi,

The following vulnerability was published for QT.

CVE-2024-39936[0]:
| An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before
| 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x
| before 6.7.3. Code to make security-relevant decisions about an
| established connection may execute too early, because the
| encrypted() signal has not yet been emitted and processed..

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-39936
    https://www.cve.org/CVERecord?id=CVE-2024-39936
[1] https://codereview.qt-project.org/c/qt/qtbase/+/571601

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
--- Begin Message ---
- To: 1076293-close@bugs.debian.org
- Subject: Bug#1076293: fixed in qtbase-opensource-src 5.15.13+dfsg-3
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 14 Jul 2024 16:06:24 +0000
- Message-id: <E1sT1k0-002Ipy-Bn@fasolo.debian.org>
- Reply-to: Dmitry Shachnev <mitya57@debian.org>

Source: qtbase-opensource-src
Source-Version: 5.15.13+dfsg-3
Done: Dmitry Shachnev <mitya57@debian.org>

We believe that the bug you reported is fixed in the latest version of
qtbase-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1076293@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev <mitya57@debian.org> (supplier of updated qtbase-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 14 Jul 2024 18:35:58 +0300
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.13+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Dmitry Shachnev <mitya57@debian.org>
Closes: 1076293
Changes:
 qtbase-opensource-src (5.15.13+dfsg-3) unstable; urgency=medium
 .
   * Backport upstream patch to delay any communication until encrypted()
     can be responded to (CVE-2024-39936, closes: #1076293).
   * Populate ${libssl:Depends} properly for libqt5network5t64.
--- End Message ---