Your message dated Thu, 04 Sep 2025 17:59:28 +0000 with message-id <[🔎] E1uuEF6-009us6-0t@fasolo.debian.org> and subject line Bug#1111522: Removed package(s) from unstable has caused the Debian Bug report #1069574, regarding age-old and insecure webkit package to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 1069574: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069574 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: age-old and insecure webkit package
- From: Hadmut Danisch <hadmut@danisch.de>
- Date: Sat, 20 Apr 2024 21:23:37 +0300
- Message-id: <97426d46-80c4-417a-b464-aa9ceb567cba@danisch.de>
Package: libqt5webkit5
Version: 5.212.0~alpha4-30
Hi,
this was originally a bug report against Ubuntu 24.04 as 2061191, but since the package is community maintained and not by Ubuntu, they asked me to report it "upstreams".
Ubuntu 24.04 beta / Debian bookworm still use libqt5webkit5.
It is not obvious, where it comes from, but the version is still an alpha4, and the link in the README seems to suggest, that it still comes from https:/
/github. , which redirects to https:/com/annulen/ webkit /github. , where the alpha4 tag is over 4 years old.com/qtwebkit/ qtwebkit There, the latest README tells:
Code in this repository is obsolete. If you are looking for up-to-date QtWebKit use this fork: https:/
/github. com/movableink/ webkit https:/
/github. seems to be still maintained – more or less. And calls itself "inofficial mirror"com/movableink/ webkit Have a look at
https:/
/blogs. gnome.org/ mcatanzaro/ 2022/11/ 04/stop- using-qtwebkit/ which calls qtwebkit insecure, poorly maintained, and cites CVEs about remote code execution (some of them would have to be fixed in the fork, but probably not in the version here in ubuntu).
The problem is, that tools like wkhtmltopdf do use this library and are typically used to pull contents from a given URL, i.e. from foreign websites.
Processing foreign HTML and _javascript_ code in conjunction with vulnerabilities to remote code execution, this is highly dangerous.
regards
Hadmut
--- End Message ---
--- Begin Message ---
- To: 754165-done@bugs.debian.org,779569-done@bugs.debian.org,1015646-done@bugs.debian.org,1048126-done@bugs.debian.org,1069574-done@bugs.debian.org,1093096-done@bugs.debian.org,1113453-done@bugs.debian.org,
- Cc: qtwebkit-opensource-src@packages.debian.org
- Subject: Bug#1111522: Removed package(s) from unstable
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Thu, 04 Sep 2025 17:59:28 +0000
- Message-id: <[🔎] E1uuEF6-009us6-0t@fasolo.debian.org>
Version: 5.212.0~alpha4-42+rm Dear submitter, as the package qtwebkit-opensource-src has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/1111522 The version of this package that was in Debian prior to this removal can still be found using https://snapshot.debian.org/. Please note that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org. Debian distribution maintenance software pp. Thorsten Alteholz (the ftpmaster behind the curtain)
--- End Message ---