List:       fedora-devel-list
Subject:    Re: [security] only latest Qt 5.14.1 has all fixes
From:       Damian Ivanov <damianatorrpm () gmail ! com>
Date:       2020-01-29 10:43:28
Message-ID: CAPVS_cfqDeSvH2mht7WkfU+C8yE2ZW4BnNeVeUO=JN075iHMzQ () mail ! gmail ! com

But it's not the only CVE fixed with Qt 5.14.1.
The point is that there is other software using Qt which doesn't start with
K, even though K works just fine with 5.14 by the experience of other
distributions.

Though all software is affected by security issues by using unpatched Qt.

Affected by these new circumstances is not only @fedoraproject but, as a
bonus, also RHEL / CentOS, unless RH is paying Qt for the LTS, or RH
backports or provides the latest Qt (at least very soon regarding the LTS).

The best approach is probably to provide a repo with the latest Qt version
for Fedora; whoever wants to use their security-free old tested version can
do so, and others can use the newest secure upstream Qt version. As a former
user of openSUSE I gotta say that they have solved this very elegantly.
Multiple repos, for example for Qt, are created easily. You can even bump
version numbers or do simple changes to spec files from your phone or any
other web-capable host, a very welcoming build system; back then, with OBS,
as an openSUSE user I was maintaining more than a dozen packages.

I will be gathering a list of all the CVEs later that would need to be
backported (to 5.12 and Qt 5.13) unless there is another solution, although
I think crash fixes should be backported as well, as there is no option to
use a good Qt version on Fedora, whereas other distributions do provide an
option to use a secure Qt version; maybe a public comparison is needed.

BR,
Damian


On Tue, 28 Jan 2020, 23:58 Rex Dieter, <rdieter@math.unl.edu> wrote:

> Kevin Kofler wrote:
>
> > Rex Dieter wrote:
> >> Latest CVE there has a backported fix applied to fedora's packaging, and
> >> is currently in bodhi updates-testing,
> >> https://bodhi.fedoraproject.org/updates/FEDORA-2020-9139ba5469
> >> https://bodhi.fedoraproject.org/updates/FEDORA-2020-e9b85978d4
> >
> > But that's only QtBase. QtWebEngine has dozens of security fixes again in
> > 5.14.0 and 5.14.1 and our package is stuck on 5.13.2. (5.14.0 adds the
> > fixes from Chrom* 78, 5.14.1 the ones from Chrom* 79. 5.13.2 only has
> > security fixes up to Chrom* 77.)
>
> QtBase was the primary CVE mentioned in the original link.
>
> QtWebengine packaging is less restricted as far as updates and pretty sure
> that wasn't the point of the original post.
>
> -- Rex
> _______________________________________________
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-leave@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
>
