qt6-base: CVE-2023-34410

Related Vulnerabilities: CVE-2023-34410  

Debian Bug report logs - #1037209

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 7 Jun 2023 19:03:02 UTC

Severity: important

Tags: security, upstream

Found in version qt6-base/6.4.2+dfsg-10

Fixed in version qt6-base/6.4.2+dfsg-11

Done: Patrick Franz <deltaone@debian.org>


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#1037209; Package src:qt6-base. (Wed, 07 Jun 2023 19:03:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Wed, 07 Jun 2023 19:03:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qt6-base: CVE-2023-34410
Date: Wed, 07 Jun 2023 20:58:47 +0200
Source: qt6-base
Version: 6.4.2+dfsg-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:qtbase-opensource-src 5.15.8+dfsg-11
Control: retitle -2 qtbase-opensource-src: CVE-2023-34410

Hi,

The following vulnerability was published for Qt.

CVE-2023-34410[0]:
| An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and
| 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS
| does not always consider whether the root of a chain is a configured
| CA certificate.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-34410
    https://www.cve.org/CVERecord?id=CVE-2023-34410

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- System Information:
Debian Release: 12.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 6.3.0-0-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_DIE, TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Bug 1037209 cloned as bug 1037210. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 07 Jun 2023 19:03:04 GMT)


Reply sent to Patrick Franz <deltaone@debian.org>:
You have taken responsibility. (Wed, 07 Jun 2023 20:27:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 07 Jun 2023 20:27:03 GMT)


Message #12 received at 1037209-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1037209-close@bugs.debian.org
Subject: Bug#1037209: fixed in qt6-base 6.4.2+dfsg-11
Date: Wed, 07 Jun 2023 20:23:25 +0000
Source: qt6-base
Source-Version: 6.4.2+dfsg-11
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
qt6-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1037209@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated qt6-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 07 Jun 2023 21:54:59 +0200
Source: qt6-base
Architecture: source
Version: 6.4.2+dfsg-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1037209
Changes:
 qt6-base (6.4.2+dfsg-11) unstable; urgency=medium
 .
   [ Patrick Franz ]
   * Add patch to fix CVE-2023-34410 (Closes: #1037209).
Checksums-Sha1:
 1d56d61da63560454772fa3533654e695f1bcfb9 4834 qt6-base_6.4.2+dfsg-11.dsc
 61018b50ee3ad14bba588c7d093f6fa33c995768 182484 qt6-base_6.4.2+dfsg-11.debian.tar.xz
 bbd24c5533f07f265e03aedf452c4ee5a2276a25 9418 qt6-base_6.4.2+dfsg-11_source.buildinfo
Checksums-Sha256:
 76ec053d559fe0aa60f2cab8b8898603d15c4096ec7363182a1950d47fce9067 4834 qt6-base_6.4.2+dfsg-11.dsc
 bfb90539eeb79a315db54bbba0ce5910cad97d7074b2c59d35987528ae44e5e4 182484 qt6-base_6.4.2+dfsg-11.debian.tar.xz
 b2fdf61993594cb7c90556d7bebddd871b77deb36a0772005b3886ac4d9b79c0 9418 qt6-base_6.4.2+dfsg-11_source.buildinfo
Files:
 613f30dd30ccddd2137bd20b4610ed9e 4834 libs optional qt6-base_6.4.2+dfsg-11.dsc
 9d31dbe9e95a9f3bff40bc930f5d9b32 182484 libs optional qt6-base_6.4.2+dfsg-11.debian.tar.xz
 2d0234103154c8f17c99e6a67ad5dd70 9418 libs optional qt6-base_6.4.2+dfsg-11_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEYodBXDR68cxZHu3Knp96YDB3/lYFAmSA420ACgkQnp96YDB3
/lZ7gRAAxBGPJOTPrhxG8roS+m4Gp+lS6yOf5+9rQQsc7AmRm9Magq+U6SpRwu6b
YgPatwmrausE494ig61vuo4LChEYBFxmaORnGagn+kVsPkZIbUrhZmHL64e7LrH5
dzKPPVfQMRqhcN/XnyE3fGns4ORK6D5RHGl6O5qu5cHslXeEArtWRtW1RSuwzFm2
3+ztc3mUgHFZ3k3vUdDlv/x0EBVNkcjcUwExVX3iQ6rgW8BQEF06vx/4K3b7iFHo
frGjqvxJjxv2FUADs3av29vJ6mHgoSCWR77ihypuTFL1D8sDFqXMORR6tgtN6d0O
jt31MWqhrbBTgnuUaOg8Oja25Qv2bXE1SzPItW2ntDoRhdkWghIZtVz4iT/40EKn
K+Fo/8iwZx0ZnInkLfcyMi9EVpvPTDId22OSxSwextfq0hqog1vXEsbR083SZOP6
wpj/byB8dg150bmCqKTyzuexLbftWpI3FhSNhrngTfLkGLweOX3wQsm6NtRE9eAH
hNhiOkkYdp24seuQHXHLpcU+UsbXExPxOEQ0j2I47e3BkapGNiJtmvnMhmlZrYNF
XokGecMtw8lo7/aDWca/37PphFYhB7LLwgNKHtemQEm2NfTNEzxhrqJxuMCu5iic
L6I43TN/x8YCoKs9Z2EatArx3KqRWEVmAApkM8cnf1Ym+Y6ddqc=
=MiKU
-----END PGP SIGNATURE-----

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jun 8 18:32:56 2023; Machine Name: buxtehude