Debian Bug report logs - #1037209
qt6-base: CVE-2023-34410
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 7 Jun 2023 19:03:02 UTC
Severity: important
Tags: security, upstream
Found in version qt6-base/6.4.2+dfsg-10
Fixed in version qt6-base/6.4.2+dfsg-11
Done: Patrick Franz <deltaone@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#1037209; Package src:qt6-base. (Wed, 07 Jun 2023 19:03:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Wed, 07 Jun 2023 19:03:04 GMT)
Message #5 received at submit@bugs.debian.org:
Source: qt6-base
Version: 6.4.2+dfsg-10
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: clone -1 -2
Control: reassign -2 src:qtbase-opensource-src 5.15.8+dfsg-11
Control: retitle -2 qtbase-opensource-src: CVE-2023-34410
Hi,
The following vulnerability was published for Qt.
CVE-2023-34410[0]:
| An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and
| 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS
| does not always consider whether the root of a chain is a configured
| CA certificate.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2023-34410
https://www.cve.org/CVERecord?id=CVE-2023-34410
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
-- System Information:
Debian Release: 12.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.3.0-0-amd64 (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_DIE, TAINT_WARN
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Bug 1037209 cloned as bug 1037210. Request was from Salvatore Bonaccorso <carnil@debian.org> to submit@bugs.debian.org. (Wed, 07 Jun 2023 19:03:04 GMT)
Reply sent to Patrick Franz <deltaone@debian.org>: You have taken responsibility. (Wed, 07 Jun 2023 20:27:03 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>: Bug acknowledged by developer. (Wed, 07 Jun 2023 20:27:03 GMT)
Message #12 received at 1037209-close@bugs.debian.org:
Source: qt6-base
Source-Version: 6.4.2+dfsg-11
Done: Patrick Franz <deltaone@debian.org>
We believe that the bug you reported is fixed in the latest version of
qt6-base, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1037209@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated qt6-base package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Wed, 07 Jun 2023 21:54:59 +0200
Source: qt6-base
Architecture: source
Version: 6.4.2+dfsg-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1037209
Changes:
qt6-base (6.4.2+dfsg-11) unstable; urgency=medium
.
[ Patrick Franz ]
* Add patch to fix CVE-2023-34410 (Closes: #1037209).
Checksums-Sha1:
1d56d61da63560454772fa3533654e695f1bcfb9 4834 qt6-base_6.4.2+dfsg-11.dsc
61018b50ee3ad14bba588c7d093f6fa33c995768 182484 qt6-base_6.4.2+dfsg-11.debian.tar.xz
bbd24c5533f07f265e03aedf452c4ee5a2276a25 9418 qt6-base_6.4.2+dfsg-11_source.buildinfo
Checksums-Sha256:
76ec053d559fe0aa60f2cab8b8898603d15c4096ec7363182a1950d47fce9067 4834 qt6-base_6.4.2+dfsg-11.dsc
bfb90539eeb79a315db54bbba0ce5910cad97d7074b2c59d35987528ae44e5e4 182484 qt6-base_6.4.2+dfsg-11.debian.tar.xz
b2fdf61993594cb7c90556d7bebddd871b77deb36a0772005b3886ac4d9b79c0 9418 qt6-base_6.4.2+dfsg-11_source.buildinfo
Files:
613f30dd30ccddd2137bd20b4610ed9e 4834 libs optional qt6-base_6.4.2+dfsg-11.dsc
9d31dbe9e95a9f3bff40bc930f5d9b32 182484 libs optional qt6-base_6.4.2+dfsg-11.debian.tar.xz
2d0234103154c8f17c99e6a67ad5dd70 9418 libs optional qt6-base_6.4.2+dfsg-11_source.buildinfo
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jun 8 18:32:56 2023; Machine Name: buxtehude