** Description changed:

- https://wiki.qt.io/Qt_5.9.6_Change_Files
- https://wiki.qt.io/Qt_5.9.7_Change_Files
- https://wiki.qt.io/Qt_5.9.8_Change_Files
+ [Impact]
+ The currently shipped release of Qt WebEngine (5.9.5) suffers from multiple security issues, because it is based on an outdated Chromium release.

- Upstream Qt 5.9 is a long-term support (LTS) release. Qt 5.9.8 is a bug-
- fix release. It maintains both forward and backward compatibility
- (source and binary) with Qt 5.9.0 through 5.9.7. It would be beneficial
- to have Qt 5.9.8 in Bionic.
+ To enumerate these issues, I want to quote the upstream changelogs for
+ 5.9.6, 5.9.7 and 5.9.8 releases:

- Qtwebengine 5.9.8 Changes
- https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.8/?h=v5.9.8
+ https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.6

- Chromium
- --------
+ - Security fixes from Chromium up to version 66.0.3359.170:
+   * CVE-2018-6120
+   * CVE-2018-6115
+   * CVE-2018-6114
+   * CVE-2018-6118
+   * CVE-2018-6103
+   * CVE-2018-6101
+   * CVE-2018-6101
+   * CVE-2018-6085
+   * CVE-2018-6086
+   * CVE-2018-6088
+   * CVE-2018-6090
+   * Security Bug 831984
+   * Security Bug 816768
+   * Security Bug 797298
+
+ https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.7?h=5.9
+
+ - Security fixes from Chromium up to version 69.0.3497.113:
+   * CVE-2018-4117
+   * CVE-2018-6124
+   * CVE-2018-6129
+   * CVE-2018-6130
+   * CVE-2018-6132
+   * CVE-2018-6135
+   * CVE-2018-6144
+   * CVE-2018-6145
+   * CVE-2018-6153
+   * CVE-2018-6154
+   * CVE-2018-6155
+   * CVE-2018-6155
+   * CVE-2018-6156
+   * CVE-2018-6159
+   * CVE-2018-6161
+   * CVE-2018-6162
+   * CVE-2018-6165
+   * CVE-2018-16066
+   * CVE-2018-16067
+   * CVE-2018-16068
+   * CVE-2018-16076
+   * CVE-2018-16077
+
+ https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.8?h=5.9
+
  - Security fixes from Chromium up to version 72.0.3626.121
    * CVE-2018-17462
    * CVE-2018-17469
    * CVE-2018-17471
    * CVE-2018-17474
    * CVE-2018-17476
    * CVE-2018-17481
    * CVE-2018-18336
    * CVE-2018-18337
    * CVE-2018-18339
    * CVE-2018-18340
    * CVE-2018-18342
    * CVE-2018-18343
    * CVE-2018-18345
    * CVE-2018-18347
    * CVE-2018-18349
    * CVE-2018-18356
    * CVE-2019-5756
    * CVE-2019-5758
    * CVE-2019-5759
    * CVE-2019-5764
    * CVE-2019-5786
    * Security issue 872189
    * Security issue 877843
    * Security issue 880207
    * Security issue 899689
    * Security issue 900910
    * Security issue 911253
    * Security issue 922677

- The other Qt 5.8.9 components are also a bug-fix release.
+ These issues affect users of browsers based on Qt WebEngine (such as
+ falkon and qutebrowser) and other apps (kmail, akregator).
+
+ There were also some non-security fixes in 5.9.6 release:
+
+ - [QTBUG-64071] Only add the first found widevine CDM
+ - [QTBUG-64925] Fix compilation with system ICU 60
+ - [QTBUG-66560] Remove NOTREACHED in ScreenWin::GetNativeWindowFromHWND
+ - Fix build with GCC 8.1.0
+
+ [Proposed Fix]
+ To fix all these issues, I propose to upgrade to the latest release from upstream 5.9 LTS branch. I think it is better to do this via -proposed rather than -security, to allow more people to test this package before it is moved to -updates.
+
+ [Test Case]
+ Install applications that are using Qt WebEngine (falkon, qutebrowser, konqueror, akregator, kmail, kontact, etc.)
+
+ Make sure they are working properly and can show HTML content.
+
+ [Regression Potential]
+ There are many security fixes in the new release, and they can introduce regressions (e.g. incorrect display of certain HTML pages). There should be no regressions in terms of ABI compatibility, as Qt 5.9 is an LTS branch and upstream developers promise both backward and upward ABI compatibility within this branch.
** Also affects: qtwebengine-opensource-src (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: qtwebengine-opensource-src (Ubuntu)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1830807

Title:
  Update to bug-fix release Qt 5.9.8 to fix security issues in
  qtwebengine in Bionic

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtwebengine-opensource-src/+bug/1830807/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs