Re: [security] only latest Qt 5.14.1 has all fixes

But that's not the only CVE fixed in Qt 5.14.1.
The point is that there is other software using Qt that doesn't start with K, even though K works just fine with 5.14 in the experience of other distributions.

Though all software that uses unpatched Qt is affected by its security issues.

Affected by these new circumstances is not only @fedoraproject but, as a bonus, also RHEL / CentOS, unless RH is paying Qt for the LTS, or RH backports or provides the latest Qt (at least very soon, regarding the LTS).

The best approach is probably to provide a repo with the latest Qt version for Fedora; whoever wants to use their security-free old tested version can do so, and others can use the newest secure upstream Qt version. As a former user of openSUSE I gotta say that they have solved this very elegantly. Multiple repos, for example for Qt, are created easily. You can even bump version numbers or do simple changes to spec files from your phone or any other web-capable host, a very welcoming build system. Back then, with OBS, as an openSUSE user I was maintaining more than a dozen packages.

I will be gathering a list of all the CVEs later that would need to be backported (to 5.12 and Qt 5.13) unless there is another solution, although I think crash fixes should be backported as well. As there is no option to use a good Qt version on Fedora, whereas other distributions do provide an option to use a secure Qt version, maybe a public comparison is needed.

BR,
Damian


On Tue, 28 Jan 2020, 23:58 Rex Dieter, <rdieter@xxxxxxxxxxxx> wrote:
Kevin Kofler wrote:

> Rex Dieter wrote:
>> Latest CVE there has a backported fix applied to fedora's packaging, and
>> is currently in bodhi updates-testing,
>> https://bodhi.fedoraproject.org/updates/FEDORA-2020-9139ba5469
>> https://bodhi.fedoraproject.org/updates/FEDORA-2020-e9b85978d4
>
> But that's only QtBase. QtWebEngine has dozens of security fixes again in
> 5.14.0 and 5.14.1 and our package is stuck on 5.13.2. (5.14.0 adds the
> fixes from Chrom* 78, 5.14.1 the ones from Chrom* 79. 5.13.2 only has
> security fixes up to Chrom* 77.)

QtBase was the primary CVE mentioned in the original link.

QtWebengine packaging is less restricted as far as updates and pretty sure
that wasn't the point of the original post.

-- Rex
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx