ALT-BU-2023-7358-1
Branch sisyphus_riscv64 update bulletin.
Package altlinux-freedesktop-menu updated to version 0.69-alt1 for branch sisyphus_riscv64.
Closed bugs
Добавить категорию System в cinnamon-settings.desktop
Package subversion updated to version 1.14.2-alt2 for branch sisyphus_riscv64.
Closed bugs
rebuild with swig-4.1.1 produces undefined symbol: SWIG_InstallConstants
Package qt6-shadertools updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-declarative updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-translations updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-svg updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-multimedia updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-websockets updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-wayland updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-serialport updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-imageformats updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-connectivity updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-sensors updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-positioning updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-scxml updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-virtualkeyboard updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-networkauth updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-quicktimeline updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-5compat updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-base updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-tools updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-3d updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-charts updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package qt6-webchannel updated to version 6.6.0-alt1 for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-02373
Уязвимость плагина SQL ODBC кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03689
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с ошибками процедуры подтверждения подлинности сертификата, позволяющая нарушителю обойти существующие ограничения безопасности
BDU:2023-03802
Уязвимость компонента QTextLayout кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-03803
Уязвимость кроссплатформенного фреймворка для разработки программного обеспечения Qt, связанная с передачей защищаемой информации в незашифрованном виде, позволяющая нарушителю оказать воздействие на целостность данных
BDU:2023-03876
Уязвимость компонента QDnsLookup кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05105
Уязвимость функции QXmlStreamReader кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-05106
Уязвимость функции QSvgFont (Qt SVG) кроссплатформенного фреймворка для разработки программного обеспечения Qt, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-24607
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/qtbase/+/456216
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
- https://www.qt.io/blog/tag/security
- https://www.qt.io/blog/tag/security
Modified: 2025-01-28
CVE-2023-32573
In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled.
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- https://codereview.qt-project.org/c/qt/qtsvg/+/474093
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-32762
An issue was discovered in Qt before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. Qt Network incorrectly parses the strict-transport-security (HSTS) header, allowing unencrypted connections to be established, even when explicitly prohibited by the server. This happens if the case used for this header does not exactly match.
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- https://codereview.qt-project.org/c/qt/qtbase/+/476140
- https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
Modified: 2024-11-21
CVE-2023-32763
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- GLSA-202402-03
- https://codereview.qt-project.org/c/qt/qtbase/+/476125
- GLSA-202402-03
- https://lists.qt-project.org/pipermail/announce/2023-May/000413.html
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
Modified: 2024-11-21
CVE-2023-33285
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Modified: 2025-03-21
CVE-2023-34410
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/477560
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- https://codereview.qt-project.org/c/qt/qtbase/+/480002
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- FEDORA-2023-0d4b3316f6
- FEDORA-2023-0d4b3316f6
Modified: 2024-11-21
CVE-2023-37369
In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
- https://bugreports.qt.io/browse/QTBUG-114829
- https://bugreports.qt.io/browse/QTBUG-114829
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- https://codereview.qt-project.org/c/qt/qtbase/+/455027
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-fd45b50121
- FEDORA-2023-fd45b50121
- FEDORA-2023-0e68827d36
- FEDORA-2023-0e68827d36
Modified: 2024-11-21
CVE-2023-38197
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- https://codereview.qt-project.org/c/qt/qtbase/+/488960
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- [debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-5ead27b6d2
- FEDORA-2023-364ae10761
- FEDORA-2023-364ae10761
- FEDORA-2023-ff372f9829
- FEDORA-2023-ff372f9829
Package kernel-image-un-def updated to version 6.5.11-alt1.0.port for branch sisyphus_riscv64.
Closed vulnerabilities
BDU:2023-07513
Уязвимость функции io_uring_show_fdinfo() в модуле io_uring/fdinfo.c подсистемы io_uring ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
BDU:2023-07688
Уязвимость функции brcmf_cfg80211_detach() в модуле drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c драйвера беспроводной связи brcm80211 ядра операционной системы Linux, позволяющая нарушителю вызвать отказ в обслуживании
Modified: 2024-11-21
CVE-2023-46862
An issue was discovered in the Linux kernel through 6.5.9. During a race with SQ thread exit, an io_uring/fdinfo.c io_uring_show_fdinfo NULL pointer dereference can occur.
- https://bugzilla.kernel.org/show_bug.cgi?id=218032#c4
- https://bugzilla.kernel.org/show_bug.cgi?id=218032#c4
- https://github.com/torvalds/linux/commit/7644b1a1c9a7ae8ab99175989bfc8676055edb46
- https://github.com/torvalds/linux/commit/7644b1a1c9a7ae8ab99175989bfc8676055edb46
- [debian-lts-announce] 20240111 [SECURITY] [DLA 3711-1] linux-5.10 security update
- [debian-lts-announce] 20240111 [SECURITY] [DLA 3711-1] linux-5.10 security update
Modified: 2025-03-06
CVE-2023-47233
The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this "could be exploited in a real world scenario." This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.
- https://bugzilla.suse.com/show_bug.cgi?id=1216702
- https://bugzilla.suse.com/show_bug.cgi?id=1216702
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0f7352557a35ab7888bc7831411ec8a3cbe20d78
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0f7352557a35ab7888bc7831411ec8a3cbe20d78
- [debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update
- [debian-lts-announce] 20240625 [SECURITY] [DLA 3842-1] linux-5.10 security update
- [debian-lts-announce] 20240627 [SECURITY] [DLA 3840-1] linux security update
- [debian-lts-announce] 20240627 [SECURITY] [DLA 3840-1] linux security update
- https://lore.kernel.org/all/20231104054709.716585-1-zyytlz.wz%40163.com/
- https://lore.kernel.org/all/20231104054709.716585-1-zyytlz.wz%40163.com/
- https://marc.info/?l=linux-kernel&m=169907678011243&w=2
- https://marc.info/?l=linux-kernel&m=169907678011243&w=2
Package alterator-l10n updated to version 2.9.137-alt5 for branch sisyphus_riscv64.
Closed bugs
Несостыковка в переводе для модуля alterator-audit
Package spirv-cross updated to version 0.57.0-alt0.3.g2de1265f for branch sisyphus_riscv64.
Closed bugs
Просьба собрать статическую библиотеку