105695 2005-09-12 08:31 0000 x11-libs/qt includes vulnerable zlib 2006-03-23 19:45:26 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://www.trolltech.com/developer/changes/changes-3.3.5.html B2? [glsa] jaervosz P2 normal --- 105719 1 jaervosz@gentoo.org security@gentoo.org kde@gentoo.org jaervosz@gentoo.org 2005-09-12 08:31:11 0000 It appears as if qt is using it's own version of zlib if the zlib USE flag is not set. From 3.3.5 Changelog: Added security patches for zlib: CAN-2005-1849, CAN-2005-2096 koon@gentoo.org 2005-09-12 09:01:52 0000 Hm. Let's say USE=-zlib is quite uncommon and rate this B2. koon@gentoo.org 2005-09-17 05:39:26 0000 KDE team: your position on this, please. caleb@gentoo.org 2005-09-18 07:21:25 0000 FYI: 3.3.5 is in portage now, as unstable. koon@gentoo.org 2005-09-18 09:35:32 0000 Thanks Caleb. Is it a candidate for stable right now ? greg_g@gentoo.org 2005-09-19 03:03:42 0000 (In reply to comment #4) > Thanks Caleb. Is it a candidate for stable right now ? I think not, see bug 106402. I suggest to commit qt-3.3.4-r8, the only difference to -r7 being that it forces "-system-zlib" as a compilation option. qt-3.3.4-r7 was ready to go stable, so qt-3.3.4-r8 could go stable right now. jaervosz@gentoo.org 2005-09-19 03:40:39 0000 Back to ebuild status, waiting for a suitable ebuild to mark stable. caleb@gentoo.org 2005-09-19 05:15:37 0000 #5 works for me. jaervosz@gentoo.org 2005-09-19 05:58:57 0000 Yeah it does for me as well if -r8 gets committed. caleb@gentoo.org 2005-09-19 07:06:46 0000 -r8 is committed, but not yet stable on any arches. I don't see why it can't go stable right away, but I'd like one more opinion on the matter (greg?). greg_g@gentoo.org 2005-09-19 08:32:00 0000 I agree that it can go stable right now. Actually I was going to propose -r7 for stable just before this bug showed up. koon@gentoo.org 2005-09-19 08:59:03 0000 OK, let's go then: archs please test and mark 3.3.4-r8 stable Target KEYWORDS="alpha amd64 hppa ia64 mips ppc ppc64 ~ppc-macos sparc x86" cryos@gentoo.org 2005-09-19 10:39:28 0000 This version also introduces a dep on ~dev-db/qt-unixODBC-3.3.4 which isn't currently stable on amd64 and has an open security bug against it (bug 105719) - advise on this please. caleb@gentoo.org 2005-09-19 19:04:33 0000 I've committed a patch to the qt-unixodbc ebuild that should fix the RUNPATH problem. corsair@gentoo.org 2005-09-19 21:15:09 0000 stable on ppc64 gustavoz@gentoo.org 2005-09-20 07:25:06 0000 sparc stable (with qt-unixODBC-3.3.4-r1). hansmi@gentoo.org 2005-09-20 10:27:13 0000 Stable on hppa, ppc cryos@gentoo.org 2005-09-20 11:42:42 0000 Looks good - stable on amd64. ferdy@gentoo.org 2005-09-21 02:34:48 0000 Looks ok on alpha. halcy0n@gentoo.org 2005-09-21 18:43:01 0000 Stable on x86 koon@gentoo.org 2005-09-22 01:59:19 0000 Common GLSA with the qt-unixodbc thing ? jaervosz@gentoo.org 2005-09-22 04:02:54 0000 Let's do a common GLSA with qt. jaervosz@gentoo.org 2005-09-22 04:06:29 0000 with qt-unixodbc of course :-) jaervosz@gentoo.org 2005-09-26 13:56:00 0000 GLSA 200509-18 ia64 and mips don't forget to mark stable to benifit from the GLSA. hardave@gentoo.org 2005-09-28 18:37:05 0000 Stable on mips.