Summary: | x11-libs/qt-core: Remote DoS Vulnerability (CVE-2010-2621) | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | minor | | |
Priority: | High | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://qt.gitorious.com/qt/qt/commit/c25c7c9bdfade6b906f37ac8bad44f6f0de57597 | | |
Whiteboard: | B3 [noglsa] | | |
Package list: | | Runtime testing required: | --- |
Description

Tim Sammut (RETIRED)
2010-09-02 22:42:14 UTC

CVE-2010-2621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2621): The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.

Looks like $URL is the commit to fix this issue.

Since this issue is fixed in Qt >=4.7, we will simply remove the vulnerable version. @security: is a GLSA still needed then?

(In reply to comment #3)
> Since this issue is fixed in Qt >=4.7, we will simply remove the vulnerable
> version. @security: is a GLSA still needed then?

Yeah, we may need a GLSA since the vulnerable package was stable. The GLSA yes/no decision in this case is made by the team since this only rates B3.

Is there a fixed option for sparc?

See bug 335730#c3

Last remaining affected version now masked pending removal. Thank you all.

Affected version removed from tree.

Removing qt from CC, nothing to do here for us anymore.

I think we're past this now.

GLSA Vote: no.

GLSA vote: yes.

Too old, do not want. It also sounds a lot like an application crash only. Vote: NO. Closing noglsa.