+++ This bug was initially created as a clone of Bug #281818 +++
CVE-2009-1725 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1725):
WebKit in Apple Safari before 4.0.2 does not properly handle numeric character references, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted HTML document.
All versions in the tree are affected, see the blocker for a patch.
I've added the patch to qt-webkit-4.4.2-r2, 4.5.1-r1 and 4.5.2-r1.
Arches please test and mark as stable:
- x11-libs/qt-webkit-4.4.2-r2
- x11-libs/qt-webkit-4.5.1-r1
(For those arches who haven't stabled 4.5.1 yet, please mark the rest of Qt 4.5.1 as stable too, so we can remove 4.4.2. If it's not too much trouble...)
x86 stable
Stable for HPPA.
ppc stable
Stable on alpha.
arm/ia64 stable
amd64 stable
ppc64: *ping* :)
Please don't bother with the versions mentioned in this bug anymore. Move on to 4.5.3 immediately (bug 290922).
ppc64 marked stable.
Security: you could issue a joint GLSA for this bug and bug 283810, once hppa has marked 4.5.3 stable, which I've been told would probably be today. The advice would then be to upgrade to >=4.5.3 which has both issues fixed. Though I don't know what your policy is on cases like this.
GLSA request filed.
Thanks all. Affected version gone from tree. Removing qt from cc.
No GLSA for you.