Comment 1 Stefan Behte (RETIRED) 2010-09-03 21:47:24 UTC

CVE-2010-2621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2621):
  The QSslSocketBackendPrivate::transmit function in
  src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows
  remote attackers to cause a denial of service (infinite loop) via a
  malformed request.

Comment 2 Tim Sammut (RETIRED) 2012-06-03 22:43:43 UTC

Looks like $URL is the commit to fix this issue.

Comment 3 Ben de Groot (RETIRED) 2012-06-04 05:59:44 UTC

Since this issue is fixed in Qt >=4.7, we will simply remove the vulnerable version. @security: is a GLSA still needed then?

Comment 4 Tim Sammut (RETIRED) 2012-06-10 23:33:54 UTC

(In reply to comment #3)
> Since this issue is fixed in Qt >=4.7, we will simply remove the vulnerable
> version. @security: is a GLSA still needed then?

Yeah, we may need a GLSA since the vulnerable package was stable. The GLSA yes/no decision in this case is made by the team since this only rates B3.

Is there an fixed option for sparc?

Comment 5 Ben de Groot (RETIRED) 2012-06-11 05:29:02 UTC

See bug 335730#c3

Comment 6 Ben de Groot (RETIRED) 2012-06-14 08:22:58 UTC

Last remaining affected version now masked pending removal.

Comment 7 Johannes Huber (RETIRED) 2012-07-09 11:48:03 UTC

Thank you all. Affected version removed from tree. Removing qt from CC, nothing to do here for us anymore.

Comment 8 Tim Sammut (RETIRED) 2012-08-16 05:25:04 UTC

I think we're past this now. GLSA Vote: no.

Comment 9 Sean Amoss (RETIRED) 2012-09-19 10:34:06 UTC

GLSA vote: yes.

Comment 10 Stefan Behte (RETIRED) 2012-12-16 21:43:58 UTC

Too old, do not want.
It also sounds a lot like an application crash only.
Vote: NO.
Closing noglsa.