
Mageia alert MGASA-2013-0053 (qt4)

From:  Mageia Updates <buildsystem-daemon@mageia.org>
To:  updates-announce@ml.mageia.org
Subject:  [updates-announce] MGASA-2013-0053: qt4-4.8.4-1.1.mga2 (2/core)
Date:  Sat, 16 Feb 2013 20:25:57 +0100
Message-ID:  <20130216192556.GA29236@valstar.mageia.org>

MGASA-2013-0053

Date: February 16th, 2013
Affected releases: 2
Media: Core

Description:

Updated qt4 packages fix security vulnerabilities:

A security vulnerability has been discovered in the SSL/TLS protocol, which affects connections using compression. The protocol, as used by Qt before 4.8.4, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack (CVE-2012-4929).

The XMLHttpRequest object in Qt is intended to offer similar behaviour to that in web browsers, though it intentionally does not enforce the same-origin policy. It has been determined that the implementation in Qt will allow redirection from http to file schemes, which may allow an attacker performing a man-in-the-middle attack to cause QML applications to leak sensitive information (CVE-2012-5624).

A security flaw was found in the way the QSslSocket implementation of Qt, a software toolkit for application development, performed certificate verification callbacks when the Qt libraries were used with a different OpenSSL version than the one they were compiled against. In such a scenario, this would result in a connection error, but with the SSL error list containing QSslError::NoError instead of the proper reason for the error. This might result in a confusing error being presented to end users, possibly encouraging them to ignore the SSL errors for the site the connection was initiated against (CVE-2012-6093).

Two intermediate CA certificates were mis-issued by the TURKTRUST certificate authority. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information (CVE-2013-0743).

The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server (CVE-2013-0254).

This update provides Qt4 4.8.4, which disables SSL/TLS compression by default to mitigate CVE-2012-4929 and makes the rules for redirects a bit stricter to mitigate CVE-2012-5624. Patches from upstream have been included to fix CVE-2013-0254 by forcing all System V shared memory segments to be created with user-only permissions, to fix CVE-2012-6093 by using the correct public API in OpenSSL, and to fix CVE-2013-0743 by blacklisting the invalid certificates.

Updated Packages:

i586:
libqt3support4-4.8.4-1.1.mga2.i586.rpm
libqt4-devel-4.8.4-1.1.mga2.i586.rpm
libqtclucene4-4.8.4-1.1.mga2.i586.rpm
libqtcore4-4.8.4-1.1.mga2.i586.rpm
libqtdbus4-4.8.4-1.1.mga2.i586.rpm
libqtdeclarative4-4.8.4-1.1.mga2.i586.rpm
libqtdesigner4-4.8.4-1.1.mga2.i586.rpm
libqtgui4-4.8.4-1.1.mga2.i586.rpm
libqthelp4-4.8.4-1.1.mga2.i586.rpm
libqtmultimedia4-4.8.4-1.1.mga2.i586.rpm
libqtnetwork4-4.8.4-1.1.mga2.i586.rpm
libqtopengl4-4.8.4-1.1.mga2.i586.rpm
libqtscript4-4.8.4-1.1.mga2.i586.rpm
libqtscripttools4-4.8.4-1.1.mga2.i586.rpm
libqtsql4-4.8.4-1.1.mga2.i586.rpm
libqtsvg4-4.8.4-1.1.mga2.i586.rpm
libqttest4-4.8.4-1.1.mga2.i586.rpm
libqtxml4-4.8.4-1.1.mga2.i586.rpm
libqtxmlpatterns4-4.8.4-1.1.mga2.i586.rpm
qt4-accessibility-plugin-4.8.4-1.1.mga2.i586.rpm
qt4-assistant-4.8.4-1.1.mga2.i586.rpm
qt4-common-4.8.4-1.1.mga2.i586.rpm
qt4-database-plugin-mysql-4.8.4-1.1.mga2.i586.rpm
qt4-database-plugin-pgsql-4.8.4-1.1.mga2.i586.rpm
qt4-database-plugin-sqlite-4.8.4-1.1.mga2.i586.rpm
qt4-database-plugin-tds-4.8.4-1.1.mga2.i586.rpm
qt4-demos-4.8.4-1.1.mga2.i586.rpm
qt4-designer-4.8.4-1.1.mga2.i586.rpm
qt4-designer-plugin-qt3support-4.8.4-1.1.mga2.i586.rpm
qt4-designer-plugin-webkit-4.8.4-1.1.mga2.i586.rpm
qt4-devel-private-4.8.4-1.1.mga2.noarch.rpm
qt4-doc-4.8.4-1.1.mga2.noarch.rpm
qt4-examples-4.8.4-1.1.mga2.i586.rpm
qt4-graphicssystems-plugin-4.8.4-1.1.mga2.i586.rpm
qt4-linguist-4.8.4-1.1.mga2.i586.rpm
qt4-qdoc3-4.8.4-1.1.mga2.i586.rpm
qt4-qmlviewer-4.8.4-1.1.mga2.i586.rpm
qt4-qtconfig-4.8.4-1.1.mga2.i586.rpm
qt4-qtdbus-4.8.4-1.1.mga2.i586.rpm
qt4-qvfb-4.8.4-1.1.mga2.i586.rpm
qt4-xmlpatterns-4.8.4-1.1.mga2.i586.rpm
qt4-debug-4.8.4-1.1.mga2.i586.rpm

x86_64:
lib64qt3support4-4.8.4-1.1.mga2.x86_64.rpm
lib64qt4-devel-4.8.4-1.1.mga2.x86_64.rpm
lib64qtclucene4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtcore4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtdbus4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtdeclarative4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtdesigner4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtgui4-4.8.4-1.1.mga2.x86_64.rpm
lib64qthelp4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtmultimedia4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtnetwork4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtopengl4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtscript4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtscripttools4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtsql4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtsvg4-4.8.4-1.1.mga2.x86_64.rpm
lib64qttest4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtxml4-4.8.4-1.1.mga2.x86_64.rpm
lib64qtxmlpatterns4-4.8.4-1.1.mga2.x86_64.rpm
qt4-accessibility-plugin-4.8.4-1.1.mga2.x86_64.rpm
qt4-assistant-4.8.4-1.1.mga2.x86_64.rpm
qt4-common-4.8.4-1.1.mga2.x86_64.rpm
qt4-database-plugin-mysql-4.8.4-1.1.mga2.x86_64.rpm
qt4-database-plugin-pgsql-4.8.4-1.1.mga2.x86_64.rpm
qt4-database-plugin-sqlite-4.8.4-1.1.mga2.x86_64.rpm
qt4-database-plugin-tds-4.8.4-1.1.mga2.x86_64.rpm
qt4-demos-4.8.4-1.1.mga2.x86_64.rpm
qt4-designer-4.8.4-1.1.mga2.x86_64.rpm
qt4-designer-plugin-qt3support-4.8.4-1.1.mga2.x86_64.rpm
qt4-designer-plugin-webkit-4.8.4-1.1.mga2.x86_64.rpm
qt4-devel-private-4.8.4-1.1.mga2.noarch.rpm
qt4-doc-4.8.4-1.1.mga2.noarch.rpm
qt4-examples-4.8.4-1.1.mga2.x86_64.rpm
qt4-graphicssystems-plugin-4.8.4-1.1.mga2.x86_64.rpm
qt4-linguist-4.8.4-1.1.mga2.x86_64.rpm
qt4-qdoc3-4.8.4-1.1.mga2.x86_64.rpm
qt4-qmlviewer-4.8.4-1.1.mga2.x86_64.rpm
qt4-qtconfig-4.8.4-1.1.mga2.x86_64.rpm
qt4-qtdbus-4.8.4-1.1.mga2.x86_64.rpm
qt4-qvfb-4.8.4-1.1.mga2.x86_64.rpm
qt4-xmlpatterns-4.8.4-1.1.mga2.x86_64.rpm
qt4-debug-4.8.4-1.1.mga2.x86_64.rpm

SRPMS:
qt4-4.8.4-1.1.mga2.src.rpm

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
http://qt.digia.com/Release-Notes/security-issue-septembe...
http://lists.qt-project.org/pipermail/announce/2012-Novem...
http://qt.digia.com/Release-Notes/Release-Notes-Qt-484/
http://lists.qt-project.org/pipermail/announce/2013-Janua...
http://lists.qt-project.org/pipermail/announce/2013-Janua...
http://lists.qt-project.org/pipermail/announce/2013-Febru...
http://lists.fedoraproject.org/pipermail/package-announce...
http://lists.opensuse.org/opensuse-updates/2012-10/msg000...
http://lists.fedoraproject.org/pipermail/package-announce...
http://lists.fedoraproject.org/pipermail/package-announce...
http://www.ubuntu.com/usn/USN-1687-1/
https://bugs.mageia.org/show_bug.cgi?id=7998
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-...
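The QSharedMemory issue (CVE-2013-0254) in the advisory above comes down to the permission bits a process passes to shmget(): 0666 makes the segment readable and writable by every local user, and the upstream fix forces user-only permissions instead. The C program below is an added example, not Mageia's or Qt's code. It creates a System V segment with owner-only permissions, reads the mode back with shmctl(IPC_STAT) to confirm what the kernel recorded, and includes an audit helper that flags any segment readable or writable by group or others. It assumes a Linux or other POSIX host with System V IPC available; the segment size and function names are constructed for the example.

```c
/* Added example (not Mageia's or Qt's code): hardened System V shared memory
 * creation and a permission audit, illustrating the CVE-2013-0254 fix.
 * Assumes a Linux/POSIX host with System V IPC available. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>

/* The weak mode the advisory describes: world-readable and world-writable. */
#define SHM_MODE_WEAK  0666
/* The hardened mode: owner read/write only. */
#define SHM_MODE_OWNER 0600

/* Create a fresh private segment of `size` bytes with the given mode bits.
 * shmget() does not apply the umask, so the low 9 bits are used as given.
 * Returns the segment id, or -1 on failure. */
int create_segment(size_t size, int mode)
{
    return shmget(IPC_PRIVATE, size, IPC_CREAT | IPC_EXCL | (mode & 0777));
}

/* Return the permission bits (0..0777) of an existing segment, or -1. */
int segment_mode(int shmid)
{
    struct shmid_ds ds;
    if (shmctl(shmid, IPC_STAT, &ds) == -1)
        return -1;
    return (int)(ds.shm_perm.mode & 0777);
}

/* Audit: 1 if group or others have any access bit set, 0 if owner-only,
 * -1 on error. This is the check a local hardening scan would run over
 * the segment ids listed by `ipcs -m`. */
int segment_is_shared_beyond_owner(int shmid)
{
    int mode = segment_mode(shmid);
    if (mode < 0)
        return -1;
    return (mode & 077) != 0;
}

/* Create a segment the hardened way, read its mode back from the kernel,
 * remove it, and return the mode (or -1 on failure). */
int create_and_check_owner_only(void)
{
    int id = create_segment(4096, SHM_MODE_OWNER);   /* size is constructed */
    if (id == -1)
        return -1;
    int mode = segment_mode(id);
    shmctl(id, IPC_RMID, NULL);
    return mode;
}

/* Create a segment with the weak 0666 mode, run the audit over it, remove
 * it, and return the audit result (1 = flagged, 0 = clean, -1 = error). */
int weak_segment_is_flagged(void)
{
    int id = create_segment(4096, SHM_MODE_WEAK);
    if (id == -1)
        return -1;
    int flagged = segment_is_shared_beyond_owner(id);
    shmctl(id, IPC_RMID, NULL);
    return flagged;
}

int main(void)
{
    int mode = create_and_check_owner_only();
    if (mode < 0) {
        fprintf(stderr, "shmget/shmctl failed: %s\n", strerror(errno));
        return 1;
    }
    printf("hardened segment mode: %04o (owner-only: %s)\n", mode,
           (mode & 077) == 0 ? "yes" : "no");
    printf("weak 0666 segment flagged by audit: %d\n", weak_segment_is_flagged());
    return 0;
}
```

The segment is removed with IPC_RMID in both helpers so the example leaves nothing behind; a real audit would instead iterate over the ids reported by `ipcs -m` and report every segment for which segment_is_shared_beyond_owner() returns 1.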
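For CVE-2012-5624 the advisory states only that Qt 4.8.4 makes the redirect rules stricter; it does not spell out the rule. The C code below is an added illustration, not Qt's implementation: a scheme allow-list that follows a redirect only when both the origin and the target use http or https (a relative target inherits the origin's scheme), so an http-to-file redirect of the kind described above is refused before any request is issued on the new URL. The function names, the exact policy, and the sample URLs are constructed for this example.

```c
/* Added example (not Qt's code): a scheme allow-list for HTTP redirects,
 * illustrating the class of check that mitigates CVE-2012-5624. The policy
 * here is an assumption for the example, not the rule Qt 4.8.4 adopted. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy the URL scheme (RFC 3986: ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")),
 * lower-cased, into `out`. Returns 1 on success, 0 if the string does not
 * start with a valid scheme or the scheme does not fit in `out`. */
int url_scheme(const char *url, char *out, size_t outlen)
{
    if (!url || !isalpha((unsigned char)url[0]))
        return 0;
    size_t i = 0;
    while (url[i] && url[i] != ':') {
        unsigned char c = (unsigned char)url[i];
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.'))
            return 0;
        if (i + 1 >= outlen)           /* leave room for the terminator */
            return 0;
        out[i] = (char)tolower(c);
        i++;
    }
    if (url[i] != ':')
        return 0;
    out[i] = '\0';
    return 1;
}

/* RFC 3986: a reference is relative when no ':' precedes the first
 * '/', '?' or '#'. Relative targets are resolved against the origin and
 * therefore keep the origin's scheme. */
static int looks_absolute(const char *url)
{
    for (const char *p = url; *p; p++) {
        if (*p == ':')
            return 1;
        if (*p == '/' || *p == '?' || *p == '#')
            return 0;
    }
    return 0;
}

static int is_network_scheme(const char *s)
{
    return strcmp(s, "http") == 0 || strcmp(s, "https") == 0;
}

/* Decide whether a redirect from `from_url` to `to_url` may be followed.
 * Assumed policy: the origin must be http/https and the target must be
 * http/https (or relative), so http -> file, http -> qrc, etc. are refused.
 * Returns 1 to follow, 0 to refuse. */
int redirect_allowed(const char *from_url, const char *to_url)
{
    char from[16], to[16];
    if (!from_url || !to_url || !*to_url)
        return 0;
    if (!url_scheme(from_url, from, sizeof from) || !is_network_scheme(from))
        return 0;                      /* only network origins may redirect */
    if (!looks_absolute(to_url))
        return 1;                      /* relative: inherits the origin scheme */
    if (!url_scheme(to_url, to, sizeof to))
        return 0;                      /* malformed or overlong scheme */
    return is_network_scheme(to);
}

int main(void)
{
    /* Constructed sample redirects. */
    const char *cases[][2] = {
        { "http://example.test/app.qml", "https://example.test/data.json" },
        { "http://example.test/app.qml", "file:///tmp/data.json" },
        { "http://example.test/app.qml", "/relative/data.json" },
        { "http://example.test/app.qml", "qrc:/main.qml" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%s -> %s : %s\n", cases[i][0], cases[i][1],
               redirect_allowed(cases[i][0], cases[i][1]) ? "follow" : "refuse");
    return 0;
}
```

The check belongs at the point where the client decides whether to honour a Location header, before any request is issued on the target. A production implementation would parse the full URL, resolve relative references against the origin, and apply the same allow-list to every hop of a redirect chain, not just the first.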


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds