Hi,

On Sun, Jun 01, 2014 at 11:30:15PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> tag 750141 moreinfo
> thanks
>
> On Monday 02 June 2014 11:19:05 Hamish Moffatt wrote:
> > Package: libqt4-xml
> > Severity: serious
> > Tags: security
> > Justification: security
> >
> > Qt 4.8.6 has a fix for a denial of service attack due to XML entity
> > expansion ("billion laughs attack"). This fix doesn't seem to be in the
> > wheezy packages yet.
> >
> > http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
> >
> > Ubuntu patched their 4.8.4;
> >
> > https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
>
> Hi Hamish! I patched Qt4 for jessie at that time but IIRC (I might be mixing
> CVEs here) when I asked someone from the security team over IRC (or maybe by
> mail, I don't remember now) they told me it wasn't too important to get an
> update in stable.

Yep, per mail. It was on 2013-12-06, where Moritz had written:

Hi Lisandro,
this doesn't warrant a DSA. It can be fixed through a point update, though,
or we can line it up for a future QT DSA.

Cheers,
Moritz

For the BTS, I think this was fixed in 4:4.8.5+git192-g085f851+dfsg-1.

Regards,
Salvatore