FEDORA-2017-e83c26a8c9 created by kkofler 3 years ago for Fedora 26
stable

This update updates QtWebEngine to the 5.9.0 release. QtWebEngine 5.9.0 is part of the Qt 5.9.0 release, but only the QtWebEngine component is included in this update.

The update fixes the following security issues in QtWebEngine 5.8.0: CVE-2017-5006, CVE-2017-5007, CVE-2017-5008, CVE-2017-5009, CVE-2017-5010, CVE-2017-5011, CVE-2017-5012, CVE-2017-5013, CVE-2017-5014, CVE-2017-5015, CVE-2017-5016, CVE-2017-5017, CVE-2017-5018, CVE-2017-5019, CVE-2017-5020, CVE-2017-5021, CVE-2017-5022, CVE-2017-5023, CVE-2017-5024, CVE-2017-5025, CVE-2017-5026, CVE-2017-5027, CVE-2017-5029, CVE-2017-5032, CVE-2017-5033, CVE-2017-5034, CVE-2017-5036, CVE-2017-5039, CVE-2017-5040, CVE-2017-5044, CVE-2017-5045, CVE-2017-5046, CVE-2017-5052, CVE-2017-5053, CVE-2017-5055, CVE-2017-5057, CVE-2017-5058, CVE-2017-5059, CVE-2017-5060, CVE-2017-5061, CVE-2017-5062, CVE-2017-5065, CVE-2017-5066, CVE-2017-5067, CVE-2017-5068, and CVE-2017-5069.

Other important changes include:

  • Based on Chromium 56.0.2924.122 with security fixes from Chromium up to version 58.0.3029.96. (5.8.0 was based on Chromium 53.0.2785.148 with security fixes from Chromium up to version 55.0.2883.75.)
  • [QTBUG-54650, QTBUG-59922] Accessibility is now disabled by default on Linux, like it is in Chrome, due to poor options for enabling it conditionally and its heavy performance impact. Set the environment variable QTWEBENGINE_ENABLE_LINUX_ACCESSIBILITY to enable it again.
  • [QTBUG-56531] Enabled filesystem: protocol handler.
  • [QTBUG-57720] Optimized incremental scene-graph rendering in particular for software rendering.
  • [QTBUG-60049] Enabled brotli support.
  • Many bug fixes, see https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.0?h=5.9 for details.

In addition, this build includes a fix for https://bugreports.qt.io/browse/QTBUG-61521, a binary incompatibility in QtWebEngine 5.9.0 compared to 5.8.0.

How to install

sudo dnf upgrade --advisory=FEDORA-2017-e83c26a8c9
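
A post-upgrade check, added here as an example (it is not part of the advisory or of Fedora's tooling): it classifies a qt5-qtwebengine version-release string against the builds this update names. The function name classify_build, the use of GNU `sort -V` for ordering, and the sample versions 5.8.0-14.fc26 and 5.9.1-1.fc26 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a qt5-qtwebengine version-release string
# against FEDORA-2017-e83c26a8c9. Build numbers are taken from the advisory.
FIXED_VR="5.9.0-4.fc26"     # build this update ships
REMOVED_VR="5.9.0-2.fc26"   # build removed from the update (QTBUG-61521)

# Prints one of: abi-broken | fixed | needs-update
# Ordering uses GNU `sort -V`, an approximation of RPM's version comparison
# that is sufficient for plain numeric version-release strings like these.
classify_build() {
    if [ "$1" = "$REMOVED_VR" ]; then
        echo "abi-broken"
        return 0
    fi
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VR" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED_VR" ]; then
        echo "fixed"
    else
        echo "needs-update"
    fi
}

# Constructed sample inputs, in the format produced by
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' qt5-qtwebengine
for vr in 5.8.0-14.fc26 5.9.0-2.fc26 5.9.0-4.fc26 5.9.1-1.fc26; do
    printf '%-16s %s\n' "$vr" "$(classify_build "$vr")"
done

# Live check, only where rpm and the package are present
# (one line per installed architecture).
if command -v rpm >/dev/null 2>&1 &&
   installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' qt5-qtwebengine 2>/dev/null); then
    for v in $installed; do
        printf 'installed %-16s %s\n' "$v" "$(classify_build "$v")"
    done
fi
```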

This update has been submitted for testing by kkofler.

3 years ago

This update has been pushed to testing.

3 years ago

kkofler edited this update.

3 years ago
lupinix commented & provided feedback 3 years ago

QupZilla (2.1.2-4.fc26) doesn't start, maybe rebuild required?

qupzilla: relocation error: /lib64/libQupZilla.so.2: symbol free, version Qt_5 not defined in file libQt5WebEngineCore.so.5 with link time reference

Rebuilding stuff would work around it (kdepim is reportedly also affected), but QtWebEngine is supposed to be backwards-compatible, so I will try to fix it in QtWebEngine.

See also https://bugreports.qt.io/browse/QTBUG-60565

jamatos commented & provided feedback 3 years ago

Yes, kdepim is affected:

$ kmail
kmail: relocation error: /lib64/libKF5MessageViewer.so.5: symbol free, version Qt_5 not defined in file libQt5WebEngineCore.so.5 with link time reference

crcinau commented & provided feedback 3 years ago

Agreed - I get the same issue with kmail:

$ kmail
kmail: relocation error: /lib64/libKF5MessageViewer.so.5: symbol free, version Qt_5 not defined in file libQt5WebEngineCore.so.5 with link time reference

I'm testing a fix now: http://pkgs.fedoraproject.org/cgit/rpms/qt5-qtwebengine.git/commit/?id=09a57d530ce6e89d75b43e1d73007b1b66a3bb8f but it will be a while until I have F26 builds ready to test.

kvolny commented & provided feedback 3 years ago

I've just hit the bug 1464883 too - shouldn't this be retracted from testing?

Well, I was hoping to just edit the update with a fixed build, but now there is a mysterious further issue: https://bugzilla.redhat.com/show_bug.cgi?id=1464883#c2

This update has been unpushed.

kkofler edited this update.

New build(s):

  • qt5-qtwebengine-5.9.0-4.fc26

Removed build(s):

  • qt5-qtwebengine-5.9.0-2.fc26

Karma has been reset.

3 years ago

This update has been submitted for testing by kkofler.

3 years ago

The new build should address the issue reported in the above comments (https://bugreports.qt.io/browse/QTBUG-61521), please retest.

crcinau commented & provided feedback 3 years ago

kmail seems to work ok with:

$ rpm -qa | grep qt5-qtwebengine
qt5-qtwebengine-5.9.0-4.fc26.x86_64

lupinix commented & provided feedback 3 years ago

Works fine so far

jamatos commented & provided feedback 3 years ago

Yes, it works both kdepim/kmail and qupzilla. :-)

g6avk commented & provided feedback 3 years ago

Fixes the above issues with Kmail/Qupzilla thanks.. so a +1

However an old issue and a new issue have appeared so I filed a bug report:

https://bugzilla.redhat.com/show_bug.cgi?id=1466028

This update has been pushed to testing.

3 years ago

This update has reached the stable karma threshold and can be pushed to stable now if the maintainer wishes.

3 years ago
lupinix commented & provided feedback 3 years ago

@kvolny: Cannot reproduce this bug, I use ctrl+f all day.

What I know is that Ctrl+f is not working right in plain text files even with QtWebEngine 5.8.0. So I don't think that that is a regression from this update.

It works even with plain text files for me. What do you mean by "not working right"?

I've had it just not do anything. But this is with the old 5.8.0, mind you.

This update has been submitted for stable by kkofler.

3 years ago

kkofler edited this update.

3 years ago

This update has been pushed to stable.

3 years ago


Metadata
Type: security
Severity: urgent
Karma: 4
Signed
Content Type: RPM
Test Gating

Settings
Unstable by Karma: -10
Stable by Karma: disabled
Stable by Time: disabled

Dates
submitted: 3 years ago
in testing: 3 years ago
in stable: 3 years ago
modified: 3 years ago

BZ#1466689 QtWebEngine: multiple security vulnerabilities fixed in 5.9.0