[Development] WebSocket Module [CVE-2018-21035]

enstone83 at gmail.com enstone83 at gmail.com
Fri Mar 13 19:00:46 CET 2020


Hi,

I forwarded my message to the security team on Monday
(security at qt-project.org <mailto:security at qt-project.org>).
I didn't get any answer except this:

Your mail to 'Security' with the subject

     Fwd: Re: [Development] WebSocket Module [CVE-2018-21035]

Is being held until the list moderator can review it for approval.

The reason it is being held:

     Post by non-member to a members-only list

Either the message will get posted to the list, or you will receive
notification of the moderator's decision.  If you would like to cancel
this posting, please visit the following URL:

     https://lists.qt-project.org/confirm/security/11fd883d10074e8edcdd6a04e173199060299612


Your link says this:
Any issue reported to security at qt-project.org
<mailto:security at qt-project.org> should receive (at least) an
acknowledgment of receipt within 48 hours
Any issue reported should be triaged to determine the risk it poses to
end users of Qt within 96 hours of the initial report to
security at qt-project.org <mailto:security at qt-project.org>.

The 96-hour delay has expired.

What to do now?


On 09/03/2020 at 15:34, Mårten Nordheim wrote:
>
>
> On 09.03.2020 13:06, Sze Howe Koh wrote:
>> On Mon, 9 Mar 2020 at 19:11, <enstone83 at gmail.com> wrote:
>>> Hi,
>>>
>>> I provided a patch for CVE-2018-21035, present in the Qt5 WebSocket Module.
>>> However, apparently, since the patch adds a new API, it cannot go into
>>> Qt5.
>>>
>>> This vulnerability makes the Qt5 WebSocket module totally unusable
>>> in a non-trusted environment (like the Internet).
>>>
>>> Is there anything to do about it?
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2018-21035
>>> https://bugreports.qt.io/browse/QTBUG-70693
>>> https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735
>>
>> Hi,
>>
>> I suggest escalating this to the Security team for their attention
>> (see https://quips-qt-io.herokuapp.com/quip-0015-Security-Policy.html
>> ).
>>
>> On a related note, is Kurt Pattyn still the Maintainer for Qt
>> WebSockets [1]? He has been quiet on codereview.qt.io since May 2014
>> [2] and on GitHub since Feb 2019 [3].
>>
>
> Yes, Kurt still has the role.
>
> Mårten
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> https://lists.qt-project.org/listinfo/development