[Development] WebSocket Module [CVE-2018-21035]
enstone83 at gmail.com
enstone83 at gmail.com
Fri Mar 13 19:00:46 CET 2020
Hi,
I forwarded my message to the security team on Monday
(security at qt-project.org <mailto:security at qt-project.org>).
I didn't get any answer except this:
Your mail to 'Security' with the subject
Fwd: Re: [Development] WebSocket Module [CVE-2018-21035]
Is being held until the list moderator can review it for approval.
The reason it is being held:
Post by non-member to a members-only list
Either the message will get posted to the list, or you will receive
notification of the moderator's decision. If you would like to cancel
this posting, please visit the following URL:
https://lists.qt-project.org/confirm/security/11fd883d10074e8edcdd6a04e173199060299612
Your link says this:
Any issue reported to security at qt-project.org
<mailto:security at qt-project.org> should receive (at least) an
acknowledgment of receipt within 48 hours
Any issue reported should be triaged to determine the risk it poses to
end users of Qt within 96 hours of the initial report to
security at qt-project.org <mailto:security at qt-project.org>.
The 96 hours delay expired.
What to do now ?
Le 09/03/2020 à 15:34, Mårten Nordheim a écrit :
>
>
> On 09.03.2020 13:06, Sze Howe Koh wrote:
>> On Mon, 9 Mar 2020 at 19:11, <enstone83 at gmail.com> wrote:
>>> Hi,
>>>
>>> I provided a patch for CVE-2018-21035, present in Qt5 WebSocket Module.
>>> However apparently since the patch adds a new API it cannot go into
>>> Qt5.
>>>
>>> This vulnerability makes the Qt5 WebSocket module totally unusable for
>>> use in non-trusted environment (like Internet).
>>>
>>> Is there anything to do about it ?
>>>
>>> https://nvd.nist.gov/vuln/detail/CVE-2018-21035
>>> https://bugreports.qt.io/browse/QTBUG-70693
>>> https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735
>>
>> Hi,
>>
>> I suggest escalating this to the Security team for their attention
>> (see https://quips-qt-io.herokuapp.com/quip-0015-Security-Policy.html
>> ).
>>
>> On a related note, is Kurt Pattyn still the Maintainer for Qt
>> WebSockets [1]? He has been quiet on codereview.qt.io since May 2014
>> [2] and on GitHub since Feb 2019 [3].
>>
>
> Yes, Kurt still has the role.
>
> Mårten
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> https://lists.qt-project.org/listinfo/development
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/development/attachments/20200313/0b6bc7dc/attachment.html>
More information about the Development
mailing list