====================================================================
                           CERT-Renater

                Information Note No. 2018/VULN424
_____________________________________________________________________

DATE                 : 28/12/2018

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Qt versions prior to 5.11.3.

=====================================================================
https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
https://blog.qt.io/blog/2018/12/06/qt-5-12-lts-released/
_____________________________________________________________________

Qt 5.11.3 Released with Important Security Updates

Published Tuesday December 4th, 2018

Qt 5.11.3 is released today. As a patch release it does not add any new
functionality, but provides important bug fixes, security updates and
other improvements.

Compared to Qt 5.11.2, the Qt 5.11.3 release provides fixes for over 100
bugs and it contains around 300 changes in total. For details of the most
important changes, please check the Change files of Qt 5.11.3.

Qt 5.11.3 contains the following important security fixes:

  CVE-2018-15518, Qt Base: “double free or corruption” in QXmlStreamReader
  CVE-2018-19873, Qt Base: QBmpHandler segfault on malformed BMP file
  CVE-2018-19870, Qt Base: Check for QImage allocation failure in qgifhandler
  CVE-2018-19871, Qt Imageformats: QImage: QTgaFile CPU exhaustion
  CVE-2018-19865, Qt Virtual Keyboard: Qt Virtual Keyboard logs all key presses
  CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference

All these security fixes are included in the upcoming Qt 5.12.0 release.
Qt 5.9.7 released earlier contains all the fixes, except the one for
virtual keyboard, which is available as a set of patches here, here and
here. Qt 5.6.3 release can be patched with these security fixes available
here, here, here, here, here, here, here and here.

Qt 5.11.3 is the last release of the Qt 5.11.x series. The 5.11 branch is
now closed.
All bug fixes go into Qt 5.12 and the most important ones are cherry
picked into Qt 5.9 LTS.

The recommended way for getting Qt 5.11.3 is using the maintenance tool
of the online installer. For new installations, please download the
latest online installer from Qt Account portal (commercial license
holders) or from qt.io Download page (open source). Offline packages are
also available for those who can’t use the online installer.

____________________________________________________________________

Qt 5.12 LTS Released

Published Thursday December 6th, 2018

Just in time for the end of the year, we have released Qt 5.12 LTS today.
This is a long-term-supported (LTS) release that we will support for 3
years to come. We have had a strong focus on quality and fixed more than
2000 bugs since the last Qt LTS version, Qt 5.9.7 – make that over 5000
bugfixes since Qt 5.6.3. Of course, this is only the start, and we will
work hard on continuously improving the quality of Qt 5.12 in upcoming
patches.

Speaking about which, we have improved Qt’s performance and memory
consumption, especially within the area of Qt 3D and the QML engine.

But like all major Qt releases, Qt 5.12 LTS also includes a lot of new
features. Let’s have a look at some of them.

New modules and platforms

I’m really happy to announce that we will now fully support Qt for
Python, making all of the Qt APIs available to Python developers. The
tech preview is currently available for you to test, while the official
release will follow shortly after Qt 5.12. Qt for Python originates from
the PySide project that we have been hosting on qt-project.org for many
years. Qt for Python supports most of Qt’s C++ APIs and makes them
accessible to Python programmers. In short: Python developers now can
also create complex graphical applications and user interfaces. You can
find more details in the Qt for Python blog posts.

===============================================================
+ CERT-RENATER        | tel : 01-53-94-20-44                  +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41                  +
+ 75013 Paris         | email: cert@support.renater.fr        +
===============================================================