Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
cve-2023-34410-57ba626.diff | [PATCH] Ssl: Copy the on-demand cert loading bool from default config Otherwise individual sockets will still load system certificates when a chain doesn't match against the configured CA certificates. That's not intended behavior, since specifically setting the CA certificates means you don't want the system certificates to be used. Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a This is potentially a breaking change because now, if you ever add a CA to the default config, it will disable loading system certificates on demand for all sockets. And the only way to re-enable it is to create a null-QSslConfiguration and set it as the new default. | Mårten Nordheim <marten.nordheim@qt.io> | no | | | 2023-05-25 |
cve-2023-34410-ada2c57.diff | [PATCH] Schannel: Reject certificate not signed by a configured CA certificate Not entirely clear why, but when building the certificate chain for a peer the system certificate store is searched for root certificates. General expectation is that after calling `sslConfiguration.setCaCertificates()` the system certificates will not be taken into consideration. To work around this behavior, we do a manual check that the root of the chain is part of the configured CA certificates. | Mårten Nordheim <marten.nordheim@qt.io> | no | | | 2023-05-10 |
cve-2023-32762.diff | | | no | | | |
cve-2023-32763.diff | | | no | | | |
cve-2023-33285.diff | diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp index 75f7c6c440..de0113494f 100644 | | no | | | |
upstream_Add-HPPA-detection.patch | [PATCH] Add HPPA detection - detect the HPPA architecture (PA-RISC) and define Q_PROCESSOR_HPPA - set the right machine type in QElfParser for HPPA ELF files | Pino Toscano <toscano.pino@tiscali.it> | no | | | 2022-10-06 |
upstream_Add-M68k-detection.patch | [PATCH] Add M68k detection - detect the M68k architecture (Motorola 68000) and define Q_PROCESSOR_M68K - set the right machine type in QElfParser for M68k ELF files | Pino Toscano <toscano.pino@tiscali.it> | no | | | 2022-10-06 |
cve-2023-24607.patch | Fix CVE-2023-24607 CVE-2023-24607 can trigger a DOS with a specifically crafted string, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031871. This patch https://codereview.qt-project.org/c/qt/qtbase/+/456216, https://codereview.qt-project.org/c/qt/qtbase/+/457637 and https://codereview.qt-project.org/c/qt/qtbase/+/457937 See: https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin | | not-needed | | | |
remove_privacy_breaches.diff | remove non-used privacy-breach code This code makes Lintian unhappy. But we are really not using it, it only gets inserted when building the online doc. Anyways the best way to calm down Lintian is to simply remove it. | Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> | not-needed | | | 2015-02-18 |
build_path_embedded_qtbuildinternalsextra_cmake.patch | [PATCH] cmake/QtBuildInternalsExtra.cmake.in: Patch out embedded build path. The original build path should not be needed in the shipped package, and causes reproducibility issues when built in different paths. https://reproducible-builds.org/docs/build-path/ | Vagrant Cascadian <vagrant@reproducible-builds.org> | no | | | 2022-02-25 |
cross.patch | | | no | | | |
force_shared_libzstd.patch | force the usage of the shared libzstd library. The library provides both versions, and the original code prefers the static version over the shared, while on Debian it should always use the shared version. | Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> | not-needed | | upstream | |
armel-noyield.patch | Don't use yield on CPUs that might not support it | | no | | | |