diff -Nru qtbase-opensource-src-5.15.3+dfsg/debian/changelog qtbase-opensource-src-5.15.3+dfsg/debian/changelog --- qtbase-opensource-src-5.15.3+dfsg/debian/changelog 2022-06-18 16:22:24.000000000 +0300 +++ qtbase-opensource-src-5.15.3+dfsg/debian/changelog 2022-08-10 11:37:53.000000000 +0300 @@ -1,3 +1,11 @@ +qtbase-opensource-src (5.15.3+dfsg-2ubuntu0.2) jammy-security; urgency=medium + + * SECURITY UPDATE: TLS 1.3 was not used on armhf. (LP: #1981807) + - debian/patches/openssl_set_options.diff: Update signature of + SSL_CTX_set_options for OpenSSL 3. Thanks Michael Saxl! + + -- Dmitry Shachnev Wed, 10 Aug 2022 11:37:53 +0300 + qtbase-opensource-src (5.15.3+dfsg-2ubuntu0.1) jammy; urgency=medium * Backport upstream patch to remove limit on the number of HTTP/2 streams. diff -Nru qtbase-opensource-src-5.15.3+dfsg/debian/patches/openssl_set_options.diff qtbase-opensource-src-5.15.3+dfsg/debian/patches/openssl_set_options.diff --- qtbase-opensource-src-5.15.3+dfsg/debian/patches/openssl_set_options.diff 1970-01-01 03:00:00.000000000 +0300 +++ qtbase-opensource-src-5.15.3+dfsg/debian/patches/openssl_set_options.diff 2022-08-10 11:36:51.000000000 +0300 
@@ -0,0 +1,79 @@
+Description: update function argument of SSL_CTX_set_options
+ openssl3 uses uint64_t for the options argument in SSL_CTX_set_options,
+ older ones used long.
+ sizeof(long) is not the same on any platform as sizeof(uint64_t)
+Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e995bfc0ea783c15
+ Backported for 5.15 by the patch author, Michael Saxl.
+Last-Update: 2022-08-07
+
+--- a/src/network/ssl/qsslcontext_openssl.cpp
++++ b/src/network/ssl/qsslcontext_openssl.cpp
+@@ -455,7 +455,7 @@ init_context:
+ }
+
+ // Enable bug workarounds.
+- long options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions);
++ qssloptions options = QSslSocketBackendPrivate::setupOpenSslOptions(configuration.protocol(), configuration.d->sslOptions);
+ q_SSL_CTX_set_options(sslContext->ctx, options);
+
+ // Tell OpenSSL to release memory early
+--- a/src/network/ssl/qsslsocket_openssl.cpp
++++ b/src/network/ssl/qsslsocket_openssl.cpp
+@@ -528,9 +528,9 @@ static void q_loadCiphersForConnection(S
+ // Defined in qsslsocket.cpp
+ void q_setDefaultDtlsCiphers(const QList &ciphers);
+
+-long QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions)
++qssloptions QSslSocketBackendPrivate::setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions)
+ {
+- long options;
++ qssloptions options;
+ if (protocol == QSsl::TlsV1SslV3)
+ options = SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3;
+ else if (protocol == QSsl::SecureProtocols)
+--- a/src/network/ssl/qsslsocket_openssl_p.h
++++ b/src/network/ssl/qsslsocket_openssl_p.h
+@@ -107,6 +107,12 @@
+
+ QT_BEGIN_NAMESPACE
+
++#if defined(OPENSSL_VERSION_MAJOR) && OPENSSL_VERSION_MAJOR >= 3
++typedef uint64_t qssloptions;
++#else
++typedef unsigned long qssloptions;
++#endif
++
+ struct QSslErrorEntry {
+ int code;
+ int depth;
+@@ -164,7 +170,7 @@ public:
+ QVector ocspErrors;
+ QByteArray ocspResponseDer;
+
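Review bot: The mask returned by `q_SSL_CTX_set_options(sslContext->ctx, options);` in the init_context hunk of qsslcontext_openssl.cpp is discarded, so a context that ends up without the requested option bits is never noticed. SSL_CTX_set_options returns the option mask after the update, so the result can be kept, `const qssloptions applied = q_SSL_CTX_set_options(sslContext->ctx, options);`, and a warning logged when `(applied & options) != options`. A check of this kind would likely have surfaced the argument-width mismatch this patch corrects instead of leaving it as a silent protocol-selection change. The enclosing function starts and ends outside the hunk.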
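Review bot: `setupOpenSslOptions` now returns `qssloptions`, but the only caller updated in this patch is the one in qsslcontext_openssl.cpp; any other caller that still assigns the result to a `long` would narrow the mask on 32-bit targets without a compile error. The declaration is `Q_AUTOTEST_EXPORT`, so autotests may be among those callers, which is worth confirming with a search before shipping. Separately, `qssloptions options;` is declared without an initializer and depends on the if/else chain, which continues outside the hunk, assigning on every path; `qssloptions options = 0;` removes that dependency.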
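Review bot: The `#else` branch of the new `qssloptions` typedef in qsslsocket_openssl_p.h is also taken when `OPENSSL_VERSION_MAJOR` is simply not defined at that point, for example if no OpenSSL header has been included before line 107, and then `unsigned long` is chosen silently even with OpenSSL 3; the includes are outside the hunk, so this cannot be confirmed from here. A guard directly above the `#if` makes that case loud: `#ifndef OPENSSL_VERSION_NUMBER` / `#error "OpenSSL version header must be included before qssloptions is defined"` / `#endif`. The width is also fixed at build time and reused by `DEFINEFUNC2(qssloptions, SSL_CTX_set_options, ...)` in qsslsocket_openssl_symbols.cpp and the prototype in qsslsocket_openssl_symbols_p.h, so if libssl is resolved at run time, a build against pre-3.0 headers that loads a 3.x library on a 32-bit target would still pass a 32-bit argument. I would add a comment on the typedef such as `// Must match the options type of the libssl actually loaded: unsigned long before 3.0, uint64_t from 3.0.` to record that constraint.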
+- Q_AUTOTEST_EXPORT static long setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions);
++ Q_AUTOTEST_EXPORT static qssloptions setupOpenSslOptions(QSsl::SslProtocol protocol, QSsl::SslOptions sslOptions);
+ static QSslCipher QSslCipher_from_SSL_CIPHER(const SSL_CIPHER *cipher);
+ static QList STACKOFX509_to_QSslCertificates(STACK_OF(X509) *x509);
+ static QList verify(const QList &certificateChain, const QString &hostName);
+--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
++++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
+@@ -157,7 +157,7 @@ DEFINEFUNC2(void, OPENSSL_sk_push, OPENS
+ DEFINEFUNC(void, OPENSSL_sk_free, OPENSSL_STACK *a, a, return, DUMMYARG)
+ DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return nullptr, return)
+ DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return)
+-DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return)
++DEFINEFUNC2(qssloptions, SSL_CTX_set_options, SSL_CTX *ctx, ctx, qssloptions op, op, return 0, return)
+ DEFINEFUNC(int, SSL_CTX_get_security_level, const SSL_CTX *ctx, ctx, return -1, return)
+ DEFINEFUNC2(void, SSL_CTX_set_security_level, SSL_CTX *ctx, ctx, int level, level, return, return)
+ #ifdef TLS1_3_VERSION
+--- a/src/network/ssl/qsslsocket_openssl_symbols_p.h
++++ b/src/network/ssl/qsslsocket_openssl_symbols_p.h
+@@ -244,7 +244,7 @@ Q_AUTOTEST_EXPORT void q_OPENSSL_sk_push
+ Q_AUTOTEST_EXPORT void q_OPENSSL_sk_free(OPENSSL_STACK *a);
+ Q_AUTOTEST_EXPORT void * q_OPENSSL_sk_value(OPENSSL_STACK *a, int b);
+ int q_SSL_session_reused(SSL *a);
+-unsigned long q_SSL_CTX_set_options(SSL_CTX *ctx, unsigned long op);
++qssloptions q_SSL_CTX_set_options(SSL_CTX *ctx, qssloptions op);
+ int q_OPENSSL_init_ssl(uint64_t opts, const OPENSSL_INIT_SETTINGS *settings);
+ size_t q_SSL_get_client_random(SSL *a, unsigned char *out, size_t outlen);
+ size_t q_SSL_SESSION_get_master_key(const SSL_SESSION *session, unsigned 
char *out, size_t outlen); diff -Nru qtbase-opensource-src-5.15.3+dfsg/debian/patches/series qtbase-opensource-src-5.15.3+dfsg/debian/patches/series --- qtbase-opensource-src-5.15.3+dfsg/debian/patches/series 2022-06-18 16:21:27.000000000 +0300 +++ qtbase-opensource-src-5.15.3+dfsg/debian/patches/series 2022-08-10 11:37:13.000000000 +0300 @@ -15,6 +15,7 @@ CVE-2022-25255.diff gcc-11-qtconcurrentthreadengine.diff moc_handle_include.diff +openssl_set_options.diff # Debian specific. gnukfreebsd.diff