2015-04-27 08:14:46 |
Jonathan Riddell |
bug |
|
|
added bug |
2015-04-27 08:18:19 |
Jonathan Riddell |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2015-04-27 08:18:50 |
Jonathan Riddell |
nominated for series |
|
Ubuntu Vivid |
|
2015-04-27 08:18:50 |
Jonathan Riddell |
bug task added |
|
quassel (Ubuntu Vivid) |
|
2015-04-27 08:18:50 |
Jonathan Riddell |
nominated for series |
|
Ubuntu W-series |
|
2015-04-27 08:18:50 |
Jonathan Riddell |
bug task added |
|
quassel (Ubuntu W-series) |
|
2015-04-27 12:44:02 |
Scott Kitterman |
quassel (Ubuntu Vivid): status |
New |
Fix Committed |
|
2015-04-27 12:44:05 |
Scott Kitterman |
bug |
|
|
added subscriber SRU Verification |
2015-04-27 12:44:08 |
Scott Kitterman |
tags |
|
verification-needed |
|
2015-04-27 22:15:11 |
Tyler Hicks |
bug |
|
|
added subscriber Ubuntu Security Team |
2015-05-01 16:42:10 |
Felix Geyer |
cve linked |
|
2015-3427 |
|
2015-05-01 16:44:14 |
Felix Geyer |
nominated for series |
|
Ubuntu Utopic |
|
2015-05-01 16:44:14 |
Felix Geyer |
bug task added |
|
quassel (Ubuntu Utopic) |
|
2015-05-01 16:44:14 |
Felix Geyer |
nominated for series |
|
Ubuntu Trusty |
|
2015-05-01 16:44:14 |
Felix Geyer |
bug task added |
|
quassel (Ubuntu Trusty) |
|
2015-05-01 17:22:48 |
Felix Geyer |
cve linked |
|
2015-2778 |
|
2015-05-01 17:22:48 |
Felix Geyer |
cve linked |
|
2015-2779 |
|
2015-05-01 17:22:48 |
Felix Geyer |
attachment added |
|
quassel_0.10.0-0ubuntu2.2.debdiff https://bugs.launchpad.net/ubuntu/+source/quassel/+bug/1448911/+attachment/4389171/+files/quassel_0.10.0-0ubuntu2.2.debdiff |
|
2015-05-01 17:23:01 |
Felix Geyer |
attachment added |
|
quassel_0.10.1-0ubuntu1.2.debdiff https://bugs.launchpad.net/ubuntu/+source/quassel/+bug/1448911/+attachment/4389172/+files/quassel_0.10.1-0ubuntu1.2.debdiff |
|
2015-05-01 17:23:13 |
Felix Geyer |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2015-05-04 15:26:40 |
Jonathan Riddell |
description |
Bug fixed in 0.12.2 is an old CVE that re-occurred:
Previously, the initDbSession() function would only be run on the
initial connect. Since the initDbSession() code in PostgreSQL is
used to fix the CVE-2013-4422 SQL Injection bug, this means that
Quassel was still vulnerable to that CVE if the PostgreSQL server
is restarted or the connection is lost at any point while Quassel
is running.
This bug also causes the Qt5 psql timezone fix to stop working
after a reconnect.
The fix is to disable Qt's automatic reconnecting, check the
connection status ourselves, and reconnect if necessary, executing
the initDbSession() function afterward.
https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283 |
Bug fixed in 0.12.2 is an old CVE that re-occurred:
Previously, the initDbSession() function would only be run on the
initial connect. Since the initDbSession() code in PostgreSQL is
used to fix the CVE-2013-4422 SQL Injection bug, this means that
Quassel was still vulnerable to that CVE if the PostgreSQL server
is restarted or the connection is lost at any point while Quassel
is running.
This bug also causes the Qt5 psql timezone fix to stop working
after a reconnect.
The fix is to disable Qt's automatic reconnecting, check the
connection status ourselves, and reconnect if necessary, executing
the initDbSession() function afterward.
https://github.com/quassel/quassel/commit/6605882f41331c80f7ac3a6992650a702ec71283
TEST CASE:
15:22 < mamarley> Yeah, restart PostgreSQL and do something that will cause backlog messages to be recorded. Then, restart the quasselclient and make sure those backlog messages have the correct timestamp. |
|
2015-05-04 15:57:45 |
Jonathan Riddell |
tags |
verification-needed |
verification-done |
|
2015-05-04 16:18:45 |
Launchpad Janitor |
quassel (Ubuntu Vivid): status |
Fix Committed |
Fix Released |
|
2015-05-04 19:05:26 |
Steve Beattie |
quassel (Ubuntu Trusty): status |
New |
In Progress |
|
2015-05-04 19:05:29 |
Steve Beattie |
quassel (Ubuntu Utopic): status |
New |
In Progress |
|
2015-05-04 19:05:32 |
Steve Beattie |
quassel (Ubuntu Trusty): assignee |
|
Steve Beattie (sbeattie) |
|
2015-05-04 19:05:34 |
Steve Beattie |
quassel (Ubuntu Utopic): assignee |
|
Steve Beattie (sbeattie) |
|
2015-05-04 23:30:26 |
Launchpad Janitor |
quassel (Ubuntu Trusty): status |
In Progress |
Fix Released |
|
2015-05-04 23:30:26 |
Launchpad Janitor |
cve linked |
|
2013-4422 |
|
2015-05-04 23:36:11 |
Launchpad Janitor |
quassel (Ubuntu Utopic): status |
In Progress |
Fix Released |
|
2015-05-05 08:29:49 |
Steve Beattie |
quassel (Ubuntu Wily): status |
New |
Fix Released |
|
2015-05-24 10:13:17 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/trusty-security/quassel |
|
2015-05-24 10:13:20 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/utopic-security/quassel |
|