
Mageia 7 MGASA-2021-0200 Critical: QSslSocket Denial of Service

April 30, 2021
Updated qtbase5 packages for Mageia fix a significant vulnerability in QSslSocket that can lead to denial of service in TLS-enabled applications.

Summary

QSslSocket incorrectly calls SSL_shutdown() in OpenSSL mid-handshake, causing denial of service in TLS applications (CVE-2020-13962).

This update provides additional fixes:

- Check that the sizes are even representable when checking if clipping is necessary (P300)
- Multiply instead of shifting. The shift operator is undefined for negative values. (P301)
- Check returns of hex2int in get_hex_rgb. Avoids undefined behavior when trying to shift negative values. (P302)
- Sanitize lengthValue in CSS parser. Limit the LengthData to the integer range before rounding it, taking into account that qRound() subtracts 1 from negative values. (P303)
- QBezier: Don't try calculating a unit vector when length is null. It's undefined and causes a division by zero. (P304)
- Avoid potential UB in corrupt BMP file. biHeight may be int_min, in which case qAbs() will not work. (P305)
- wasm: disable XDG_RUNTIME_DIR warning. XDG is not very relevant on the Web platform. (P306)
- Use SOUR...


References

- https://bugs.mageia.org/show_bug.cgi?id=27218

- https://access.redhat.com/errata/RHSA-2020:4690

- https://www.cve.org/CVERecord?id=CVE-2020-13962

Resolution

SRPMS

- 7/core/qtbase5-5.12.6-4.2.mga7

Severity
critical

Publication date: 30 Apr 2021
URL: https://advisories.mageia.org/MGASA-2021-0200.html
Type: security
CVE: CVE-2020-13962
