From me at the-compiler.org Sun Jun 10 16:35:55 2018
From: me at the-compiler.org (Florian Bruhin)
Date: Sun, 10 Jun 2018 16:35:55 +0200
Subject: [qutebrowser-announce] qutebrowser v1.3.2 released!
Message-ID: <20180610143555.t462sqvbe4tcjvxu@hooch.localdomain>

Hey,

I'm happy to announce that I just released qutebrowser v1.3.2 with some more
(and improved) workarounds for Qt 5.11 bugs, plus some other bugfixes:

- QtWebEngine: Improved workaround for a bug in Qt 5.11 where only the
  top/bottom half of the window is used.
- QtWebEngine: Work around a bug in Qt 5.11 where an endless loading-loop is
  triggered when clicking a link with an unknown scheme.
- QtWebEngine: When switching between pages with changed settings, less
  unnecessary reloads are done now.
- QtWebEngine: It's now possible to open external links such as `magnet://`
  or `mailto:` via hints.

Enjoy! A v1.4.0 with new features (and Qt 5.11 bundled for Windows/macOS) will
hopefully follow in around two weeks, once PyQt 5.11 is released.

Florian

--
https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP)
GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc
I love long mails! | https://email.is-not-s.ms/

From me at the-compiler.org Fri Jun 22 00:51:04 2018
From: me at the-compiler.org (Florian Bruhin)
Date: Fri, 22 Jun 2018 00:51:04 +0200
Subject: [qutebrowser-announce] qutebrowser v1.3.3 released (security update!)
Message-ID: <20180621225104.lw47qx2t7zbevylm@hooch.localdomain>

Hey,

I've just released qutebrowser v1.3.3, which fixes an XSS vulnerability on the
qute://history page (:history).

The vulnerability allowed websites to inject HTML into the page via a crafted
title tag. This could allow them to steal your browsing history. If you're
currently unable to upgrade, avoid using :history.

A CVE request for this issue is pending, I'll send out another mail once
there's a CVE ID assigned.

The issue was introduced in March 2017 and part of the v0.11.0 release:

https://github.com/qutebrowser/qutebrowser/commit/845f21b275bf438eccd7854f7f5401233ec6719a
https://github.com/qutebrowser/qutebrowser/commit/1179ee7a937fb31414d77d9970bac21095358449

The patch applies cleanly to v1.2.x and v1.1.x (but I do not plan to do any
updated releases of those):

https://github.com/qutebrowser/qutebrowser/commit/5a7869f2feaa346853d2a85413d6527c87ef0d9f.patch

It does *not* apply to v1.0.x and v0.11.x. If you need a backport, please let
me know, but especially on v0.11.x you'll probably have a lot of other security
issues due to an outdated QtWebKit anyways.

I plan to release v1.4.0 later this week (once PyQt 5.11 is out), but since the
bug was opened publicly, I decided to do an immediate bugfix release.

As a reminder, for security-relevant bugs, please contact me directly at
mail at qutebrowser.org.

Other bugfixes in this release:

- Crash in a workaround for a Qt 5.11 bug in rare circumstances.
- Workaround for a Qt bug which preserves searches between page loads.
- In v1.3.2 a dependency on the `PyQt5.QtQuickWidgets` module was accidentally
  introduced. Since that module isn't packaged everywhere, it's been removed
  again.

Sorry for the trouble!

Florian

From me at the-compiler.org Tue Jun 26 21:10:47 2018
From: me at the-compiler.org (Florian Bruhin)
Date: Tue, 26 Jun 2018 21:10:47 +0200
Subject: [qutebrowser-announce] qutebrowser v1.3.3 released (security update!)
In-Reply-To: <20180621225104.lw47qx2t7zbevylm@hooch.localdomain>
References: <20180621225104.lw47qx2t7zbevylm@hooch.localdomain>
Message-ID: <20180626191047.3uqp3l535t6i5idd@hooch.localdomain>

On Fri, Jun 22, 2018 at 12:51:04AM +0200, Florian Bruhin wrote:
> A CVE request for this issue is pending, I'll send out another mail once
> there's a CVE ID assigned.

This issue has been assigned CVE-2018-1000559:
https://nvd.nist.gov/vuln/detail/CVE-2018-1000559

Florian
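
Added example (not part of the mails above and not qutebrowser's own code): the v1.3.3 mail describes a page title being injected as HTML into qute://history. The sketch below shows that class of bug with a hypothetical history template, first unescaped and then escaped, plus a check that flags any tag the template itself never emits. The function names, the row format and the sample titles are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed history rows (url, title). The second title carries markup,
# standing in for a page whose <title> was chosen by the site.
ROWS = [
    ("https://example.org/", "Example Domain"),
    ("https://example.net/", '</a><b id="injected">x</b>'),
]


def render_unsafe(rows):
    """'Before' form: the title is pasted into the markup as-is."""
    return "".join(f'<li><a href="{url}">{title}</a></li>' for url, title in rows)


def render_escaped(rows):
    """Hardened form: every untrusted field is HTML-escaped on output."""
    return "".join(
        f'<li><a href="{html.escape(url, quote=True)}">{html.escape(title)}</a></li>'
        for url, title in rows
    )


class TagCollector(HTMLParser):
    """Records each start tag the parser sees in the rendered page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(page, allowed=("li", "a")):
    """Return tags present in the page that the template never emits."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return [t for t in collector.tags if t not in allowed]


if __name__ == "__main__":
    print("unescaped:", unexpected_tags(render_unsafe(ROWS)))
    print("escaped:  ", unexpected_tags(render_escaped(ROWS)))
```

A check like `unexpected_tags` can be kept as a regression test for any internal page that renders site-controlled strings.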