From me at the-compiler.org Fri Nov 1 20:36:50 2019 From: me at the-compiler.org (Florian Bruhin) Date: Fri, 1 Nov 2019 20:36:50 +0100 Subject: [qutebrowser-announce] Chromium Zero-days (CVE-2019-13720 and -13721) Message-ID: <20191101193650.f227m2ej2np6nugk@hooch.localdomain> Hi, There's currently news going around of two Chromium Zero-Days, one of them being actively exploited in the wild: https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html qutebrowser likely is unaffected by the PDFium one (as it disables the PDF viewer, even with Qt 5.13). It's likely affected by the WebAudio one though, and I don't see a way to turn WebAudio off (other than disabling JS). Fixes for both will land in Qt 5.12.6 and 5.14.0 (there likely isn't going to be a 5.13.3). I've also reported this to Arch and a fix landed in qt5-webengine 5.13.1-3 (and 5.13.2-2 in [testing]). Florian -- https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From me at the-compiler.org Fri Nov 1 20:42:59 2019 From: me at the-compiler.org (Florian Bruhin) Date: Fri, 1 Nov 2019 20:42:59 +0100 Subject: [qutebrowser-announce] Chromium Zero-days (CVE-2019-13720 and -13721) In-Reply-To: <20191101193650.f227m2ej2np6nugk@hooch.localdomain> References: <20191101193650.f227m2ej2np6nugk@hooch.localdomain> Message-ID: <20191101194259.iezdpiywieipu4ox@hooch.localdomain> On Fri, Nov 01, 2019 at 08:36:56PM +0100, Florian Bruhin wrote: > I've also reported this to Arch and a fix landed in qt5-webengine 5.13.1-3 > (and 5.13.2-2 in [testing]). Sorry, the fix is not in 5.13.1-3 - only in 5.13.2-2 which I suppose will make it out of [testing] soon. If you happen to be using my qt5-debug packages, I'm building a 5.13.1-3.1 with the fix. Florian -- https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From me at the-compiler.org Mon Nov 18 22:09:15 2019 From: me at the-compiler.org (Florian Bruhin) Date: Mon, 18 Nov 2019 22:09:15 +0100 Subject: [qutebrowser-announce] qutebrowser meetup Berlin Message-ID: <20191118210915.44duiiglxukrpt4v@hooch.localdomain> Hey! I'm currently in Berlin (mainly to meet Qt/QtWebEngine people at Qt {World, Contributors} Summit). I'd love to also meet some qutebrowser users here! :) I opened a date poll for a meetup: https://dudle.inf.tu-dresden.de/qb-berlin/ Florian -- https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From me at the-compiler.org Fri Nov 22 19:04:26 2019 From: me at the-compiler.org (Florian Bruhin) Date: Fri, 22 Nov 2019 19:04:26 +0100 Subject: [qutebrowser-announce] qutebrowser v1.8.2 released! Message-ID: <20191122180426.vc473er7y57odebj@hooch.localdomain> Hey, I'm happy to announce that I just released qutebrowser v1.8.2. The main aim behind the release is bundling Qt 5.12.6 for macOS/Windows, which comes with important Chromium security fixes. However, I also cherry-picked some bugfixes from master: Changed ~~~~~~~ - Windows/macOS releases now ship with Qt 5.12.6. This includes security fixes up to Chromium 77.0.3865.120 plus a security fix for CVE-2019-13720 from Chromium 78. Fixed ~~~~~ - Unbinding keys via `config.bind(key, None)` accidentally worked in v1.7.0 but raises an exception in v1.8.0. It now works again, but is deprecated and shows an error. Note that `:config-py-write` did write such invalid lines before v1.8.0, so existing config files might need adjustments. - The `readability-js` userscript now handles encodings correctly (which it didn't before for some websites). - can now be used to paste text starting with a hyphen. - Following hints via the number keypad now works properly again. - Errors while reading the state file are now displayed instead of causing a crash. - Crash when using `:debug-log-level` without a console attached. - Downloads are now hidden properly when the browser is in fullscreen mode. - Crash when setting `colors.webpage.bg` to an empty value with QtWebKit. - Crash when the history database file is not a proper sqlite database. - Workaround for missing/broken error pages on Debian. - A deprecation warning (caused by pywin32) about the imp module on Windows is now hidden. Florian -- https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: From me at the-compiler.org Fri Nov 22 20:51:58 2019 From: me at the-compiler.org (Florian Bruhin) Date: Fri, 22 Nov 2019 20:51:58 +0100 Subject: [qutebrowser-announce] qutebrowser meetup Berlin (2019-11-28) Message-ID: <20191122195158.jv6ssejajy6w4x32@hooch.localdomain> Hey! Like you might already know, I'm currently in Berlin - I've met with Qt/QtWebEngine developers at Qt Contributors Summit and had some very interesting development discussions there. You can find some writeups here: https://wiki.qt.io/Category:QtCS2019 Next Thursday (28th) I'd like to have a small qutebrowser user meetup here :) We'll meet at 19:00 in the AfRA Hackerspace in Berlin Lichtenberg: https://afra-berlin.de/dokuwiki/doku.php?id=en:start See (some of) you there, hopefully! Florian -- https://www.qutebrowser.org | me at the-compiler.org (Mail/XMPP) GPG: 916E B0C8 FD55 A072 | https://the-compiler.org/pubkey.asc I love long mails! | https://email.is-not-s.ms/ -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: