[SECURITY] Fedora 27 Update: qutebrowser-1.4.1-1.fc27

-------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2018-35325c9faf 2018-07-19 17:46:53.575353 -------------------------------------------------------------------------------- Name : qutebrowser Product : Fedora 27 Version : 1.4.1 Release : 1.fc27 URL : http://www.qutebrowser.org Summary : A keyboard-driven, vim-like browser based on PyQt5 and QtWebEngine Description : qutebrowser is a keyboard-focused browser with a minimal GUI. It���s based on Python, PyQt5 and QtWebEngine and free software, licensed under the GPL. It was inspired by other browsers/addons like dwb and Vimperator/Pentadactyl. -------------------------------------------------------------------------------- Update Information: This update fix CVE-2018-10895 **[0]** and a few minor bugs. **[0]** : Due to a CSRF vulnerability affecting the `qute://settings` page, it was possible for websites to modify qutebrowser settings. Via settings like `editor.command`, this possibly **allowed websites to execute arbitrary code**. ---- This version fix compatibility issues with qtwebengine 5.11.x, add support for page printing, tab muting, third-party cookie blocking and has the web inspector "enabled" (does not require `--enable-webengine-inspector`) by default. It also ships a few bugfixes and changes. -------------------------------------------------------------------------------- ChangeLog: * Wed Jul 11 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.4.1-1 - Rebase to 1.4.1 - Remove patch introduced in 1.4.0-2, since included in upstream release 1.4.1 * Tue Jul 10 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.4.0-2 - Patch critical CSRF issues with qute://settings/set URL, leading to arbitrary code exexution. * Tue Jul 3 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.4.0-1 - Rebase to 1.4.0 * Mon Jul 2 2018 Miro Hron��ok <mhroncok(a)redhat.com&gt; - 1.3.3-2 - Rebuilt for Python 3.7 * Fri Jun 22 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.3.3-1 - Rebase to 1.3.3 * Tue Jun 19 2018 Miro Hron��ok <mhroncok(a)redhat.com&gt; - 1.3.2-2 - Rebuilt for Python 3.7 * Tue Jun 12 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.3.2-1 - Rebase to 1.3.2 * Tue May 29 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.3.1-1 - Rebase to 1.3.1 * Fri May 4 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.3.0-1 - Rebase to 1.3.0 * Tue Mar 20 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.2.1-1 - Rebase to 1.2.1 * Mon Mar 12 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.2.0-1 - Rebase to 1.2.0 * Mon Mar 5 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.1.2-1 - Rebase to 1.1.2 * Fri Feb 9 2018 Fedora Release Engineering <releng(a)fedoraproject.org&gt; - 1.1.1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild * Sun Jan 21 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.1.1-1 - Rebase to 1.1.1 * Thu Jan 18 2018 Igor Gnatenko <ignatenkobrain(a)fedoraproject.org&gt; - 1.1.0-2 - Remove obsolete scriptlets * Mon Jan 15 2018 Timoth��e Floure <fnux(a)fedoraproject.org&gt; - 1.1.0-1 - Rebase to 1.1.0 * Tue Nov 28 2017 Timoth��e Floure <timothee.floure(a)fnux.ch&gt; - 1.0.4-1 - Rebase to 1.0.4 * Tue Nov 14 2017 Timoth��e Floure <timothee.floure(a)fnux.ch&gt; - 1.0.3-2 - Fix typos in some (weak) Qt dependencies * Tue Nov 7 2017 Timoth��e Floure <timothee.floure(a)fnux.ch&gt; - 1.0.3-1 - Rebase to 1.0.3 - Fix dependency issue for architectures unsupported by qt5-qtwebengine * Fri Oct 20 2017 Timoth��e Floure <timothee.floure(a)fnux.ch&gt; - 1.0.2-1 - Rebase to 1.0.2 - Remove the deprecated Group tag - Add the python3-attrs dependency - Adapt the descriptions and dependencies to the QtWebEngine backend (new default) - Doc tag: do not package the PKG-INFO file anymore - Doc tag: package the full HTML documentation instead of sparse asciidoc files -------------------------------------------------------------------------------- References: [ 1 ] Bug #1600289 - CVE-2018-10895 qutebrowser: Cross-site request forgery flaw allows sites to access 'qute://*' URLs and execute arbitrary code [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1600289 -------------------------------------------------------------------------------- This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2018-35325c9faf' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys --------------------------------------------------------------------------------