CVEs Detected in Qt 6.10.2 by Mend (Whitesource) scan

    BabuP
    #1

    I recently used Mend to scan Qt version 6.10.2 for vulnerabilities; the scan flagged over 200 vulnerabilities, including:

    QT 6.10.2 (CVE-2023-2804)
    minimatch (CVE-2022-3517)
    lodash-es (CVE-2020-28500)
    qs (CVE-2026-2391)
    body-parser (CVE-2024-45590)
    karma (CVE-2022-0437)
    and so on...

    I would like to understand how Qt addresses such issues and what actions, if any, should be taken.

    1. Are there plans to patch or update these affected third-party libraries in future Qt releases?
    2. What is Qt’s policy for monitoring and addressing CVEs discovered in third-party dependencies?
    3. Do we have guidance on the above-mentioned components, for example whether they are included in the runtime distribution of Qt, or are they only used during build or testing?
    4. Are there any temporary mitigations or workarounds we should apply while waiting for official updates?
    5. Is it safe to remove or replace these components with patched versions of them without breaking Qt’s functionality?

    Any information would be greatly appreciated.

    SGaist
      Lifetime Qt Champion
      #2

      Hi and welcome to devnet,
      AFAIK:

      1. Vulnerabilities are treated seriously and patched. Note that sometimes the vulnerability might be in a part not included within Qt's sources, in which case it might not necessarily make sense to patch the included copy urgently.
      2. CVEs are monitored and dependencies are updated.
      3. I am not sure I understand what you mean there.
      4. If the issue affects you directly, I would say build the module/plugin you need the patch for.
      5. Remove? How would you do that? As with any replacement, you need to test.

      How did you run the scan?
      Typically on Linux distributions, Qt is built against system libraries rather than the ones embedded, so you might be getting these flagged.

      Interested in AI ? www.idiap.ch
      Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct

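As an added example (not code from this thread, from Mend or from Qt), a first-pass triage of such a finding list along the lines SGaist suggests: it sorts each finding by where the matched manifest sits in the source tree (test or example directory, bundled src/3rdparty library, npm manifest) and, for a bundled library, by whether the build's system_<lib> configure feature means the distro copy is linked instead. The findings, paths and the feature-name convention are assumptions made for the example; the zlib CVE id is a placeholder.

```python
# Triage of dependency-scanner findings for a Qt source tree (added example).
# Assumes the scanner reports the manifest path it matched, relative to the
# source root, and that Qt exposes a "system_<lib>" feature for bundled libs
# in src/3rdparty (e.g. system_zlib) when the system copy is used instead.
import re
from typing import NamedTuple

class Finding(NamedTuple):
    component: str
    cve: str
    manifest: str  # path the scanner matched, relative to the source root

# Manifests of JavaScript packages: these are never linked into the compiled
# Qt libraries, so they only matter where that JavaScript is itself deployed.
NPM_MANIFESTS = ("package.json", "package-lock.json", "yarn.lock")
# Directories that are not part of an installed Qt runtime.
NON_RUNTIME_DIRS = ("tests/", "examples/")

def classify(f: Finding, system_features: set[str]) -> str:
    """Return a triage bucket for one finding; system_features holds the
    enabled configure features of this build, e.g. {"system_zlib"}."""
    path = f.manifest.replace("\\", "/")
    if any(seg in path for seg in NON_RUNTIME_DIRS):
        return "build/test tooling only"
    m = re.search(r"src/3rdparty/([^/]+)/", path)
    if m:
        lib = m.group(1)
        if f"system_{lib}" in system_features:
            return f"bundled {lib} unused, system copy linked"
        return f"bundled {lib} compiled into Qt, needs patch"
    if path.endswith(NPM_MANIFESTS):
        return "JavaScript dependency, check deployment"
    return "unknown, inspect manually"

def triage(findings: list[Finding], system_features: set[str]) -> dict[str, str]:
    """Map each finding's CVE id to its triage bucket."""
    return {f.cve: classify(f, system_features) for f in findings}

# Constructed sample findings; paths are hypothetical, CVE ids for the npm
# packages are the ones quoted in the question, the zlib id is a placeholder.
SAMPLE_FINDINGS = [
    Finding("karma", "CVE-2022-0437", "module_a/tests/auto/webtest/package.json"),
    Finding("minimatch", "CVE-2022-3517", "module_a/tests/auto/webtest/package-lock.json"),
    Finding("lodash-es", "CVE-2020-28500", "module_b/src/webui/package.json"),
    Finding("zlib", "CVE-XXXX-XXXX", "qtbase/src/3rdparty/zlib/zlib.h"),
]

if __name__ == "__main__":
    for cve, bucket in triage(SAMPLE_FINDINGS, {"system_zlib"}).items():
        print(f"{cve}: {bucket}")
```

Rerun with an empty feature set to see the bundled zlib finding switch to "needs patch", which is the case on builds that do not use the system library.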