Bug#855048: qgis: Ships an unsupported copy of QtWebkit in public Python path without any transition

Raphaël Hertzog hertzog at debian.org
Mon Feb 13 14:57:43 UTC 2017


Source: qgis
Version: 2.14.11+dfsg-1
Severity: serious
Tags: security
User: devel at kali.org
Usertags: origin-kali

python-qt4 dropped support for QtWebkit because it was not
possible to provide security support for it (cf #784514). You disabled
that support in response to that bug.

But later you decided to re-enable it using an embedded copy; the net
result is that python-qgis is now shipping files that used to be
shipped by python-qt4:
/usr/lib/python2.7/dist-packages/PyQt4/QtWebKit.x86_64-linux-gnu.so

There are two problems:

1/ the upgrade is not safe, you can have conflicts with python-qt4 if
python-qgis is upgraded before python-qt4 (even more likely in Kali
where we kept QtWebkit a while longer in python-qt4)

2/ if QtWebkit cannot be supported in python-qt4, it also cannot be
supported in python-qgis

IMO you should disable that embedded copy usage or at least get a prior
ack from the security team.

Cheers,

-- System Information:
Debian Release: 9.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
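
The check behind problem 1/, as an added example that is not part of the original report: it looks for regular files shipped by two packages where neither declares Replaces on the other, which is the situation that makes dpkg refuse to unpack depending on upgrade order. The file lists and the `unsafe_overlaps` and `relation_names` helpers are constructed for illustration; only the QtWebKit path and the two package names come from the report, and the check ignores version constraints.

```python
import re
from itertools import combinations

# Path quoted in the bug report.
PAGE_PATH = "/usr/lib/python2.7/dist-packages/PyQt4/QtWebKit.x86_64-linux-gnu.so"

# Constructed sample in the shape of /var/lib/dpkg/info/<pkg>.list plus the
# Replaces control field. It models a python-qt4 that still ships QtWebKit.
SAMPLE = {
    "python-qt4": {
        "files": ["/usr/lib/python2.7/dist-packages/PyQt4",
                  "/usr/lib/python2.7/dist-packages/PyQt4/QtCore.so",  # constructed
                  PAGE_PATH],
        "Replaces": "",
    },
    "python-qgis": {
        "files": ["/usr/lib/python2.7/dist-packages/PyQt4",
                  PAGE_PATH,
                  "/usr/lib/python2.7/dist-packages/qgis/__init__.py"],  # constructed
        "Replaces": "",
    },
}

def relation_names(field):
    """Package names in a relationship field, version constraints dropped."""
    names = set()
    for item in field.split(","):
        m = re.match(r"\s*([a-z0-9][a-z0-9+.-]+)", item)
        if m:
            names.add(m.group(1))
    return names

def unsafe_overlaps(packages):
    """Return (path, pkg_a, pkg_b) for files owned twice with no Replaces."""
    all_paths = {p for meta in packages.values() for p in meta["files"]}
    # .list files do not mark directories; a path with children is one,
    # and shared directories are legitimate.
    is_dir = lambda path: any(o.startswith(path + "/") for o in all_paths)
    owners = {}
    for name, meta in packages.items():
        for path in meta["files"]:
            if not is_dir(path):
                owners.setdefault(path, set()).add(name)
    findings = []
    for path, names in sorted(owners.items()):
        for a, b in combinations(sorted(names), 2):
            declared = (b in relation_names(packages[a].get("Replaces", "")) or
                        a in relation_names(packages[b].get("Replaces", "")))
            if not declared:
                findings.append((path, a, b))
    return findings
```
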


