Qt 5.11.3 Released with Important Security Updates

Qt 5.11.3 is released today. As a patch release it does not add any new functionality, but provides important bug fixes, security updates and other improvements.

Compared to Qt 5.11.2, the Qt 5.11.3 release provides fixes for over 100 bugs and it contains around 300 changes in total. For details of the most important changes, please check the Change files of Qt 5.11.3.

Qt 5.11.3 contains the following important security fixes:

• CVE-2018-15518, Qt Base: “double free or corruption” in QXmlStreamReader
• CVE-2018-19873, Qt Base: QBmpHandler segfault on malformed BMP file
• CVE-2018-19870, Qt Base: Check for QImage allocation failure in qgifhandler
• CVE-2018-19871, Qt Imageformats: QImage: QTgaFile CPU exhaustion
• CVE-2018-19865, Qt Virtual Keyboard: Qt Virtual Keyboard logs all key presses
• CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference

All these security fixes are included in the upcoming Qt 5.12.0 release.

Qt 5.9.7 released earlier contains all the fixes, except the one for virtual keyboard, which is available as a set of patches here, here and here.

Qt 5.6.3 release can be patched with these security fixes available here, here, here, here, here, here, here and here.

Qt 5.11.3 is the last release of the Qt 5.11.x series. The 5.11 branch is now closed. All bug fixes go into Qt 5.12 and the most important ones are cherry picked into Qt 5.9 LTS.

The recommended way for getting Qt 5.11.3 is using the maintenance tool of the online installer. For new installations, please download latest online installer from Qt Account portal (commercial license holders) or from qt.io Download page (open source).

Offline packages are also available for those can’t use the online installer.