Hello community,
here is the log from the commit of package telepathy-gabble.1728 for openSUSE:12.3:Update checked in at 2013-06-14 16:52:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/telepathy-gabble.1728 (Old)
and /work/SRC/openSUSE:12.3:Update/.telepathy-gabble.1728.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "telepathy-gabble.1728"
Changes:
--------
New Changes file:
--- /dev/null 2013-06-12 16:57:03.272031756 +0200
+++ /work/SRC/openSUSE:12.3:Update/.telepathy-gabble.1728.new/telepathy-gabble.changes 2013-06-14 16:52:03.000000000 +0200
@@ -0,0 +1,1710 @@
+-------------------------------------------------------------------
+Mon Jun 3 22:31:21 CEST 2013 - hpj@opensuse.org
+
+- Add telepathy-gabble-cve-2013-1431.patch (bnc#822586). This makes
+ it respect the TLS-required flag on legacy Jabber servers.
+ Identified as CVE-2013-1431.
+
+-------------------------------------------------------------------
+Thu Mar 14 21:22:50 CET 2013 - hpj@opensuse.org
+
+- Add telepathy-gabble-cve-2013-1769.patch (bnc#807449). This
+ fixes remotely-triggered DoS vulnerabilities identified as
+ CVE-2013-1769.
+
+-------------------------------------------------------------------
+Wed Sep 12 06:54:47 UTC 2012 - vuntz@opensuse.org
+
+- Update to version 0.17.1:
+ + Enhancements:
+ - fdo#32612: Old-style Tube channels have been removed.
+ - Tube and Text channels are no longer announced together.
+ + Fixes:
+ - Make sure capability discovery works for the camera-v1
+ capability bundle, avoiding an iChat bug in which it repeats
+ failed capability discovery requests in a rapid loop
+ (fdo#54634)
+ - Fix some race conditions and other brokenness in the tests
+- Add pkgconfig(glib-2.0) BuildRequires so it can be versioned.
+
+-------------------------------------------------------------------
+Mon Aug 27 08:11:16 UTC 2012 - dimstar@opensuse.org
+
+- Update to version 0.17.0:
+ + Fix calls with android devices.
+ + Implement WLM jidlookup. This makes possible to add MSN
+ contacts using XMPP.
+ + Fix google caps parsing.
+
+-------------------------------------------------------------------
+Thu Aug 23 11:14:24 UTC 2012 - mailaender@opensuse.org
+
+- Update to version 0.16.2
+ + Fixes: Crash in tp_base_channel_close (fdo#53087).
+
+-------------------------------------------------------------------
+Thu Jun 21 08:34:28 UTC 2012 - dimstar@opensuse.org
+
+- Update to version 0.16.1:
+ + "see-other-host" stream error is now supported. This fix
+ connection issue with Windows Live XMPP server.
+ + fdo#36998: Fail to establish a video call with Android.
+
+-------------------------------------------------------------------
+Thu Jun 7 19:41:40 UTC 2012 - mikhail.zabaluev@gmail.com
+
+- Moved the console plugin to telepathy-gabble-xmpp-console
+
+-------------------------------------------------------------------
+Fri Apr 6 14:11:58 UTC 2012 - vuntz@opensuse.org
+
+- Update to version 0.16.0:
+ + Install plugins in their own special (versioned) gabble
+ directory so we're not installing unversioned ABI-unstable
+ libraries.
+ + The DownloadAtConnection and Download ContactList members have
+ been implemented.
+ + Handle errors in IBB bytestreams (fdo#47999).
+
+-------------------------------------------------------------------
+Sun Mar 25 18:57:20 UTC 2012 - dimstar@opensuse.org
+
+- Update to version 0.15.5:
+ + Enhancements:
+ - fdo#46513: Refactor Jingle code to remove Telepathy in
+ preparation of moving it to Wocky.
+ - fdo#45602: Subclass TpBaseChannel in more channel
+ implemenations.
+ - fdo#47502: Add a --disable-voip configure flag to disable
+ building gabble with VoIP support.
+ + Fixes:
+ - Correctly convert between Telepathy and Jingle candidate
+ types.
+ - Start sending automatically on accepting bidirectional calls.
+- Change dbus-1-glib-devel BuildRequires to pkgconfig(dbus-glib-1).
+
+-------------------------------------------------------------------
+Wed Feb 22 07:20:36 UTC 2012 - vuntz@opensuse.org
+
+- Update to version 0.15.4:
+ + Enhancements:
+ - Add support for the final version of Call1 from
+ telepathy-spec 0.25.2 and remove the telepathy-yell
+ submodule.
+ - fdo#41790: Make file transfer support optional
+ - fdo#44056: telepathy-gabble-xmpp-console no longer mixes GIR
+ and pygtk.
+ - fdo#33911: The Loudmouth API compatibility layer has been
+ removed.
+ - fdo#45491: Error messages provided by the server in stanzas are now exposed via the SimplePresence
+ API. This makes it easier for users to distinguish contacts
+ being offline from contacts' servers being broken.
+ - fdo#44649: Gabble now has a gabble-plugins.so library,
+ similarly to mission-control.
+ + API changes to Wocky snapshot:
+ - fdo#45400: WockyPepService's API has changed a little bit.
+ - fdo#34975: WockyPorter is now responsible for sending back
+ error replies for unhandled IQs, whereas previously this was
+ up to Gabble.
+ - fdo#27489: including now includes all public
+ API from Wocky, and including any other header directly is
+ forbidden.
+ + Fixes:
+ - fdo#44331: Gabble plugin API fails at runtime on Windows:
+ gabble_plugin_create_sidecar function is renamed to
+ gabble_plugin_create_sidecar_async and new virtual function
+ gabble_plugin_create_sidecar_finish is introduced.
+ - fdo#45443 (workaround): avoid testing Credentials access
+ control, since recent Linux has stricter requirements for
+ credentials-passing (it's now opt-in) which we're not yet
+ meeting.
+ - fdo#46379: don't raise a GError with domain 0.
+ - fdo#44855: work around Google's unimplemented capability
+ discovery by hard-coding the capabilities of the GTalk echo
+ bot.
+ - Work around the deprecation of GValueArray.
+- Remove doc subpackage, and add appropriate Provides/Obsoletes to
+ the main subpackage: the doc is too small to make sense as a
+ separate package.
+
+-------------------------------------------------------------------
+Thu Dec 22 21:36:49 UTC 2011 - vuntz@opensuse.org
+
+- Update to version 0.15.3:
+ + Fixes:
+ - fdo#43891: Update wocky snapshot to fix
+ wocky_data_form_set_type()
+- Changes from version 0.15.2:
+ + Enhancements:
+ - fdo#43588, fdo#43889: Add public
+ gabble_connection_add_sidecar_own_caps_full() function which
+ includes data forms.
+ + Fixes:
+ - fdo#42462: Update wocky snapshot to fix gabble getting kicked
+ from D-Bus when non-character utf-8 is used by remote clients
+ - Fix the build when using GLib 2.32.
+
+-------------------------------------------------------------------
+Wed Dec 21 13:12:57 UTC 2011 - vuntz@opensuse.org
+
+- Split telepathy-gabble-xmpp-console tool in a
+ telepathy-gabble-xmpp-console subpackage, since it's not really
+ of interest to most people, and has many dependencies that
+ telepathy-gabble doesn't have.
+
+-------------------------------------------------------------------
+Fri Nov 25 09:43:26 UTC 2011 - dimstar@opensuse.org
+
+- Update to version 0.15.1:
+ + Enhancements:
+ - fdo#38568: Gabble now ships with an XMPP console interface
+ - fdo#32692, fdo#30296, fdo#41789: Gabble now implements the
+ freshly-undrafted Protocol.Interface.Addressing and the
+ still-unstable Connection.Interface.Addressing1, and uses
+ them to expose Facebook contacts' integer IDs.
+ - fdo#42446: Gabble can now be built on Android, using
+ Androgenizer.
+ + Fixes:
+ - capabilities.h and caps-channel-manager.h are no longer
+ erroneously omitted.
+
+-------------------------------------------------------------------
+Wed Nov 16 18:31:07 UTC 2011 - dimstar@opensuse.org
+
+- Update to version 0.15.0:
+ + Enhancements:
+ - fdo#42288: the Chan.I.FileTransfer.Metadata interface has
+ been implemented.
+ - Updated Wocky: The SASL auth server test now builds with new
+ and old versions of libsasl2.
+ + Bug fixes:
+ - fdo#42706: fix a typo when indexing a pointer array by using
+ the wrong counter!
+ - fd.o#32050: fix a crasher when using OLPC activities.
+ + Wocky:
+ - fdo#41719: don't bail on hashing caps if there's no FORM_TYPE
+ - fdo#39057: Accept from="server.com" as stanzas coming from
+ server.
+
+-------------------------------------------------------------------
+Tue Nov 15 09:58:07 UTC 2011 - vuntz@opensuse.org
+
+- Update to version 0.14.0:
+ + Enhancements:
+ - It's now possible to install Gabble's test suite.
+ - fdo#41417: when connected to Facebook, text channels now
+ produce 'accepted' delivery reports when the user sends a
++++ 1513 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.3:Update/.telepathy-gabble.1728.new/telepathy-gabble.changes
New:
----
telepathy-gabble-0.17.1.tar.gz
telepathy-gabble-cve-2013-1431.patch
telepathy-gabble-cve-2013-1769.patch
telepathy-gabble.changes
telepathy-gabble.spec
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ telepathy-gabble.spec ++++++
#
# spec file for package telepathy-gabble
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# Package preamble: identity, upstream source, security patches and build dependencies.
Name: telepathy-gabble
Version: 0.17.1
Release: 0
Summary: XMPP connection manager for Telepathy
License: LGPL-2.1+
Group: Productivity/Networking/Instant Messenger
Url: http://telepathy.freedesktop.org/wiki/
# NOTE(review): the tarball URL is plain http and this spec lists no signature or
# checksum source for it; confirm the checked-in tarball against upstream out of band.
Source: http://telepathy.freedesktop.org/releases/telepathy-gabble/%{name}-%{version}.tar.gz
# PATCH-FIX-UPSTREAM telepathy-gabble-cve-2013-1769.patch bnc#807449 hpj@opensuse.org -- Fix remote DoS vulnerability CVE-2013-1769.
Patch0: telepathy-gabble-cve-2013-1769.patch
# PATCH-FIX-UPSTREAM telepathy-gabble-cve-2013-1431.patch bnc#822586 hpj@opensuse.org -- Respect TLS-required flag on legacy Jabber servers. CVE-2013-1431.
Patch1: telepathy-gabble-cve-2013-1431.patch
# Both patches carry security fixes on top of 0.17.1; each Patch line needs its
# matching patch step in the prep section, otherwise the fix is silently not applied.
# presumably the TLS library used for XMPP connections -- verify against configure
BuildRequires: libgnutls-devel
BuildRequires: libnice-devel >= 0.0.11
BuildRequires: libsoup-devel
BuildRequires: libxslt-devel
BuildRequires: python-xml
BuildRequires: sqlite3-devel
BuildRequires: telepathy-glib-devel >= 0.19.7
BuildRequires: pkgconfig(dbus-glib-1)
BuildRequires: pkgconfig(glib-2.0) >= 2.30
# Weak dependency only: the build passes a CA bundle path to configure, but nothing
# here forces the bundle to be installed.
# NOTE(review): confirm certificate validation fails closed when the bundle is missing.
Recommends: ca-certificates
# doc subpackage removed during 12.2 development
Provides: %{name}-doc = %{version}
Obsoletes: %{name}-doc < %{version}
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
Gabble is a Jabber/XMPP connection manager for the Telepathy framework,
currently supporting single user chats, multi user chats and
voice/video calls. Install this package to use Telepathy instant
messaging clients with Jabber/XMPP servers, including Google Talk.
%package xmpp-console
# Optional XMPP console, packaged separately from the connection manager; it is
# tied to the exact main package version and is the only part needing python-gobject.
Summary: XMPP connection manager for Telepathy -- XMPP Console
Group: Productivity/Networking/Instant Messenger
Requires: %{name} = %{version}
Requires: python-gobject
%description xmpp-console
This utility is a XMPP console user interface, for telepathy-gabble.
%prep
# Unpack the upstream tarball, then apply the two security patches in order:
# Patch0 (CVE-2013-1769, remote DoS) and Patch1 (CVE-2013-1431, TLS-required flag).
%setup -q
%patch0 -p1
%patch1 -p1
%build
# Configure without static libraries, install docs under the package doc directory
# and pass the CA bundle path used for server certificate checks; then run make
# with the smp flags macro when it is defined.
%configure \
--disable-static \
--docdir=%{_docdir}/%{name} \
--with-ca-certificates=%{_sysconfdir}/ssl/ca-bundle.pem
make %{?_smp_mflags}
%install
# Stage the build into the buildroot.
%make_install
# Drop libtool archives; -print records each removed file in the build log.
find %{buildroot} -type f -name "*.la" -delete -print
# Ship the authorship, changelog and licence files in the package doc directory.
cp AUTHORS ChangeLog COPYING %{buildroot}%{_docdir}/%{name}
%clean
rm -rf %{buildroot}
# The post and postun scriptlets below use /sbin/ldconfig as their interpreter;
# keep them without a body, so add no comment lines after them.
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%files
# Main package payload; defattr makes every entry owned by root:root.
%defattr (-,root,root)
%doc AUTHORS ChangeLog COPYING NEWS README
%doc %{_docdir}/%{name}/*.html
%dir %{_datadir}/telepathy
%dir %{_datadir}/telepathy/managers
%dir %{_libdir}/telepathy
%dir %{_libdir}/telepathy/gabble-0
%dir %{_libdir}/telepathy/gabble-0/plugins
# The connection manager binary, its private libraries and the gateways plugin.
%{_libexecdir}/telepathy-gabble
%{_libdir}/telepathy/gabble-0/lib/
%{_libdir}/telepathy/gabble-0/plugins/libgateways.so
# D-Bus service file and Telepathy manager file for gabble.
%{_datadir}/dbus-1/services/org.freedesktop.Telepathy.ConnectionManager.gabble.service
%{_datadir}/telepathy/managers/gabble.manager
%{_mandir}/man8/telepathy-gabble.8%{?ext_man}
# The console tool and its plugin ship only in the xmpp-console subpackage.
%files xmpp-console
%defattr (-,root,root)
%{_bindir}/telepathy-gabble-xmpp-console
%{_libdir}/telepathy/gabble-0/plugins/libconsole.so
%changelog
++++++ telepathy-gabble-cve-2013-1431.patch ++++++
From: Simon McVittie
Date: Mon, 27 May 2013 13:16:22 +0100
Subject: [PATCH] security: respect tls-required flag on legacy Jabber servers
It's checked elsewhere for XMPP 1.0 servers, which can either
use "old SSL" or perform STARTTLS. Legacy Jabber can only use
"old SSL", which is similar to https - connect to a separate port,
typically 5223, and start speaking SSL - so if the connection was
ever going to be encrypted, by this point it already would be.
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=65036
Reviewed-by: Sjoerd Simons
Origin: upstream, 0.16.6
---
wocky/wocky-connector.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/ext/wocky/wocky/wocky-connector.c b/lib/ext/wocky/wocky/wocky-connector.c
index 133b9fd..3287285 100644
--- a/lib/ext/wocky/wocky/wocky-connector.c
+++ b/lib/ext/wocky/wocky/wocky-connector.c
@@ -1135,6 +1135,9 @@ xmpp_init_recv_cb (GObject *source,
if (!priv->legacy_support)
abort_connect_code (self, WOCKY_CONNECTOR_ERROR_NON_XMPP_V1_SERVER,
"Server not XMPP 1.0 Compliant");
+ else if (priv->tls_required && !priv->encrypted)
+ abort_connect_code (data, WOCKY_CONNECTOR_ERROR_TLS_UNAVAILABLE,
+ "TLS requested but server is not XMPP 1.0 compliant (try using \"old SSL\")");
else
jabber_request_auth (self);
}
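Review bot: The added branch passes `data` to abort_connect_code() while the call just above it and jabber_request_auth() below both pass `self`; presumably they refer to the same connector, but `self` is the typed pointer and keeps the three calls consistent: `abort_connect_code (self, WOCKY_CONNECTOR_ERROR_TLS_UNAVAILABLE,`. The guard also relies on `priv->encrypted` already being true for an old-SSL connection when this callback runs, and that assignment is outside the hunk. A regression test that a legacy server with tls-required set and no old SSL is refused before jabber_request_auth() is reached would pin the fix. xmpp_init_recv_cb starts and ends outside the hunk.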
++++++ telepathy-gabble-cve-2013-1769.patch ++++++
diff --git a/lib/ext/wocky/wocky/wocky-caps-hash.c b/lib/ext/wocky/wocky/wocky-caps-hash.c
index 1c18293..01006a7 100644
--- a/lib/ext/wocky/wocky/wocky-caps-hash.c
+++ b/lib/ext/wocky/wocky/wocky-caps-hash.c
@@ -80,8 +80,17 @@ dataforms_cmp (gconstpointer a,
else if (left_type != NULL && right_type == NULL)
return 1;
else /* left_type != NULL && right_type != NULL */
- return strcmp (g_value_get_string (left_type->default_value),
- g_value_get_string (right_type->default_value));
+ {
+ const gchar *left_value = NULL, *right_value = NULL;
+
+ if (left_type->raw_value_contents != NULL)
+ left_value = left_type->raw_value_contents[0];
+
+ if (right_type->raw_value_contents != NULL)
+ right_value = right_type->raw_value_contents[0];
+
+ return g_strcmp0 (left_value, right_value);
+ }
}
static GPtrArray *
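Review bot: Only `raw_value_contents[0]` is compared in the new block, so two FORM_TYPE fields with no value (or a NULL array) compare equal and a field with several values is ordered by its first one; nothing in this hunk says whether such forms are rejected elsewhere. A comment above the new block would record the intent, e.g. `/* FORM_TYPE comes from the remote peer and may carry no value; g_strcmp0 sorts NULL first instead of dereferencing it */`. dataforms_cmp starts outside the hunk.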
@@ -190,16 +199,22 @@ wocky_caps_hash_compute_from_lists (
continue;
}
- form_name = g_value_get_string (field->default_value);
-
if (field->type != WOCKY_DATA_FORM_FIELD_TYPE_HIDDEN)
{
- DEBUG ("FORM_TYPE field of form '%s' is not hidden; "
- "ignoring form and moving onto next one",
- form_name);
+ DEBUG ("FORM_TYPE field is not hidden; "
+ "ignoring form and moving onto next one");
continue;
}
+ if (field->raw_value_contents == NULL ||
+ g_strv_length (field->raw_value_contents) != 1)
+ {
+ DEBUG ("FORM_TYPE field does not have exactly one value; failing");
+ goto cleanup;
+ }
+
+ form_name = field->raw_value_contents[0];
+
if (g_hash_table_lookup (form_names, form_name) != NULL)
{
DEBUG ("error: there are multiple data forms with the "
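Review bot: The two rejection paths now behave differently without explanation: a non-hidden FORM_TYPE skips the form with `continue`, while a FORM_TYPE with zero or several values abandons the whole hash with `goto cleanup`. A short comment before the new check, e.g. `/* a FORM_TYPE without exactly one value invalidates the whole caps hash, not just this form */`, would stop a later edit from aligning one path with the other by mistake. The `cleanup` label and the start of wocky_caps_hash_compute_from_lists are outside the hunk, so whether everything allocated up to this point is released there should be confirmed.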
@@ -224,6 +239,14 @@ wocky_caps_hash_compute_from_lists (
field = l->data;
+ if (field->var == NULL)
+ {
+ DEBUG ("can't hash form '%s': it has an anonymous field",
+ form_name);
+ g_slist_free (fields);
+ goto cleanup;
+ }
+
if (!wocky_strdiff (field->var, "FORM_TYPE"))
continue;
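Review bot: The new early exit frees `fields` by hand before `goto cleanup`, which suggests the cleanup label does not release it; any other early exit added inside this loop would have to repeat that call or leak the list. If the declaration (outside the hunk) allows it, initialising `fields` to NULL and calling `g_slist_free (fields)` once under `cleanup:` would make the error paths uniform. The enclosing loop and function start and end outside the hunk.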
diff --git a/lib/ext/wocky/wocky/wocky-data-form.c b/lib/ext/wocky/wocky/wocky-data-form.c
index 8428016..c74c1ae 100644
--- a/lib/ext/wocky/wocky/wocky-data-form.c
+++ b/lib/ext/wocky/wocky/wocky-data-form.c
@@ -1050,7 +1050,7 @@ gint
wocky_data_form_field_cmp (const WockyDataFormField *left,
const WockyDataFormField *right)
{
- return strcmp (left->var, right->var);
+ return g_strcmp0 (left->var, right->var);
}
static void
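Review bot: wocky_data_form_field_cmp now tolerates fields whose `var` is NULL, but nothing documents how they order: with g_strcmp0 a NULL `var` sorts before any non-NULL one and two NULLs compare equal. I would add `/* NULL-safe: anonymous fields (var == NULL) sort first; callers that must reject them check separately */` above the return. `left` and `right` themselves are still dereferenced unconditionally, which is worth stating in the same comment if callers are expected to guarantee non-NULL arguments.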