openSUSE Security Update: Security update for mumble ______________________________________________________________________________ Announcement ID: openSUSE-SU-2020:1016-1 Rating: moderate References: #1174041 Affected Products: openSUSE Leap 15.2 openSUSE Leap 15.1 ______________________________________________________________________________ An update that contains security fixes can now be installed. Description: This update for mumble fixes the following issues: mumble was updated 1.3.2: * client: Fixed overlay not starting Update to upstream version 1.3.1 - Security * Fixed: Potential exploit in the OCB2 encryption (#4227) boo#1174041 - ICE * Fixed: Added missing UserKDFIterations field to UserInfo => Prevents getRegistration() from failing with enumerator out of range error (#3835) - GRPC * Fixed: Segmentation fault during murmur shutdown (#3938) - Client * Fixed: Crash when using multiple monitors (#3756) * Fixed: Don't send empty message from clipboard via shortcut, if clipboard is empty (#3864) * Fixed: Talking indicator being able to freeze to indicate talking when self-muted (#4006) * Fixed: High CPU usage for update-check if update server not available (#4019) * Fixed: DBus getCurrentUrl returning empty string when not in root-channel (#4029) * Fixed: Small parts of whispering leaking out (#4051) * Fixed: Last audio frame of normal talking is sent to last whisper target (#4050) * Fixed: LAN-icon not found in ConnectDialog (#4058) * Improved: Set maximal vertical size for User Volume Adjustment dialog (#3801) * Improved: Don't send empty data to PulseAudio (#3316) * Improved: Use the SRV resolved port for UDP connections (#3820) * Improved: Manual Plugin UI (#3919) * Improved: Don't start Jack server by default (#3990) * Improved: Overlay doesn't hook into all other processes by default (#4041) * Improved: Wait longer before disconnecting from a server due to unanswered Ping-messages (#4123) - Server * Fixed: Possibility to circumvent max user-count in channel (#3880) * Fixed: Rate-limit implementation susceptible to time-underflow (#4004) * Fixed: OpenSSL error 140E0197 with Qt >= 5.12.2 (#4032) * Fixed: VersionCheck for SQL for when to use the WAL feature (#4163) * Fixed: Wrong database encoding that could lead to server-crash (#4220) * Fixed: DB crash due to primary key violation (now performs "UPSERT" to avoid this) (#4105) * Improved: The fields in the Version ProtoBuf message are now size-restricted (#4101) - use the "profile profilename /path/to/binary" syntax to make "ps aufxZ" more readable Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.2: zypper in -t patch openSUSE-2020-1016=1 - openSUSE Leap 15.1: zypper in -t patch openSUSE-2020-1016=1 Package List: - openSUSE Leap 15.2 (i586 x86_64): mumble-1.3.2-lp152.2.3.1 mumble-debuginfo-1.3.2-lp152.2.3.1 mumble-debugsource-1.3.2-lp152.2.3.1 mumble-server-1.3.2-lp152.2.3.1 mumble-server-debuginfo-1.3.2-lp152.2.3.1 - openSUSE Leap 15.2 (x86_64): mumble-32bit-1.3.2-lp152.2.3.1 mumble-32bit-debuginfo-1.3.2-lp152.2.3.1 - openSUSE Leap 15.1 (i586 x86_64): mumble-1.3.2-lp151.4.12.1 mumble-debuginfo-1.3.2-lp151.4.12.1 mumble-debugsource-1.3.2-lp151.4.12.1 mumble-server-1.3.2-lp151.4.12.1 mumble-server-debuginfo-1.3.2-lp151.4.12.1 - openSUSE Leap 15.1 (x86_64): mumble-32bit-1.3.2-lp151.4.12.1 mumble-32bit-debuginfo-1.3.2-lp151.4.12.1 References: https://bugzilla.suse.com/1174041 -- To unsubscribe, e-mail: opensuse-security-announce+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security-announce+help@opensuse.org