Mailinglist Archive: opensuse-updates (91 mails)

openSUSE-SU-2014:0239-1: moderate: update for pidgin, pidgin-branding-openSUSE
openSUSE Security Update: update for pidgin, pidgin-branding-openSUSE
______________________________________________________________________________

Announcement ID: openSUSE-SU-2014:0239-1
Rating: moderate
References: #861019
Cross-References: CVE-2012-6152 CVE-2013-6477 CVE-2013-6478
CVE-2013-6479 CVE-2013-6481 CVE-2013-6482
CVE-2013-6483 CVE-2013-6484 CVE-2013-6485
CVE-2013-6486 CVE-2013-6487 CVE-2014-0020

Affected Products:
openSUSE 13.1
openSUSE 12.3
______________________________________________________________________________

An update that fixes 12 vulnerabilities is now available.

Description:


- Update to version 2.10.8 (bnc#861019):
+ General: Python build scripts and example plugins are
now compatible with Python 3 (pidgin.im#15624).
+ libpurple:
- Fix potential crash if libpurple gets an error
attempting to read a reply from a STUN server
(CVE-2013-6484).
- Fix potential crash parsing a malformed HTTP response
(CVE-2013-6479).
- Fix buffer overflow when parsing a malformed HTTP
response with chunked Transfer-Encoding (CVE-2013-6485).
- Better handling of HTTP proxy responses with negative
Content-Lengths.
- Fix handling of SSL certificates without subjects
when using libnss.
- Fix handling of SSL certificates with timestamps in
the distant future when using libnss (pidgin.im#15586).
- Impose maximum download size for all HTTP fetches.
+ Pidgin:
- Fix crash displaying tooltip of long URLs
(CVE-2013-6478).
- Better handling of URLs longer than 1000 letters.
- Fix handling of multibyte UTF-8 characters in smiley
themes (pidgin.im#15756).
+ AIM: Fix untrusted certificate error.
+ AIM and ICQ: Fix a possible crash when receiving a
malformed message in a Direct IM session.
+ Gadu-Gadu:
- Fix buffer overflow with remote code execution
potential. Only triggerable by a Gadu-Gadu server or a
man-in-the-middle (CVE-2013-6487).
- Disabled buddy list import/export from/to server.
- Disabled new account registration and password change
options.
+ IRC:
- Fix bug where a malicious server or man-in-the-middle
could trigger a crash by not sending enough arguments with
various messages (CVE-2014-0020).
- Fix bug where initial IRC status would not be set
correctly.
- Fix bug where IRC wasn't available when libpurple was
compiled with Cyrus SASL support (pidgin.im#15517).
+ MSN:
- Fix NULL pointer dereference parsing headers in MSN
(CVE-2013-6482).
- Fix NULL pointer dereference parsing OIM data in MSN
(CVE-2013-6482).
- Fix NULL pointer dereference parsing SOAP data in MSN
(CVE-2013-6482).
- Fix possible crash when sending very long messages.
Not remotely-triggerable.
+ MXit:
- Fix buffer overflow with remote code execution
potential (CVE-2013-6487).
- Fix sporadic crashes that can happen after user is
disconnected.
- Fix crash when attempting to add a contact via search
results.
- Show error message if file transfer fails.
- Fix compiling with InstantBird.
- Fix display of some custom emoticons.
+ SILC: Correctly set whiteboard dimensions in whiteboard
sessions.
+ SIMPLE: Fix buffer overflow with remote code execution
potential (CVE-2013-6487).
+ XMPP:
- Prevent spoofing of iq replies by verifying that the
'from' address matches the 'to' address of the iq request
(CVE-2013-6483).
- Fix crash on some systems when receiving fake delay
timestamps with extreme values (CVE-2013-6477).
- Fix possible crash or other erratic behavior when
selecting a very small file for your own buddy icon.
- Fix crash if the user tries to initiate a voice/video
session with a resourceless JID.
- Fix login errors when the first two available auth
mechanisms fail but a subsequent mechanism would otherwise
work when using Cyrus SASL (pidgin.im#15524).
- Fix dropping incoming stanzas on BOSH connections
when we receive multiple HTTP responses at once
(pidgin.im#15684).
+ Yahoo!:
- Fix possible crashes handling incoming strings that
are not UTF-8 (CVE-2012-6152).
- Fix a bug reading a peer-to-peer message where a
remote user could trigger a crash (CVE-2013-6481).
+ Plugins:
- Fix crash in contact availability plugin.
- Fix perl function Purple::Network::ip_atoi.
- Add Unity integration plugin.
+ Windows-specific fixes (CVE-2013-6486,
pidgin.im#15520, pidgin.im#15521, bgo#668154).
- Drop pidgin-irc-sasl.patch, fixed upstream.

- Obsolete pidgin-facebookchat: the package is no longer
maintained and pidgin has built-in support for Facebook
Chat.

- Protect the mono-devel BuildRequires with the with_mono macro.

- Add pidgin-gstreamer1.patch: Port to GStreamer 1.0. Only
enabled on openSUSE 13.1 and newer.
- On openSUSE 13.1 and newer, use gstreamer-devel and
gstreamer-plugins-base-devel BuildRequires.
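Four of the libpurple items above (the crash on a malformed HTTP response, the buffer overflow in chunked Transfer-Encoding, the negative Content-Length handling and the new download cap) are the same mistake seen from different angles: a length taken from the response was trusted before it was checked against the cap and against the bytes actually received. The reader below is an added illustration of those checks and is not libpurple's code; the cap of 64 KiB, the function names and the sample responses are constructed for the example, and trailers after the last chunk are ignored.

```python
import re

# Constructed example: a bounded HTTP/1.1 response body reader.
# Hypothetical cap on the whole body; the advisory does not state libpurple's actual limit.
MAX_DOWNLOAD = 64 * 1024
MAX_CHUNK_SIZE_DIGITS = 8   # hex digits; anything longer is refused before int() runs


class HttpResponseError(ValueError):
    """Any response we refuse to process (malformed, oversized or truncated)."""


def parse_headers(raw):
    """Split a raw response into (status_line, {lowercased-name: value}, body_bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise HttpResponseError("no end of headers")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1", "replace")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise HttpResponseError("malformed header line")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def content_length(headers, limit):
    """Validated Content-Length or None. Rejects negatives, non-numbers and values over the cap."""
    value = headers.get("content-length")
    if value is None:
        return None
    if not re.fullmatch(r"[0-9]+", value):      # '-1', '', '0x10', '1e9' all fail here
        raise HttpResponseError(f"invalid Content-Length {value!r}")
    n = int(value)
    if n > limit:
        raise HttpResponseError(f"Content-Length {n} exceeds cap {limit}")
    return n


def decode_chunked(body, limit):
    """Decode a chunked body, checking every chunk size against the cap and the data present."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise HttpResponseError("truncated chunk-size line")
        size_field = body[pos:eol].split(b";", 1)[0].strip()   # drop chunk extensions
        if len(size_field) > MAX_CHUNK_SIZE_DIGITS or not re.fullmatch(rb"[0-9A-Fa-f]+", size_field):
            raise HttpResponseError("malformed chunk size")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)                    # last-chunk; trailers are ignored
        if len(out) + size > limit:
            raise HttpResponseError("chunked body exceeds cap")
        chunk = body[pos:pos + size]
        if len(chunk) != size:                   # never copy more than was received
            raise HttpResponseError("chunk data truncated")
        out += chunk
        pos += size
        if body[pos:pos + 2] != b"\r\n":
            raise HttpResponseError("missing CRLF after chunk data")
        pos += 2


def read_body(raw, limit=MAX_DOWNLOAD):
    """Return the validated body of a complete raw response, or raise HttpResponseError."""
    _status, headers, body = parse_headers(raw)
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return decode_chunked(body, limit)
    n = content_length(headers, limit)
    if n is None:
        n = len(body)                            # no length header: body runs to end of data
    if n > limit:
        raise HttpResponseError("body exceeds cap")
    if len(body) < n:
        raise HttpResponseError("body shorter than Content-Length")
    return bytes(body[:n])


def rejects(raw, limit=MAX_DOWNLOAD):
    """True if read_body refuses the response; used to exercise the failure paths."""
    try:
        read_body(raw, limit)
    except HttpResponseError:
        return True
    return False


# Constructed sample responses, not captured traffic.
SAMPLES = {
    "plain": b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello",
    "negative_length": b"HTTP/1.1 200 OK\r\nContent-Length: -1\r\n\r\nhello",
    "chunked": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n",
    "huge_chunk": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\nFFFFFFFF\r\nx\r\n0\r\n\r\n",
    "lying_chunk": b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n10\r\nshort\r\n0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", "rejected" if rejects(raw) else read_body(raw))
```

The two chunked failure cases are the ones that matter for the overflow class: "huge_chunk" advertises a size far past the cap and is refused before any copy, and "lying_chunk" advertises 16 bytes but supplies fewer, so the copy is bounded by what was received rather than by the attacker's number.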
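The XMPP item for CVE-2013-6483 describes a logic check rather than a memory fix: an iq result is only meaningful if it comes from the JID the matching request was sent to, otherwise any contact who can guess an id can answer on another entity's behalf. The tracker below is an added example of that check and is not the jabber code in libpurple; the JID normalization is a simplification of the stringprep profiles, and the rule for requests sent with no 'to' (accept the server, our own bare JID or an absent 'from', following the RFC 6120 section 8.1.2.1 semantics) is an assumption for this example, as are the names and sample stanzas.

```python
import xml.etree.ElementTree as ET


def normalize_jid(jid):
    """Lowercase localpart@domain; the resource is case-sensitive and kept as-is.
    Assumption: a simplification of the stringprep profiles, enough for this example."""
    if jid is None:
        return None
    addr, sep, resource = jid.partition("/")
    return addr.lower() + (sep + resource if sep else "")


def bare(jid):
    return normalize_jid(jid).partition("/")[0]


class IqTracker:
    """Remembers where each outgoing iq request went and checks that the reply comes from there."""

    def __init__(self, own_jid, server):
        self.own_bare = bare(own_jid)
        self.server = server.lower()
        self.pending = {}   # iq id -> normalized 'to' of the request (None = sent to our server)

    def send(self, iq_id, to=None):
        """Record an outgoing request (the actual stanza transmission is out of scope here)."""
        self.pending[iq_id] = normalize_jid(to)

    def _from_matches(self, expected_to, sender):
        if expected_to is not None:
            return sender == expected_to    # explicit 'to': the reply must come from exactly that JID
        # No 'to': the stanza was handled by our own server on the account's behalf, so an
        # absent 'from', our own bare JID or the server domain are the only acceptable senders
        # (assumption based on RFC 6120 section 8.1.2.1).
        return sender in (None, self.own_bare, self.server)

    def accept_reply(self, stanza_xml):
        """True (and the request is forgotten) if a result/error stanza matches a pending request.
        A mismatch leaves the request pending so a spoofed reply cannot pre-empt the genuine one."""
        iq = ET.fromstring(stanza_xml)
        if iq.tag != "iq" or iq.get("type") not in ("result", "error"):
            return False
        iq_id = iq.get("id")
        if iq_id not in self.pending:
            return False                    # unsolicited reply
        if not self._from_matches(self.pending[iq_id], normalize_jid(iq.get("from"))):
            return False
        del self.pending[iq_id]
        return True


def demo():
    """Constructed exchange: one request to a contact, one to our own server, then replies."""
    t = IqTracker("romeo@montague.lit/orchard", "montague.lit")
    t.send("r1", "juliet@capulet.lit/balcony")
    t.send("r2")    # e.g. a roster request, addressed to our server
    return {
        "spoofed": t.accept_reply('<iq type="result" id="r1" from="mallory@montague.lit"/>'),
        "genuine": t.accept_reply('<iq type="result" id="r1" from="Juliet@Capulet.lit/balcony"/>'),
        "replayed": t.accept_reply('<iq type="result" id="r1" from="juliet@capulet.lit/balcony"/>'),
        "server": t.accept_reply('<iq type="result" id="r2" from="montague.lit"/>'),
        "unsolicited": t.accept_reply('<iq type="error" id="zzz" from="juliet@capulet.lit/balcony"/>'),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'dropped'}")
```

Two details are deliberate: the pending entry is only consumed on a successful match, so a spoofed reply arriving first does not cause the genuine one to be dropped as unsolicited, and the comparison is against the full JID the request was addressed to, so a reply from a different resource of the same account is also refused.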


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch openSUSE-2014-132

- openSUSE 12.3:

zypper in -t patch openSUSE-2014-132

To bring your system up-to-date, use "zypper patch".
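Once the patch is applied, the thing to confirm is that the installed packages actually reached the fixed version-release listed for your product below. The script that follows is an added example, not part of the advisory or of the openSUSE tooling. It parses name-version-release strings as printed by rpm and compares them with a simplified rpmvercmp, which matters because a plain string comparison would rank release 4.6.1 above 4.10.1. The fixed values come from the Package List; the set of package names queried and the sample rpm output are assumptions made for the example.

```python
import re
import subprocess

# Fixed version-release per product, taken from the Package List in this advisory.
FIXED_VR = {"13.1": "2.10.9-4.6.1", "12.3": "2.10.9-4.10.1"}
# Assumed set of binary packages worth checking on a desktop install.
BINARY_PACKAGES = ("pidgin", "libpurple", "finch", "libpurple-tcl", "libpurple-meanwhile")

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpm_vercmp(a, b):
    """Simplified rpmvercmp(): -1, 0 or 1. Versions are compared as alternating numeric/alpha
    segments; numeric segments compare as integers, so 4.10.1 > 4.6.1. Tilde and caret
    handling is omitted (assumption: none of the versions here use them)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xd != yd:
            return 1 if xd else -1          # a numeric segment is newer than an alpha one
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):                  # all common segments equal: the longer one is newer
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_nvr(nvr):
    """Split 'name-version-release'; the name may itself contain dashes, the other two do not."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(nvr, product):
    """True if the installed NVR is at or above the fixed version-release for that product."""
    _, version, release = parse_nvr(nvr)
    fixed_version, fixed_release = FIXED_VR[product].split("-")
    c = rpm_vercmp(version, fixed_version)
    if c == 0:
        c = rpm_vercmp(release, fixed_release)
    return c >= 0


def check(rpm_output, product):
    """Map package name -> fixed? for every installed package in `rpm -q` output."""
    status = {}
    for line in rpm_output.splitlines():
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue                        # rpm -q reports absent packages on stdout
        name, _, _ = parse_nvr(line)
        status[name] = is_fixed(line, product)
    return status


def query_rpm():
    """Ask rpm for name-version-release of the packages of interest."""
    cmd = ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", *BINARY_PACKAGES]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


# Constructed sample of `rpm -q` output, not taken from a real system.
SAMPLE_OUTPUT = """pidgin-2.10.7-4.3.1
libpurple-2.10.9-4.6.1
package finch is not installed
"""

if __name__ == "__main__":
    try:
        out = query_rpm()
    except FileNotFoundError:               # no rpm on this host: show the sample instead
        out = SAMPLE_OUTPUT
    for pkg, ok in check(out, "13.1").items():
        print(f"{pkg}: {'patched' if ok else 'VULNERABLE'}")
```

Run it as root or an ordinary user on the patched host; the product key ("13.1" or "12.3") selects which release number counts as fixed, since the same upstream 2.10.9 carries a different build release on each product.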


Package List:

- openSUSE 13.1 (i586 x86_64):

finch-2.10.9-4.6.1
finch-debuginfo-2.10.9-4.6.1
finch-devel-2.10.9-4.6.1
libpurple-2.10.9-4.6.1
libpurple-debuginfo-2.10.9-4.6.1
libpurple-devel-2.10.9-4.6.1
libpurple-meanwhile-2.10.9-4.6.1
libpurple-meanwhile-debuginfo-2.10.9-4.6.1
libpurple-tcl-2.10.9-4.6.1
libpurple-tcl-debuginfo-2.10.9-4.6.1
pidgin-2.10.9-4.6.1
pidgin-debuginfo-2.10.9-4.6.1
pidgin-debugsource-2.10.9-4.6.1
pidgin-devel-2.10.9-4.6.1

- openSUSE 13.1 (noarch):

libpurple-branding-openSUSE-13.1-2.6.1
libpurple-branding-upstream-2.10.9-4.6.1
libpurple-lang-2.10.9-4.6.1

- openSUSE 12.3 (i586 x86_64):

finch-2.10.9-4.10.1
finch-debuginfo-2.10.9-4.10.1
finch-devel-2.10.9-4.10.1
libpurple-2.10.9-4.10.1
libpurple-debuginfo-2.10.9-4.10.1
libpurple-devel-2.10.9-4.10.1
libpurple-meanwhile-2.10.9-4.10.1
libpurple-meanwhile-debuginfo-2.10.9-4.10.1
libpurple-tcl-2.10.9-4.10.1
libpurple-tcl-debuginfo-2.10.9-4.10.1
pidgin-2.10.9-4.10.1
pidgin-debuginfo-2.10.9-4.10.1
pidgin-debugsource-2.10.9-4.10.1
pidgin-devel-2.10.9-4.10.1

- openSUSE 12.3 (noarch):

libpurple-branding-openSUSE-12.2-4.10.1
libpurple-branding-upstream-2.10.9-4.10.1
libpurple-lang-2.10.9-4.10.1


References:

http://support.novell.com/security/cve/CVE-2012-6152.html
http://support.novell.com/security/cve/CVE-2013-6477.html
http://support.novell.com/security/cve/CVE-2013-6478.html
http://support.novell.com/security/cve/CVE-2013-6479.html
http://support.novell.com/security/cve/CVE-2013-6481.html
http://support.novell.com/security/cve/CVE-2013-6482.html
http://support.novell.com/security/cve/CVE-2013-6483.html
http://support.novell.com/security/cve/CVE-2013-6484.html
http://support.novell.com/security/cve/CVE-2013-6485.html
http://support.novell.com/security/cve/CVE-2013-6486.html
http://support.novell.com/security/cve/CVE-2013-6487.html
http://support.novell.com/security/cve/CVE-2014-0020.html
https://bugzilla.novell.com/861019

