openSUSE Security Update: konversation: security and bugfix release to 1.5.1
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1406-1
Rating:             moderate
References:         #902670
Cross-References:   CVE-2014-8483
Affected Products:
                    openSUSE 13.2
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   konversation was updated to version 1.5.1, fixing bugs and one security
   issue.

   Changes:

   * Konversation 1.5.1 is a maintenance release containing only bug fixes.
     The included changes address several minor behavioral defects and a
     low-risk DoS security defect in the Blowfish ECB support. The KDE
     Platform version dependency has increased to v4.9.0 to gain access to
     newer Qt socket transport security flags.
   * Fixed a bug causing wildcards in command alias replacement patterns not
     to be expanded.
   * Fixed a bug causing auto-joining of channels not starting in # or & to
     sometimes fail because the auto-join command was generated before we
     got the CHANTYPES pronouncement by the server.
   * Added a size sanity check for incoming Blowfish ECB blocks. The blind
     assumption of incoming blocks being the expected 12 bytes could lead
     to a crash or an information leak of up to 11 bytes due to an
     out-of-bounds read. CVE-2014-8483.
   * Enabling SSL/TLS support for connections will now advertise the
     protocols Qt considers secure by default, instead of being hardcoded
     to TLSv1.
   * Fixed the bundled 'sysinfo' script not coping with empty lines in
     /etc/os-release.
   * Made disk space info in the bundled 'sysinfo' script more robust by
     forcing the C locale for 'df'.
   * Added an audio player type hint for Cantata to the bundled 'media'
     script.
   * Fixed some minor comparison logic errors turned up by static analysis.
   * Konversation now depends on KDE Platform v4.9.0 or higher.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2014-659

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.2 (i586 x86_64):

      konversation-1.5.1-3.4.1
      konversation-debuginfo-1.5.1-3.4.1
      konversation-debugsource-1.5.1-3.4.1

   - openSUSE 13.2 (noarch):

      konversation-lang-1.5.1-3.4.1

References:

   http://support.novell.com/security/cve/CVE-2014-8483.html
   https://bugzilla.suse.com/show_bug.cgi?id=902670
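The Blowfish ECB item above describes the defect class: a decoder that walks an incoming payload in fixed 12-byte strides without checking that a full block remains reads past the buffer, by up to 11 bytes for the last partial block. The following is an added illustration written for this page, not Konversation's code: it splits a payload into complete blocks only after a length sanity check, and computes how far an unchecked stride loop would have read beyond the end for a given payload size.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// One encoded Blowfish ECB block as received over IRC is 12 bytes
// (the "expected 12 bytes" from the advisory).
constexpr std::size_t kEncodedBlockLen = 12;

// Split `payload` into whole 12-byte blocks. Returns false and leaves
// `blocks` empty when the payload is not a whole number of blocks, so no
// caller ever indexes 12 bytes of a block that is only partly present.
bool splitEncodedBlocks(const std::string& payload,
                        std::vector<std::string>& blocks) {
    blocks.clear();
    if (payload.empty() || payload.size() % kEncodedBlockLen != 0) {
        return false;  // truncated or malformed: reject instead of assuming
    }
    for (std::size_t off = 0; off < payload.size(); off += kEncodedBlockLen) {
        blocks.push_back(payload.substr(off, kEncodedBlockLen));
    }
    return true;
}

// Number of bytes an unchecked loop of the form
//   for (off = 0; off < size; off += 12) read(payload[off .. off+11]);
// would read past the end of a `size`-byte buffer. The trailing partial
// block of r = size % 12 bytes is padded by (12 - r) out-of-bounds bytes,
// which is where the advisory's "up to 11 byte" figure comes from.
std::size_t uncheckedOverreadBytes(std::size_t size) {
    const std::size_t remainder = size % kEncodedBlockLen;
    return remainder == 0 ? 0 : kEncodedBlockLen - remainder;
}
```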