openSUSE-SU-2021:0312-1: moderate: Security update for mumble - openSUSE Security Announce

19 Feb 2021


      openSUSE Security Update: Security update for mumble
______________________________________________________________________________
Announcement ID:    openSUSE-SU-2021:0312-1
Rating:             moderate
References:         #1180068 #1182123 
Affected Products:
                    openSUSE Backports SLE-15-SP2
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update for mumble fixes the following issues:
mumble was updated to 1.3.4:
* Fix use of outdated (non-existent) notification icon names
   * Fix Security vulnerability caused by allowing non http/https URL schemes
     in public server list (boo#1182123)
   * Server: Fix Exit status for actions like --version or --supw
   * Fix packet loss & audio artifacts caused by OCB2 XEX* mitigation
- update apparmor profiles to get warning free again on 15.2
     - use abstractions for ssl files
     - allow inet dgram sockets as mumble can also work via udp
     - allow netlink socket (probably for dbus)
     - properly allow lsb_release again
     - add support for optional local include
   - start murmurd directly as user mumble-server it gets rid of the
     dac_override/setgid/setuid/chown permissions
Update to upstream version 1.3.3
Client:
* Fixed: Chatbox invisble (zero height) (#4388)
   * Fixed: Handling of invalid packet sizes (#4394)
   * Fixed: Race-condition leading to loss of shortcuts (#4430)
   * Fixed: Link in About dialog is now clickable again (#4454)
   * Fixed: Sizing issues in ACL-Editor (#4455)
   * Improved: PulseAudio now always samples at 48 kHz (#4449)
Server:
* Fixed: Crash due to problems when using PostgreSQL (#4370)
   * Fixed: Handling of invalid package sizes (#4392)
This update was imported from the openSUSE:Leap:15.2:Update update project.
Patch Instructions:
To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
- openSUSE Backports SLE-15-SP2:
zypper in -t patch openSUSE-2021-312=1
Package List:
- openSUSE Backports SLE-15-SP2 (aarch64 ppc64le s390x x86_64):
mumble-1.3.4-bp152.2.6.1
      mumble-server-1.3.4-bp152.2.6.1
- openSUSE Backports SLE-15-SP2 (aarch64_ilp32):
mumble-64bit-1.3.4-bp152.2.6.1
References:
https://bugzilla.suse.com/1180068
   https://bugzilla.suse.com/1182123