openSUSE Security Update: update for pidgin
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1397-1
Rating:             moderate
References:         #853038 #874606 #902408 #902409 #902410 #902495
Cross-References:   CVE-2014-3694 CVE-2014-3695 CVE-2014-3696
                    CVE-2014-3697 CVE-2014-3698
Affected Products:
                    openSUSE 13.2
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has one errata is now
   available.

Description:

   - Update to version 2.10.10:
     + General:
       - Check the basic constraints extension when validating SSL/TLS
         certificates. This fixes a security hole that allowed a malicious
         man-in-the-middle holding any valid end-entity certificate to
         impersonate an IM server or any other https endpoint, because a
         certificate's issuer was accepted without checking that it was
         actually marked as a CA. This affected both the NSS and GnuTLS
         plugins (CVE-2014-3694, boo#902495).
       - Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL
         (im#15909).
     + libpurple3 compatibility:
       - Encrypted account passwords are preserved until the new one is set.
       - Fix loading Google Talk and Facebook XMPP accounts.
     + Windows-Specific Changes:
       - Don't allow overwriting arbitrary files on the file system when the
         user installs a smiley theme via drag-and-drop (CVE-2014-3697).
     + Finch:
       - Fix build against Python 3 (im#15969).
     + Gadu-Gadu:
       - Updated internal libgadu to version 1.12.0.
     + Groupwise:
       - Fix potential remote crash parsing a server message that indicates
         that a large amount of memory should be allocated (CVE-2014-3696,
         boo#902410).
     + IRC:
       - Fix a possible leak of unencrypted data when using the /me command
         with OTR (im#15750).
     + MXit:
       - Fix potential remote crash parsing a malformed emoticon response
         (CVE-2014-3695, boo#902409).
     + XMPP:
       - Fix potential information leak where a malicious XMPP server, and
         possibly even a malicious remote user, could create a carefully
         crafted XMPP message that causes libpurple to send an XMPP message
         containing arbitrary memory (CVE-2014-3698, boo#902408).
       - Fix Facebook XMPP roster quirks (im#15041, im#15957).
     + Yahoo:
       - Fix login when using the GnuTLS library for TLS connections
         (im#16172, boo#874606).
   - Drop pidgin-gstreamer1.patch: it causes crashes and video still does
     not work (boo#853038). Drop the BuildRequires conditions that switched
     to GStreamer 1.0.
   - Rebase pidgin-crash-missing-gst-registry.patch.
     + Add pidgin-crash-missing-gst-registry.patch: according to the
       GStreamer documentation, gst_init() must be called before any other
       GStreamer call.

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.2:

      zypper in -t patch openSUSE-2014-648

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 13.2 (i586 x86_64):

      finch-2.10.10-5.4.1
      finch-debuginfo-2.10.10-5.4.1
      finch-devel-2.10.10-5.4.1
      libpurple-2.10.10-5.4.1
      libpurple-debuginfo-2.10.10-5.4.1
      libpurple-devel-2.10.10-5.4.1
      libpurple-meanwhile-2.10.10-5.4.1
      libpurple-meanwhile-debuginfo-2.10.10-5.4.1
      libpurple-tcl-2.10.10-5.4.1
      libpurple-tcl-debuginfo-2.10.10-5.4.1
      pidgin-2.10.10-5.4.1
      pidgin-debuginfo-2.10.10-5.4.1
      pidgin-debugsource-2.10.10-5.4.1
      pidgin-devel-2.10.10-5.4.1

   - openSUSE 13.2 (noarch):

      libpurple-branding-openSUSE-13.2-2.3.1
      libpurple-branding-upstream-2.10.10-5.4.1
      libpurple-lang-2.10.10-5.4.1


References:

   http://support.novell.com/security/cve/CVE-2014-3694.html
   http://support.novell.com/security/cve/CVE-2014-3695.html
   http://support.novell.com/security/cve/CVE-2014-3696.html
   http://support.novell.com/security/cve/CVE-2014-3697.html
   http://support.novell.com/security/cve/CVE-2014-3698.html
   https://bugzilla.suse.com/show_bug.cgi?id=853038
   https://bugzilla.suse.com/show_bug.cgi?id=874606
   https://bugzilla.suse.com/show_bug.cgi?id=902408
   https://bugzilla.suse.com/show_bug.cgi?id=902409
   https://bugzilla.suse.com/show_bug.cgi?id=902410
   https://bugzilla.suse.com/show_bug.cgi?id=902495
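The basic-constraints check behind CVE-2014-3694, shown as an added example that is not part of this advisory and not Pidgin/libpurple code. It is written in Go against the standard library only: it builds a constructed PKI (a root CA, an ordinary end-entity certificate issued to a hypothetical customer of that root, and a fake IM-server certificate signed with the customer's own key), then runs the chain through a signature-only chain walk of the kind the fix removed, through the same walk with the RFC 5280 cA check added, and through crypto/x509 as a reference. All names (Example Root CA, customer.example.test, xmpp.example.test) are placeholders chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type CertKey struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a certificate for cn, self-signed when parent is nil.
// isCA is written into the basicConstraints extension as the cA flag.
func newCert(serial int64, cn string, isCA bool, parent *CertKey) *CertKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &CertKey{Cert: cert, Key: key}
}

// Scenario is a constructed PKI with hypothetical names: a trusted root, a legitimate
// end-entity cert for a customer of that root, and a Fake IM-server cert signed with
// the customer's key, which is what a CVE-2014-3694 man-in-the-middle presents.
type Scenario struct{ Root, Legit, Fake *CertKey }

func BuildScenario() *Scenario {
	root := newCert(1, "Example Root CA", true, nil)
	legit := newCert(2, "customer.example.test", false, root)
	fake := newCert(3, "xmpp.example.test", false, legit)
	return &Scenario{Root: root, Legit: legit, Fake: fake}
}

// Leaf-first chains, excluding the root.
func (s *Scenario) LegitChain() []*x509.Certificate { return []*x509.Certificate{s.Legit.Cert} }
func (s *Scenario) FakeChain() []*x509.Certificate  { return []*x509.Certificate{s.Fake.Cert, s.Legit.Cert} }

// ChainOK walks a leaf-first chain up to root, verifying each signature with the next
// certificate's key. requireCA=false is the behaviour the 2.10.10 fix removed: whoever
// signed the certificate is accepted as its issuer, so an end-entity cert can "issue"
// certificates. requireCA=true adds RFC 5280 4.2.1.9: every issuer must assert
// basicConstraints cA=TRUE and must not exceed its pathLenConstraint.
func ChainOK(chain []*x509.Certificate, root *x509.Certificate, requireCA bool) error {
	parents := append(append([]*x509.Certificate{}, chain[1:]...), root)
	for i, c := range chain {
		p := parents[i]
		if err := p.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature); err != nil {
			return fmt.Errorf("cert %d: bad signature: %w", i, err)
		}
		if !requireCA {
			continue
		}
		if !p.BasicConstraintsValid || !p.IsCA {
			return fmt.Errorf("cert %d: issuer %q is not a CA", i, p.Subject.CommonName)
		}
		if p.MaxPathLen >= 0 && i > p.MaxPathLen { // i intermediates sit below this issuer
			return fmt.Errorf("cert %d: issuer %q exceeds pathLenConstraint %d", i, p.Subject.CommonName, p.MaxPathLen)
		}
	}
	return nil
}

// VerifyWithStdlib runs the same chain through crypto/x509, which enforces basicConstraints.
func VerifyWithStdlib(root *x509.Certificate, chain []*x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range chain[1:] {
		inter.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}

func main() {
	s := BuildScenario()
	fmt.Println("fake chain, signatures only:", ChainOK(s.FakeChain(), s.Root.Cert, false))
	fmt.Println("fake chain, with cA check:  ", ChainOK(s.FakeChain(), s.Root.Cert, true))
}
```

The signature-only walk accepts the fake chain because every signature in it is genuine; the customer's end-entity key really did sign the xmpp.example.test certificate. Only the cA flag distinguishes a certificate that may sign other certificates from one that may not, which is why the check must be applied to every issuer in the chain, not just the trust anchor. Note that crypto/x509 rejects the fake chain for the same reason, so this is also a quick way to test whether a TLS library you depend on enforces the constraint.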