openSUSE Security Update: update for pidgin
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2014:1376-1
Rating:             moderate
References:         #853038 #874606 #902408 #902409 #902410 #902495
Cross-References:   CVE-2014-3694 CVE-2014-3695 CVE-2014-3696 CVE-2014-3697
                    CVE-2014-3698
Affected Products:
                    openSUSE 13.1
                    openSUSE 12.3
______________________________________________________________________________

   An update that solves 5 vulnerabilities and has one errata is now
   available.

Description:

   The following issues were fixed in this update:

   + General:
     - Check the basic constraints extension when validating SSL/TLS
       certificates. This fixes a security hole that allowed a malicious
       man-in-the-middle to impersonate an IM server or any other https
       endpoint. This affected both the NSS and GnuTLS plugins
       (CVE-2014-3694, boo#902495).
     - Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL
       (im#15909).
   + libpurple3 compatibility:
     - Encrypted account passwords are preserved until the new one is set.
     - Fix loading Google Talk and Facebook XMPP accounts.
   + Groupwise: Fix potential remote crash parsing server message that
     indicates that a large amount of memory should be allocated
     (CVE-2014-3696, boo#902410).
   + IRC: Fix a possible leak of unencrypted data when using /me command
     with OTR (im#15750).
   + MXit: Fix potential remote crash parsing a malformed emoticon response
     (CVE-2014-3695, boo#902409).
   + XMPP:
     - Fix potential information leak where a malicious XMPP server and
       possibly even a malicious remote user could create a carefully
       crafted XMPP message that causes libpurple to send an XMPP message
       containing arbitrary memory (CVE-2014-3698, boo#902408).
   + Yahoo: Fix login when using the GnuTLS library for TLS connections
     (im#16172, boo#874606).

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 13.1:

      zypper in -t patch openSUSE-2014-635

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2014-635

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 13.1 (i586 x86_64):

      finch-2.10.10-4.22.1
      finch-debuginfo-2.10.10-4.22.1
      finch-devel-2.10.10-4.22.1
      libpurple-2.10.10-4.22.1
      libpurple-debuginfo-2.10.10-4.22.1
      libpurple-devel-2.10.10-4.22.1
      libpurple-meanwhile-2.10.10-4.22.1
      libpurple-meanwhile-debuginfo-2.10.10-4.22.1
      libpurple-tcl-2.10.10-4.22.1
      libpurple-tcl-debuginfo-2.10.10-4.22.1
      pidgin-2.10.10-4.22.1
      pidgin-debuginfo-2.10.10-4.22.1
      pidgin-debugsource-2.10.10-4.22.1
      pidgin-devel-2.10.10-4.22.1
      pidgin-otr-4.0.0-4.7.1
      pidgin-otr-debuginfo-4.0.0-4.7.1
      pidgin-otr-debugsource-4.0.0-4.7.1

   - openSUSE 13.1 (noarch):

      libpurple-branding-openSUSE-13.1-2.17.1
      libpurple-branding-upstream-2.10.10-4.22.1
      libpurple-lang-2.10.10-4.22.1

   - openSUSE 12.3 (i586 x86_64):

      finch-2.10.10-4.16.1
      finch-debuginfo-2.10.10-4.16.1
      finch-devel-2.10.10-4.16.1
      libpurple-2.10.10-4.16.1
      libpurple-debuginfo-2.10.10-4.16.1
      libpurple-devel-2.10.10-4.16.1
      libpurple-meanwhile-2.10.10-4.16.1
      libpurple-meanwhile-debuginfo-2.10.10-4.16.1
      libpurple-tcl-2.10.10-4.16.1
      libpurple-tcl-debuginfo-2.10.10-4.16.1
      pidgin-2.10.10-4.16.1
      pidgin-debuginfo-2.10.10-4.16.1
      pidgin-debugsource-2.10.10-4.16.1
      pidgin-devel-2.10.10-4.16.1
      pidgin-otr-4.0.0-2.11.1
      pidgin-otr-debuginfo-4.0.0-2.11.1
      pidgin-otr-debugsource-4.0.0-2.11.1

   - openSUSE 12.3 (noarch):

      libpurple-branding-openSUSE-12.2-4.21.1
      libpurple-branding-upstream-2.10.10-4.16.1
      libpurple-lang-2.10.10-4.16.1

References:

   http://support.novell.com/security/cve/CVE-2014-3694.html
   http://support.novell.com/security/cve/CVE-2014-3695.html
   http://support.novell.com/security/cve/CVE-2014-3696.html
   http://support.novell.com/security/cve/CVE-2014-3697.html
   http://support.novell.com/security/cve/CVE-2014-3698.html
   https://bugzilla.suse.com/show_bug.cgi?id=853038
   https://bugzilla.suse.com/show_bug.cgi?id=874606
   https://bugzilla.suse.com/show_bug.cgi?id=902408
   https://bugzilla.suse.com/show_bug.cgi?id=902409
   https://bugzilla.suse.com/show_bug.cgi?id=902410
   https://bugzilla.suse.com/show_bug.cgi?id=902495
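The first "General" item describes the fix for CVE-2014-3694: a TLS client that only follows the chain of signatures will accept a certificate signed by any certificate the CA issued, including an ordinary end-entity certificate, so anyone holding a valid leaf could mint a certificate for an IM server's name. The Go program below is an added example and is not code from this advisory, from Pidgin, or from the NSS or GnuTLS plugins. It builds a constructed root, a legitimate server leaf, a second leaf issued to an attacker with cA=FALSE, and a forged server certificate signed with that leaf's key, then contrasts a signature-only check with path validation that enforces the basic constraints extension. The host names, certificate names and serial numbers are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const serverName = "xmpp.example.test" // constructed host name, not a real service

// newTemplate returns a minimal X.509 template. Only CA certificates assert cA=TRUE
// in the basic constraints extension, the flag a verifier must check on every issuer.
func newTemplate(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // always emit the extension
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{cn}
	}
	return t
}

// issue generates a P-256 key for tmpl and signs the certificate with parentKey;
// a nil parent yields a self-signed certificate. Panics only on key/encoding failure.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Demo holds a trusted root, its legitimate server leaf, a second leaf the root
// issued to an attacker (cA=FALSE), and a forged server certificate signed by that leaf.
type Demo struct{ Root, Leaf, Rogue, Mitm *x509.Certificate }

func BuildDemo() *Demo {
	root, rootKey := issue(newTemplate("Demo Root CA", 1, true), nil, nil)
	leaf, _ := issue(newTemplate(serverName, 2, false), root, rootKey)
	rogue, rogueKey := issue(newTemplate("attacker.example.test", 3, false), root, rootKey)
	mitm, _ := issue(newTemplate(serverName, 4, false), rogue, rogueKey) // signed by a non-CA
	return &Demo{Root: root, Leaf: leaf, Rogue: rogue, Mitm: mitm}
}

// MayActAsCA is the check the advisory describes: accept a certificate as an
// issuer only if its basic constraints extension asserts cA=TRUE.
func MayActAsCA(c *x509.Certificate) bool { return c.BasicConstraintsValid && c.IsCA }

// SignatureOnlyValid models a verifier that follows signatures but never looks at
// basic constraints, the behaviour this update fixes.
func SignatureOnlyValid(issuer, cert *x509.Certificate) bool {
	return issuer.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// ChainValid runs Go's full path validation, which enforces RFC 5280 basic
// constraints on every issuer; inter may be nil.
func ChainValid(root, inter, leaf *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if inter != nil {
		inters.AddCert(inter)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

func main() {
	d := BuildDemo()
	fmt.Println("legitimate chain validates:   ", ChainValid(d.Root, nil, d.Leaf, serverName))
	fmt.Println("forged chain, signatures only:", SignatureOnlyValid(d.Rogue, d.Mitm))
	fmt.Println("forged chain, full validation:", ChainValid(d.Root, d.Rogue, d.Mitm, serverName))
	fmt.Println("attacker leaf may act as CA:  ", MayActAsCA(d.Rogue))
}
```

The forged certificate carries a perfectly good signature from a certificate the trusted root really issued, so SignatureOnlyValid reports true for it; only the basic constraints check (MayActAsCA on the issuer, or the full Verify call) distinguishes the attacker's leaf from a genuine intermediate. A client-side test like ChainValid against a constructed cA=FALSE issuer is a cheap regression check for any TLS stack or plugin you maintain.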