openSUSE Security Update: konversation: security and bugfix release to 1.5.1
______________________________________________________________________________
Announcement ID: openSUSE-SU-2014:1406-1
Rating: moderate
References: #902670
Cross-References: CVE-2014-8483
Affected Products: openSUSE 13.2
______________________________________________________________________________
An update that fixes one vulnerability is now available.
Description:
konversation was updated to version 1.5.1, fixing bugs and one security issue.
Changes:
* Konversation 1.5.1 is a maintenance release containing only bug fixes. The included changes address several minor behavioral defects and a low-risk DoS security defect in the Blowfish ECB support. The KDE Platform version dependency has increased to v4.9.0 to gain access to newer Qt socket transport security flags.
* Fixed a bug causing wildcards in command alias replacement patterns not to be expanded.
* Fixed a bug causing auto-joining of channels not starting in # or & to sometimes fail because the auto-join command was generated before we got the CHANTYPES pronouncement by the server.
* Added a size sanity check for incoming Blowfish ECB blocks. The blind assumption of incoming blocks being the expected 12 bytes could lead to a crash or up to 11 byte information leak due to an out-of-bounds read. CVE-2014-8483.
* Enabling SSL/TLS support for connections will now advertise the protocols Qt considers secure by default, instead of being hardcoded to TLSv1.
* Fixed the bundled 'sysinfo' script not coping with empty lines in /etc/os-release.
* Made disk space info in the bundled 'sysinfo' script more robust by forcing the C locale for 'df'.
* Added an audio player type hint for Cantata to the bundled 'media' script.
* Fixed some minor comparison logic errors turned up by static analysis.
* Konversation now depends on KDE Platform v4.9.0 or higher.
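The Blowfish ECB item above describes a reader that assumed every incoming group was a full 12 characters wide. The following added example (not Konversation's code; the 12-character block width and the function names are assumptions for illustration) shows the size sanity check such a reader needs and quantifies how far an unchecked reader would run past the buffer on a short final group:

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Assumed wire format: each 8-byte Blowfish ECB cipher block is carried as a
// group of 12 encoded characters. This constant is an assumption for the
// example, not a value taken from the Konversation sources.
constexpr std::size_t kEncodedBlockLen = 12;

struct BlockScan {
    std::vector<std::string> blocks; // complete 12-character groups found
    std::size_t shortTail;           // characters left after the last full group
};

// Walks the payload group by group and stops before a short final group.
// An unchecked reader would copy kEncodedBlockLen characters on every step
// and, on a short tail, read (kEncodedBlockLen - shortTail) bytes past the end.
BlockScan scanBlocks(const std::string& payload)
{
    BlockScan result{{}, 0};
    std::size_t pos = 0;
    while (payload.size() - pos >= kEncodedBlockLen) {
        result.blocks.push_back(payload.substr(pos, kEncodedBlockLen));
        pos += kEncodedBlockLen;
    }
    result.shortTail = payload.size() - pos;
    return result;
}

// Sanity check in the spirit of the fix: accept only a whole number of
// blocks instead of assuming the input has the expected size.
bool isWellFormed(const std::string& payload)
{
    return !payload.empty() && payload.size() % kEncodedBlockLen == 0;
}

// Bytes an unchecked reader would touch beyond the buffer for this payload:
// 0 for well-formed input, otherwise between 1 and kEncodedBlockLen - 1 (11).
std::size_t unsafeOverread(const std::string& payload)
{
    const std::size_t tail = payload.size() % kEncodedBlockLen;
    return tail == 0 ? 0 : kEncodedBlockLen - tail;
}
```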
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE 13.2:
zypper in -t patch openSUSE-2014-659
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE 13.2 (i586 x86_64):
konversation-1.5.1-3.4.1
konversation-debuginfo-1.5.1-3.4.1
konversation-debugsource-1.5.1-3.4.1
- openSUSE 13.2 (noarch):
konversation-lang-1.5.1-3.4.1
References:
http://support.novell.com/security/cve/CVE-2014-8483.html
https://bugzilla.suse.com/show_bug.cgi?id=902670