Mailinglist Archive: opensuse-updates (119 mails)

< Previous Next >
openSUSE-SU-2013:0511-1: important: pidgin: 2.10.7 update to fix security issues and bugs
openSUSE Security Update: pidgin: 2.10.7 update to fix security issues and

Announcement ID: openSUSE-SU-2013:0511-1
Rating: important
References: #804742 #806975
Cross-References: CVE-2013-0271 CVE-2013-0272 CVE-2013-0273
Affected Products:
openSUSE 12.3

An update that fixes four vulnerabilities is now available.


Pidgin was updated to 2.10.7 to fix various security issues
and the bug that IRC did not work at all in 12.3.

- Add pidgin-irc-sasl.patch: link irc module to SASL.
Allows the IRC module to be loaded (bnc#806975).

- Update to version 2.10.7 (bnc#804742):
+ Alien hatchery:
- No changes
+ General:
- The configure script will now exit with status 1 when
specifying invalid protocol plugins using the
--with-static-prpls and --with-dynamic-prpls
arguments. (
+ libpurple:
- Fix a crash when receiving UPnP responses with
abnormally long values. (CVE-2013-0274)
- Don't link directly to libgcrypt when building with
GnuTLS support. (
- Fix UPnP mappings on routers that return empty
<URLBase/> elements in their response. (
- Tcl plugin uses saner, race-free plugin loading.
- Fix the Tcl signals-test plugin for
savedstatus-changed. (
+ Pidgin:
- Make Pidgin more friendly to non-X11 GTK+, such as
MacPorts' +no_x11 variant.
+ Gadu-Gadu:
- Fix a crash at startup with large contact list.
Avatar support for buddies will be disabled until 3.0.0.
+ IRC:
- Support for SASL authentication. (
- Print topic setter information at channel join.
+ MSN:
- Fix SSL certificate issue when signing into MSN for
some users.
- Fix a crash when removing a user before its icon is
loaded. (
+ MXit:
- Fix a bug where a remote MXit user could possibly
specify a local file path to be written to. (CVE-2013-0271)
- Fix a bug where the MXit server or a
man-in-the-middle could potentially send specially crafted
data that could overflow a buffer and lead to a crash or
remote code execution. (CVE-2013-0272)
- Display farewell messages in a different colour to
distinguish them from normal messages.
- Add support for typing notification.
- Add support for the Relationship Status profile
- Remove all reference to Hidden Number.
- Ignore new invites to join a GroupChat if you're
already joined, or still have a pending invite.
- The buddy's name was not centered vertically in the
buddy-list if they did not have a status-message or mood
- Fix decoding of font-size changes in the markup of
received messages.
- Increase the maximum file size that can be
transferred to 1 MB.
- When setting an avatar image, no longer downscale it
to 96x96.
+ Sametime:
- Fix a crash in Sametime when a malicious server sends
us an abnormally long user ID. (CVE-2013-0273)
+ Yahoo!:
- Fix a double-free in profile/picture loading code.
- Fix retrieving server-side buddy aliases.
+ Plugins:
- The Voice/Video Settings plugin supports using the
sndio GStreamer backends. (
- Fix a crash in the Contact Availability Detection
plugin. (
- Make the Message Notification plugin more friendly to
non-X11 GTK+, such as MacPorts' +no_x11 variant.
+ Windows-Specific Changes:
- Compile with secure flags (
- Installer downloads GTK+ Runtime and Debug Symbols
more securely. (
- Updates to a number of dependencies, some of which
have security related fixes. (,, . ATK 1.32.0-2 . Cyrus
SASL 2.1.25 . expat 2.1.0-1 . freetype 2.4.10-1 . gettext . Glib 2.28.8-1 . libpng 1.4.12-1 . libxml2
2.9.0-1 . NSS 3.13.6 and NSPR 4.9.2 . Pango 1.29.4-1 . SILC
1.1.10 . zlib 1.2.5-2
- Patch libmeanwhile (sametime library) to fix crash.

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.3:

zypper in -t patch openSUSE-2013-231

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 12.3 (i586 x86_64):


- openSUSE 12.3 (noarch):



< Previous Next >
This Thread
  • No further messages