openSUSE Security Update: pidgin: 2.10.7 update to fix security issues and bugs
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:0511-1
Rating:             important
References:         #804742 #806975 
Cross-References:   CVE-2013-0271 CVE-2013-0272 CVE-2013-0273
                    CVE-2013-0274
Affected Products:
                    openSUSE 12.3
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:


   Pidgin was updated to 2.10.7 to fix various security issues
   and the bug that IRC did not work at all in 12.3.

   Changes:
   - Add pidgin-irc-sasl.patch: link irc module to SASL.
   Allows the IRC module to be loaded (bnc#806975).

   - Update to version 2.10.7 (bnc#804742):
   + Alien hatchery:
   - No changes
   + General:
   - The configure script will now exit with status 1 when
   specifying invalid protocol plugins using the
   --with-static-prpls and --with-dynamic-prpls
   arguments. (pidgin.im#15316)
   + libpurple:
   - Fix a crash when receiving UPnP responses with
   abnormally long values. (CVE-2013-0274)
   - Don't link directly to libgcrypt when building with
   GnuTLS support. (pidgin.im#15329)
   - Fix UPnP mappings on routers that return empty
    elements in their response. (pidgin.im#15373)
   - Tcl plugin uses saner, race-free plugin loading.
   - Fix the Tcl signals-test plugin for
   savedstatus-changed. (pidgin.im#15443)
   + Pidgin:
   - Make Pidgin more friendly to non-X11 GTK+, such as
   MacPorts' +no_x11 variant.
   + Gadu-Gadu:
   - Fix a crash at startup with large contact list.
   Avatar support for buddies will be disabled until 3.0.0.
   (pidgin.im#15226, pidgin.im#14305)
   + IRC:
   - Support for SASL authentication. (pidgin.im#13270)
   - Print topic setter information at channel join.
   (pidgin.im#13317)
   + MSN:
   - Fix SSL certificate issue when signing into MSN for
   some users.
   - Fix a crash when removing a user before its icon is
   loaded. (pidgin.im#15217)
   + MXit:
   - Fix a bug where a remote MXit user could possibly
   specify a local file path to be written to. (CVE-2013-0271)
   - Fix a bug where the MXit server or a
   man-in-the-middle could potentially send specially crafted
   data that could overflow a buffer and lead to a crash or
   remote code execution. (CVE-2013-0272)
   - Display farewell messages in a different colour to
   distinguish them from normal messages.
   - Add support for typing notification.
   - Add support for the Relationship Status profile
   attribute.
   - Remove all reference to Hidden Number.
   - Ignore new invites to join a GroupChat if you're
   already joined, or still have a pending invite.
   - The buddy's name was not centered vertically in the
   buddy-list if they did not have a status-message or mood
   set.
   - Fix decoding of font-size changes in the markup of
   received messages.
   - Increase the maximum file size that can be
   transferred to 1 MB.
   - When setting an avatar image, no longer downscale it
   to 96x96.
   + Sametime:
   - Fix a crash in Sametime when a malicious server sends
   us an abnormally long user ID. (CVE-2013-0273)
   + Yahoo!:
   - Fix a double-free in profile/picture loading code.
   (pidgin.im#15053)
   - Fix retrieving server-side buddy aliases.
   (pidgin.im#15381)
   + Plugins:
   - The Voice/Video Settings plugin supports using the
   sndio GStreamer backends. (pidgin.im#14414)
   - Fix a crash in the Contact Availability Detection
   plugin. (pidgin.im#15327)
   - Make the Message Notification plugin more friendly to
   non-X11 GTK+, such as MacPorts' +no_x11 variant.
   + Windows-Specific Changes:
   - Compile with secure flags (pidgin.im#15290)
   - Installer downloads GTK+ Runtime and Debug Symbols
   more securely. (pidgin.im#15277)
   - Updates to a number of dependencies, some of which
   have security related fixes. (pidgin.im#14571,
   pidgin.im#15285, pidgin.im#15286) . ATK 1.32.0-2 . Cyrus
   SASL 2.1.25 . expat 2.1.0-1 . freetype 2.4.10-1 . gettext
   0.18.1.1-2 . Glib 2.28.8-1 . libpng 1.4.12-1 . libxml2
   2.9.0-1 . NSS 3.13.6 and NSPR 4.9.2 . Pango 1.29.4-1 . SILC
   1.1.10 . zlib 1.2.5-2
   - Patch libmeanwhile (sametime library) to fix crash.
   (pidgin.im#12637)


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2013-231

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 12.3 (i586 x86_64):

      finch-2.10.7-4.4.1
      finch-debuginfo-2.10.7-4.4.1
      finch-devel-2.10.7-4.4.1
      libpurple-2.10.7-4.4.1
      libpurple-debuginfo-2.10.7-4.4.1
      libpurple-devel-2.10.7-4.4.1
      libpurple-meanwhile-2.10.7-4.4.1
      libpurple-meanwhile-debuginfo-2.10.7-4.4.1
      libpurple-tcl-2.10.7-4.4.1
      libpurple-tcl-debuginfo-2.10.7-4.4.1
      pidgin-2.10.7-4.4.1
      pidgin-debuginfo-2.10.7-4.4.1
      pidgin-debugsource-2.10.7-4.4.1
      pidgin-devel-2.10.7-4.4.1

   - openSUSE 12.3 (noarch):

      libpurple-branding-upstream-2.10.7-4.4.1
      libpurple-lang-2.10.7-4.4.1


References:

   https://www.suse.com/security/cve/CVE-2013-0271.html
   https://www.suse.com/security/cve/CVE-2013-0272.html
   https://www.suse.com/security/cve/CVE-2013-0273.html
   https://www.suse.com/security/cve/CVE-2013-0274.html
   https://bugzilla.novell.com/804742
   https://bugzilla.novell.com/806975

openSUSE: 2013:0511-1: important: pidgin

March 21, 2013
An update that fixes four vulnerabilities is now available

Description

Pidgin was updated to 2.10.7 to fix various security issues and the bug that IRC did not work at all in 12.3. Changes: - Add pidgin-irc-sasl.patch: link irc module to SASL. Allows the IRC module to be loaded (bnc#806975). - Update to version 2.10.7 (bnc#804742): + Alien hatchery: - No changes + General: - The configure script will now exit with status 1 when specifying invalid protocol plugins using the --with-static-prpls and --with-dynamic-prpls arguments. (pidgin.im#15316) + libpurple: - Fix a crash when receiving UPnP responses with abnormally long values. (CVE-2013-0274) - Don't link directly to libgcrypt when building with GnuTLS support. (pidgin.im#15329) - Fix UPnP mappings on routers that return empty elements in their response. (pidgin.im#15373) - Tcl plugin uses saner, race-free plugin loading. - Fix the Tcl signals-test plugin for savedstatus-changed. (pidgin.im#15443) + Pidgin: - Make Pidgin more friendly to non-X11 GTK+, such as MacPorts' +no_x11 variant. + Gadu-Gadu: - Fix a crash at startup with large contact list. Avatar support for buddies will be disabled until 3.0.0. (pidgin.im#15226, pidgin.im#14305) + IRC: - Support for SASL authentication. (pidgin.im#13270) - Print topic setter information at channel join. (pidgin.im#13317) + MSN: - Fix SSL certificate issue when signing into MSN for some users. - Fix a crash when removing a user before its icon is loaded. (pidgin.im#15217) + MXit: - Fix a bug where a remote MXit user could possibly specify a local file path to be written to. (CVE-2013-0271) - Fix a bug where the MXit server or a man-in-the-middle could potentially send specially crafted data that could overflow a buffer and lead to a crash or remote code execution. (CVE-2013-0272) - Display farewell messages in a different colour to distinguish them from normal messages. - Add support for typing notification. - Add support for the Relationship Status profile attribute. - Remove all reference to Hidden Number. - Ignore new invites to join a GroupChat if you're already joined, or still have a pending invite. - The buddy's name was not centered vertically in the buddy-list if they did not have a status-message or mood set. - Fix decoding of font-size changes in the markup of received messages. - Increase the maximum file size that can be transferred to 1 MB. - When setting an avatar image, no longer downscale it to 96x96. + Sametime: - Fix a crash in Sametime when a malicious server sends us an abnormally long user ID. (CVE-2013-0273) + Yahoo!: - Fix a double-free in profile/picture loading code. (pidgin.im#15053) - Fix retrieving server-side buddy aliases. (pidgin.im#15381) + Plugins: - The Voice/Video Settings plugin supports using the sndio GStreamer backends. (pidgin.im#14414) - Fix a crash in the Contact Availability Detection plugin. (pidgin.im#15327) - Make the Message Notification plugin more friendly to non-X11 GTK+, such as MacPorts' +no_x11 variant. + Windows-Specific Changes: - Compile with secure flags (pidgin.im#15290) - Installer downloads GTK+ Runtime and Debug Symbols more securely. (pidgin.im#15277) - Updates to a number of dependencies, some of which have security related fixes. (pidgin.im#14571, pidgin.im#15285, pidgin.im#15286) . ATK 1.32.0-2 . Cyrus SASL 2.1.25 . expat 2.1.0-1 . freetype 2.4.10-1 . gettext 0.18.1.1-2 . Glib 2.28.8-1 . libpng 1.4.12-1 . libxml2 2.9.0-1 . NSS 3.13.6 and NSPR 4.9.2 . Pango 1.29.4-1 . SILC 1.1.10 . zlib 1.2.5-2 - Patch libmeanwhile (sametime library) to fix crash. (pidgin.im#12637)

 

Patch

Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2013-231 To bring your system up-to-date, use "zypper patch".


Package List

- openSUSE 12.3 (i586 x86_64): finch-2.10.7-4.4.1 finch-debuginfo-2.10.7-4.4.1 finch-devel-2.10.7-4.4.1 libpurple-2.10.7-4.4.1 libpurple-debuginfo-2.10.7-4.4.1 libpurple-devel-2.10.7-4.4.1 libpurple-meanwhile-2.10.7-4.4.1 libpurple-meanwhile-debuginfo-2.10.7-4.4.1 libpurple-tcl-2.10.7-4.4.1 libpurple-tcl-debuginfo-2.10.7-4.4.1 pidgin-2.10.7-4.4.1 pidgin-debuginfo-2.10.7-4.4.1 pidgin-debugsource-2.10.7-4.4.1 pidgin-devel-2.10.7-4.4.1 - openSUSE 12.3 (noarch): libpurple-branding-upstream-2.10.7-4.4.1 libpurple-lang-2.10.7-4.4.1


References

https://www.suse.com/security/cve/CVE-2013-0271.html https://www.suse.com/security/cve/CVE-2013-0272.html https://www.suse.com/security/cve/CVE-2013-0273.html https://www.suse.com/security/cve/CVE-2013-0274.html https://bugzilla.novell.com/804742 https://bugzilla.novell.com/806975


Severity
Announcement ID: openSUSE-SU-2013:0511-1
Rating: important
Affected Products: openSUSE 12.3 .

Related News

Fighting Back Against Hadooken Malware by Strengthening WebLogic Security
2 - 4 min read
Cybercriminals have been relentlessly attacking the digital landscape, aiming to exploit vulnerabilities in well-known systems. One such exploit is
CISA Sounds Alarm on Newly Exploited Vulnerabilities: Is Your System at Risk?
3 - 5 min read
CISA regularly publishes updates regarding vulnerabilities that present severe threats to global cybersecurity. Recently, CISA added three
Defending Against Remote Code Execution in Google Chrome: A Critical Update
2 - 3 min read
Google Chrome, a widely used web browser, serves millions of internet users by connecting them to the online world. Unfortunately, severe
Navigating the Linux Kernel
2 - 4 min read
The Linux operating system, widely acclaimed for its robustness and security , recently received widespread media attention due to a significant
Staying a Step Ahead of Adversaries: Mitigating Chromium
2 - 4 min read
Google Chrome, one of the world's most widely used web browsers, has recently been scrutinized due to the discovery of multiple Chromium
Unmasking Cicada3301: Examining the Threat of the New Rust-Based Ransomware
2 - 4 min read
Ransomware has long been a severe threat to organizations and admins alike. Recently, cybersecurity researchers discovered a new variant called
Buffer Overflow Exploits in Linux: Origins, Impact, and Countermeasures
3 - 6 min read
Buffer overflow vulnerabilities have long been one of the biggest headaches in computer security, especially on Linux operating systems that power
8 Expert-Recommended Security Practices to Fortify Your Linux Systems
4 - 8 min read
As a Linux admin or an infosec professional, you understand how the security landscape changes due to evolving threats, newly discovered

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved