openSUSE Security Update: Security update for weechat
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2022:0083-1
Rating:             moderate
References:         #1190206 
Cross-References:   CVE-2021-40516
Affected Products:
                    openSUSE Backports SLE-15-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   This update for weechat fixes the following issues:

   update to 3.2.1:

   * CVE-2021-40516: relay: fix crash when decoding a malformed websocket
     frame (boo#1190206)

   update to 3.2

   main changes:

     * use XDG directories by default (config, data, cache, runtime)
     * add support of IRC SASL mechanisms SCRAM-SHA-1, SCRAM-SHA-256 and
       SCRAM-SHA-512
     * automatically load system certificates without giving a hardcoded path
       to the file with certificates
     * add options to customize commands executed on system signals received
       (SIGHUP, SIGQUIT, SIGTERM, SIGUSR1, SIGUSR2)
     * add bar item "tls_version" and buflist format
     * add signals "cursor_start" and "cursor_end"
     * add function crypto_hmac in API
     * add translated string in evaluation of expressions with "translate:xxx"
     * add info "weechat_daemon"
     * add Python stub for WeeChat API
     * add variables "${tg_shell_argc}" and "${tg_shell_argvN}" in command
       trigger evaluated strings
     * many bugs fixed.

   for all changes, please visit:
   https://weechat.org/files/changelog/ChangeLog-3.2.html

   update to 3.1

   New features

     * core: add options weechat.look.hotlist_update_on_buffer_switch and
       weechat.look.read_marker_update_on_buffer_switch (issue #992, issue
       #993)
     * core: add option sec.crypt.passphrase_command to read passphrase from
       an external program on startup, remove option
       sec.crypt.passphrase_file (issue #141)
     * core: improve debug in command /eval: display more verbose debug with
       two "-d", add indentation and colors
     * core: add options "setvar" and "delvar" in command /buffer, rename
       option "localvar" to "listvar"
     * core: add buffer local variable "completion_default_template"
       (evaluated) to override the value of option
       "weechat.completion.default_template" (issue #1600)
     * core: add option "recreate" in command /filter
     * core: add raw string in evaluation of expressions with "raw:xxx"
       (issue #1611)
     * core: add evaluation of conditions in evaluation of expressions with
       "eval_cond:xxx" (issue #1582)
     * api: add info_hashtable "secured_data"
     * irc: add info "irc_is_message_ignored"
     * irc: add server option "default_chantypes", used when the server does
       not send them in message 005 (issue #1610)
     * trigger: add variable "${tg_trigger_name}" in command trigger
       evaluated strings (issue #1580)

   - Bug fixes

     * core: fix quoted line in cursor mode (issue #1602)
     * core: fix wrong size of the new window after vertical split (issue
       #1612)
     * core: do not remove quotes in arguments of command /eval as they can
       be part of the evaluated expression/condition (issue #1601)
     * core: display an error when the buffer is not found with command
       /command -buffer
     * buflist: add option buflist.look.use_items to speed up display of
       buflist (issue #1613)
     * irc: add bar item "irc_nick_prefix"
     * irc: fix separator between nick and host in bar item "irc_nick_host"
     * irc: fix completion of commands /halfop and /dehalfop

   - Documentation

     * do not build weechat-headless man page if headless binary is disabled
       (issue #1607)

   update to 3.0.1:

     * exec: fix search of command by identifier
     * spell: fix refresh of bar item "spell_suggest" when the input becomes
       empty (issue #1586)
     * spell: fix crash with IRC color codes in command line (issue #1589)

   update to 3.0

   New features

     * api: add optional list of colors in infos "nick_color" and
       "nick_color_name" (issue #1565)
     * api: add argument "bytes" in function string_dyn_concat
     * api: add function string_color_code_size (issue #1547)
     * exec: add option "-oerr" to send stderr to buffer (now disabled by
       default) (issue #1566)
     * fset: add option fset.look.auto_refresh (issue #1553)
     * irc: add pointer to irc_nick in focus of bar item "buffer_nicklist"
       (issue #1535, issue #1538)
     * irc: allow to send text on buffers with commands /allchan, /allpv and
       /allserv
     * irc: evaluate command executed by commands /allchan, /allpv and
       /allserv (issue #1536)
     * script: add option script.scripts.download_enabled (issue #1548)
     * trigger: add variable "tg_argc" in data set by command trigger (issue
       #1576)
     * trigger: add variable "tg_trigger_name" in data set by all triggers
       (issue #1567, issue #1568)

   Bug fixes

     * core: set "notify_level" to 3 if there is a highlight in the line
       (issue #1529)
     * core: do not add line with highlight and tag "notify_none" to hotlist
       (issue #1529)
     * irc: remove SASL timeout message displayed by error after successful
       SASL authentication (issue #1515)
     * irc: send all channels in a single JOIN command when reconnecting to
       the server (issue #1551)
     * script: do not automatically download list of scripts on startup if
       the file is too old (issue #1548)
     * spell: properly skip WeeChat and IRC color codes when checking words
       in input (issue #1547)
     * trigger: fix recursive calls to triggers using regex (issue #1546)
     * trigger: add ${tg_tags} !!- ,notify_none, in conditions of default
       trigger "beep" (issue #1529)

   - Tests

     * core: add tests on GUI line functions

   - Build

     * core: disable debug by default in autotools build
     * tests: fix compilation with CppUTest ≥ 4.0

   - new .desktop file from weechat sources
   - update to 2.9
   - New features
     * core: add bar option "color_bg_inactive": color for window bars in
       inactive window (issue #732)
     * core: add Alacritty title escape sequence support (issue #1517)
     * core: display notify level for current buffer with command /buffer
       notify (issue #1505)
     * core: count only visible nicks in bar item "buffer_nicklist_count",
       add bar items "buffer_nicklist_count_groups" and
       "buffer_nicklist_count_all" (issue #1506)
     * core: set default size for input bar to 0 (automatic) (issue #1498)
     * core: add default key Alt+Enter to insert a newline (issue #1498)
     * core: add flag "input_multiline" in buffer (issue #984, issue #1063)
     * core: add a scalable WeeChat logo (SVG) (issue #1454, issue #1456)
     * core: add base 16/32/64 encoding/decoding in evaluation of expressions
       with "base_encode:base,xxx" and "base_decode:base,xxx"
     * core: add case sensitive wildcard matching comparison operator (==*
       and !!*) and case sensitive/insensitive include comparison operators
       (==-, !!-, =-, !-) in evaluation of expressions
     * core: add default key Alt+Shift+N to toggle nicklist bar
     * core: add command line option "--stdout" in weechat-headless binary to
       log to stdout rather than ~/.weechat/weechat.log (issue #1475, issue
       #1477)
     * core: reload configuration files on SIGHUP (issue #1476)
     * api: add pointer "_bar_window" in hashtable sent to hook focus
       callback (issue #1450)
     * api: add info_hashtable "focus_info" (issue #1245, issue #1257)
     * api: rename function hook_completion_get_string to
       completion_get_string and hook_completion_list_add to
       completion_list_add
     * api: add functions completion_new, completion_search and
       completion_free
     * api: add hdata "completion_word"
     * buflist: add default key Alt+Shift+B to toggle buflist
     * buflist: add options enable/disable/toggle in command /buflist
     * buflist: evaluate option buflist.look.sort so that sort can be
       customized for each of the three buflist bar items (issue #1465)
     * irc: add support of UTF8MAPPING (issue #1528)
     * irc: display account messages in buffers (issue #1250)
     * python: add WeeChat sharedir python directory to PYTHONPATH (issue
       #1537)
     * relay: increase default limits for IRC backlog options
     * relay: add command "handshake" in weechat relay protocol and nonce to
       prevent replay attacks, add options relay.network.password_hash_algo,
       relay.network.password_hash_iterations, relay.network.nonce_size
       (issue #1474)
     * relay: add command "completion" in weechat relay protocol to perform a
       completion on a string at a given position (issue #1484)
     * relay: add option relay.network.auth_timeout
     * relay: update default colors for client status
     * relay: add status "waiting_auth" in irc and weechat protocols (issue
       #1358)
     * trigger: evaluate arguments of command when the trigger is created
       (issue #1472)
   - Bug fixes
     * core: fix command /window scroll_beyond_end when buffer has fewer
       lines than chat height (issue #1509)
     * core: force buffer property "time_for_each_line" to 0 for buffers with
       free content (issue #1485)
     * core: don't collapse consecutive newlines in lines displayed before
       the first buffer is created
     * core: don't remove consecutive newlines when pasting text (issue
       #1500)
     * core: don't collapse consecutive newlines in bar content (issue
       #1500)
     * core: fix WEECHAT_SHAREDIR with CMake build (issue #1461)
     * core: fix memory leak in calculation of expression on FreeBSD (issue
       #1469)
     * core: fix resize of a bar when its size is 0 (automatic) (issue #1470)
     * api: fix use of pointer after free in function key_unbind
     * api: replace plugin and buffer name by buffer pointer in argument
       "modifier_data" sent to weechat_print modifier callback (issue #42)
     * buflist: add "window" pointer in bar item evaluation only if it's
       not NULL (if bar type is "window")
     * exec: fix use of same task id for different tasks (issue #1491)
     * fifo: fix errors when writing in the FIFO pipe (issue #713)
     * guile: enable again /guile eval (issue #1514)
     * irc: use new default chantypes "#&" when the server does not send it
     * irc: add support of optional server in info "irc_is_nick", fix check
       of nick using UTF8MAPPING isupport value (issue #1528)
     * irc: fix add of ignore with flags in regex, display full ignore mask
       in list of ignores (issue #1518)
     * irc: do not remove spaces at the end of users messages received (issue
       #1513)
     * irc: fix realname delimiter color in WHO/WHOX response (issue #1497)
     * irc: reuse a buffer with wrong type "channel" when a private message
       is received (issue #869)
     * python: fix crash when invalid UTF-8 string is in a WeeChat hashtable
       converted to a Python dict (issue #1463)
     * relay: add missing field "notify_level" in message
       "_buffer_line_added" (issue #1529)
     * relay: fix slow send of data to clients when SSL is enabled
     * trigger: only return trigger's return code when condition evaluates
       to true (issue #592)
     * trigger: fix truncated trigger command with commands /trigger
       input|output|recreate
     * trigger: do not hide values of options with /set command in cmd_pass
       trigger
   - Documentation
     * add includes directory
     * merge 53 auto-generated files into 11 files
     * fix broken literal blocks in Japanese docs with Firefox (issue #1466)
   - Tests
     * core: add CI with GitHub Actions, move codecov.io upload to GitHub
       Actions
     * core: switch to Ubuntu Bionic on Travis CI, use pylint3 to lint Python
       scripts
     * core: run tests on plugins only if the plugins are enabled and compiled
     * irc: add tests on IRC color and channel functions
   - Build
     * javascript: disable build by default and remove Debian packaging
       of JavaScript plugin (issue #360)
     * core: make GnuTLS a required dependency
     * core: fix build with CMake 3.17.0
     * core: fix build with cygport on Cygwin


Patch Instructions:

   To install this openSUSE Security Update use the SUSE recommended installation methods
   like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-83=1



Package List:

   - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

      weechat-3.2.1-bp153.2.3.1
      weechat-devel-3.2.1-bp153.2.3.1
      weechat-lua-3.2.1-bp153.2.3.1
      weechat-perl-3.2.1-bp153.2.3.1
      weechat-python-3.2.1-bp153.2.3.1
      weechat-ruby-3.2.1-bp153.2.3.1
      weechat-spell-3.2.1-bp153.2.3.1
      weechat-tcl-3.2.1-bp153.2.3.1

   - openSUSE Backports SLE-15-SP3 (noarch):

      weechat-lang-3.2.1-bp153.2.3.1
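
   As an added example, not part of the openSUSE advisory or of the weechat
   project: a POSIX shell check that reads "rpm -q" output for the packages
   listed above and reports any that are installed but still older than the
   fixed build 3.2.1-bp153.2.3.1. The rpm -q lines are constructed sample
   data, the version comparison is a simplified form of RPM's
   version-then-release ordering, and the function names (vercmp, evrcmp,
   find_vulnerable) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the openSUSE advisory: check whether the weechat
# packages from this advisory are installed at or above the fixed build.
# Assumes an RPM-based openSUSE host; SAMPLE_RPM_Q below is constructed
# sample `rpm -q` output so the check runs offline.

FIXED_VR="3.2.1-bp153.2.3.1"   # VERSION-RELEASE from the advisory package list
ADVISORY_PKGS="weechat weechat-devel weechat-lua weechat-perl weechat-python weechat-ruby weechat-spell weechat-tcl weechat-lang"

# Print -1, 0 or 1 when dotted version $1 is older than, equal to or newer
# than $2. expr compares two integer segments numerically and anything else
# lexically; a missing segment sorts before any present one.
vercmp() {
    i=1
    while :; do
        x=$(printf '%s\n' "$1" | tr '.' '\n' | sed -n "${i}p")
        y=$(printf '%s\n' "$2" | tr '.' '\n' | sed -n "${i}p")
        if [ -z "$x" ] && [ -z "$y" ]; then
            printf '%s\n' 0
            return 0
        fi
        if [ "$x" != "$y" ]; then
            if [ -z "$x" ] || { [ -n "$y" ] && [ "$(expr "$x" \< "$y")" = 1 ]; }; then
                printf '%s\n' -1
            else
                printf '%s\n' 1
            fi
            return 0
        fi
        i=$((i + 1))
    done
}

# Compare VERSION-RELEASE strings the way RPM orders them: version first,
# release only when the versions are equal. Prints -1, 0 or 1.
evrcmp() {
    r=$(vercmp "${1%-*}" "${2%-*}")
    if [ "$r" != 0 ]; then
        printf '%s\n' "$r"
    else
        vercmp "${1##*-}" "${2##*-}"
    fi
}

# Given `rpm -q` output (one NAME-VERSION-RELEASE per line, or
# "package NAME is not installed"), print each advisory package that is
# installed but older than the fixed build. Returns 1 if any was found.
find_vulnerable() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            ""|"package "*" is not installed") continue ;;
        esac
        release=${line##*-}       # everything after the last '-'
        rest=${line%-*}
        version=${rest##*-}       # field before the release
        name=${rest%-*}           # package name may itself contain '-'
        case " $ADVISORY_PKGS " in
            *" $name "*) ;;       # package covered by this advisory
            *) continue ;;
        esac
        if [ "$(evrcmp "$version-$release" "$FIXED_VR")" = -1 ]; then
            printf '%s-%s-%s is older than %s\n' "$name" "$version" "$release" "$FIXED_VR"
            found=1
        fi
    done <<EOF
$1
EOF
    return $found
}

# Constructed sample of `rpm -q $ADVISORY_PKGS` output on a partly patched host
# (the 3.2-bp153.1.1 build is a placeholder older than the fixed one).
SAMPLE_RPM_Q='weechat-3.2-bp153.1.1
weechat-python-3.2.1-bp153.2.3.1
package weechat-lua is not installed
weechat-lang-3.2.1-bp153.2.3.1'

# On a live host replace SAMPLE_RPM_Q with the output of: rpm -q $ADVISORY_PKGS
find_vulnerable "$SAMPLE_RPM_Q" || echo "at least one weechat package still needs openSUSE-2022-83"
```

   The comparison is deliberately simple (it does not reproduce every
   rpmvercmp rule, such as the ordering of alphabetic against numeric
   segments), so treat it as a triage aid across a fleet; on the host itself
   the package manager remains authoritative, and "zypper lp" lists patches
   that are still outstanding before "zypper patch" is run.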


References:

   https://www.suse.com/security/cve/CVE-2021-40516.html
   https://bugzilla.suse.com/1190206

openSUSE: 2022:0083-1 moderate: weechat

March 18, 2022