Security update for pidgin SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:0925-1 Final 1 1 2017-04-04T12:36:38Z current 2017-04-04T12:36:38Z 2017-04-04T12:36:38Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for pidgin This update for pidgin fixes the following issues: Feature update: - Update to GNOME 3.20.2 (fate#318572). Security issues fixed: - CVE-2017-2640: Fix an out of bounds memory read in purple_markup_unescape_entity. (boo#1028835) - CVE-2014-3698: remote information leak via crafted XMPP message (boo#902408). - CVE-2014-3696: denial of service parsing Groupwise server message (boo#902410). - CVE-2014-3695: crash in MXit protocol plug-in (boo#902409). Bugfixes - Correctly remove *.so files for plugins (fixes devel-file-in-non-devel-package). - Remove generation of a plugin list to package, simply add it all in %files with exclusions. - Build with GStreamer 1.x on SLE 12 SP2. - Fix SASL EXTERNAL fingerprint authentication (boo#1009974). - Use ALSA as default for avoiding broken volume control of pa sink (boo#886670). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-04/msg00013.html E-Mail link for openSUSE-SU-2017:0925-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 finch-2.10.11-9.1 finch-devel-2.10.11-9.1 libpurple-2.10.11-9.1 libpurple-branding-upstream-2.10.11-9.1 libpurple-devel-2.10.11-9.1 libpurple-lang-2.10.11-9.1 libpurple-meanwhile-2.10.11-9.1 libpurple-tcl-2.10.11-9.1 pidgin-2.10.11-9.1 pidgin-devel-2.10.11-9.1 finch-2.10.11-9.1 as a component of openSUSE Leap 42.1 finch-devel-2.10.11-9.1 as a component of openSUSE Leap 42.1 libpurple-2.10.11-9.1 as a component of openSUSE Leap 42.1 libpurple-branding-upstream-2.10.11-9.1 as a component of openSUSE Leap 42.1 libpurple-devel-2.10.11-9.1 as a component of openSUSE Leap 42.1 libpurple-lang-2.10.11-9.1 as a component of openSUSE Leap 42.1 libpurple-meanwhile-2.10.11-9.1 as a component of openSUSE Leap 42.1 libpurple-tcl-2.10.11-9.1 as a component of openSUSE Leap 42.1 pidgin-2.10.11-9.1 as a component of openSUSE Leap 42.1 pidgin-devel-2.10.11-9.1 as a component of openSUSE Leap 42.1 markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response. CVE-2014-3695 openSUSE Leap 42.1:finch-2.10.11-9.1 openSUSE Leap 42.1:finch-devel-2.10.11-9.1 openSUSE Leap 42.1:libpurple-2.10.11-9.1 openSUSE Leap 42.1:libpurple-branding-upstream-2.10.11-9.1 openSUSE Leap 42.1:libpurple-devel-2.10.11-9.1 openSUSE Leap 42.1:libpurple-lang-2.10.11-9.1 openSUSE Leap 42.1:libpurple-meanwhile-2.10.11-9.1 openSUSE Leap 42.1:libpurple-tcl-2.10.11-9.1 openSUSE Leap 42.1:pidgin-2.10.11-9.1 openSUSE Leap 42.1:pidgin-devel-2.10.11-9.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-04/msg00013.html https://www.suse.com/security/cve/CVE-2014-3695.html CVE-2014-3695 https://bugzilla.suse.com/902409 SUSE Bug 902409 nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation. CVE-2014-3696 openSUSE Leap 42.1:finch-2.10.11-9.1 openSUSE Leap 42.1:finch-devel-2.10.11-9.1 openSUSE Leap 42.1:libpurple-2.10.11-9.1 openSUSE Leap 42.1:libpurple-branding-upstream-2.10.11-9.1 openSUSE Leap 42.1:libpurple-devel-2.10.11-9.1 openSUSE Leap 42.1:libpurple-lang-2.10.11-9.1 openSUSE Leap 42.1:libpurple-meanwhile-2.10.11-9.1 openSUSE Leap 42.1:libpurple-tcl-2.10.11-9.1 openSUSE Leap 42.1:pidgin-2.10.11-9.1 openSUSE Leap 42.1:pidgin-devel-2.10.11-9.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-04/msg00013.html https://www.suse.com/security/cve/CVE-2014-3696.html CVE-2014-3696 https://bugzilla.suse.com/902410 SUSE Bug 902410 The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message. CVE-2014-3698 openSUSE Leap 42.1:finch-2.10.11-9.1 openSUSE Leap 42.1:finch-devel-2.10.11-9.1 openSUSE Leap 42.1:libpurple-2.10.11-9.1 openSUSE Leap 42.1:libpurple-branding-upstream-2.10.11-9.1 openSUSE Leap 42.1:libpurple-devel-2.10.11-9.1 openSUSE Leap 42.1:libpurple-lang-2.10.11-9.1 openSUSE Leap 42.1:libpurple-meanwhile-2.10.11-9.1 openSUSE Leap 42.1:libpurple-tcl-2.10.11-9.1 openSUSE Leap 42.1:pidgin-2.10.11-9.1 openSUSE Leap 42.1:pidgin-devel-2.10.11-9.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-04/msg00013.html https://www.suse.com/security/cve/CVE-2014-3698.html CVE-2014-3698 https://bugzilla.suse.com/902408 SUSE Bug 902408 An out-of-bounds write flaw was found in the way Pidgin before 2.12.0 processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process. CVE-2017-2640 openSUSE Leap 42.1:finch-2.10.11-9.1 openSUSE Leap 42.1:finch-devel-2.10.11-9.1 openSUSE Leap 42.1:libpurple-2.10.11-9.1 openSUSE Leap 42.1:libpurple-branding-upstream-2.10.11-9.1 openSUSE Leap 42.1:libpurple-devel-2.10.11-9.1 openSUSE Leap 42.1:libpurple-lang-2.10.11-9.1 openSUSE Leap 42.1:libpurple-meanwhile-2.10.11-9.1 openSUSE Leap 42.1:libpurple-tcl-2.10.11-9.1 openSUSE Leap 42.1:pidgin-2.10.11-9.1 openSUSE Leap 42.1:pidgin-devel-2.10.11-9.1 important 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-04/msg00013.html https://www.suse.com/security/cve/CVE-2017-2640.html CVE-2017-2640 https://bugzilla.suse.com/1028835 SUSE Bug 1028835