openSUSE Security Update: pidgin: 2.10.7 update to fix security issues and bugs
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:0511-1
Rating:             important
References:         #804742 #806975 
Cross-References:   CVE-2013-0271 CVE-2013-0272 CVE-2013-0273
                    CVE-2013-0274
Affected Products:
                    openSUSE 12.3
______________________________________________________________________________

   An update that fixes four vulnerabilities is now available.

Description:


   Pidgin was updated to 2.10.7 to fix various security issues
   and the bug that IRC did not work at all in 12.3.

   Changes:
   - Add pidgin-irc-sasl.patch: link irc module to SASL.
   Allows the IRC module to be loaded (bnc#806975).

   - Update to version 2.10.7 (bnc#804742):
   + Alien hatchery:
   - No changes
   + General:
   - The configure script will now exit with status 1 when
   specifying invalid protocol plugins using the
   --with-static-prpls and --with-dynamic-prpls
   arguments. (pidgin.im#15316)
   + libpurple:
   - Fix a crash when receiving UPnP responses with
   abnormally long values. (CVE-2013-0274)
   - Don't link directly to libgcrypt when building with
   GnuTLS support. (pidgin.im#15329)
   - Fix UPnP mappings on routers that return empty
    elements in their response. (pidgin.im#15373)
   - Tcl plugin uses saner, race-free plugin loading.
   - Fix the Tcl signals-test plugin for
   savedstatus-changed. (pidgin.im#15443)
   + Pidgin:
   - Make Pidgin more friendly to non-X11 GTK+, such as
   MacPorts' +no_x11 variant.
   + Gadu-Gadu:
   - Fix a crash at startup with large contact list.
   Avatar support for buddies will be disabled until 3.0.0.
   (pidgin.im#15226, pidgin.im#14305)
   + IRC:
   - Support for SASL authentication. (pidgin.im#13270)
   - Print topic setter information at channel join.
   (pidgin.im#13317)
   + MSN:
   - Fix SSL certificate issue when signing into MSN for
   some users.
   - Fix a crash when removing a user before its icon is
   loaded. (pidgin.im#15217)
   + MXit:
   - Fix a bug where a remote MXit user could possibly
   specify a local file path to be written to. (CVE-2013-0271)
   - Fix a bug where the MXit server or a
   man-in-the-middle could potentially send specially crafted
   data that could overflow a buffer and lead to a crash or
   remote code execution. (CVE-2013-0272)
   - Display farewell messages in a different colour to
   distinguish them from normal messages.
   - Add support for typing notification.
   - Add support for the Relationship Status profile
   attribute.
   - Remove all reference to Hidden Number.
   - Ignore new invites to join a GroupChat if you're
   already joined, or still have a pending invite.
   - The buddy's name was not centered vertically in the
   buddy-list if they did not have a status-message or mood
   set.
   - Fix decoding of font-size changes in the markup of
   received messages.
   - Increase the maximum file size that can be
   transferred to 1 MB.
   - When setting an avatar image, no longer downscale it
   to 96x96.
   + Sametime:
   - Fix a crash in Sametime when a malicious server sends
   us an abnormally long user ID. (CVE-2013-0273)
   + Yahoo!:
   - Fix a double-free in profile/picture loading code.
   (pidgin.im#15053)
   - Fix retrieving server-side buddy aliases.
   (pidgin.im#15381)
   + Plugins:
   - The Voice/Video Settings plugin supports using the
   sndio GStreamer backends. (pidgin.im#14414)
   - Fix a crash in the Contact Availability Detection
   plugin. (pidgin.im#15327)
   - Make the Message Notification plugin more friendly to
   non-X11 GTK+, such as MacPorts' +no_x11 variant.
   + Windows-Specific Changes:
   - Compile with secure flags (pidgin.im#15290)
   - Installer downloads GTK+ Runtime and Debug Symbols
   more securely. (pidgin.im#15277)
   - Updates to a number of dependencies, some of which
   have security related fixes. (pidgin.im#14571,
   pidgin.im#15285, pidgin.im#15286) . ATK 1.32.0-2 . Cyrus
   SASL 2.1.25 . expat 2.1.0-1 . freetype 2.4.10-1 . gettext
   0.18.1.1-2 . Glib 2.28.8-1 . libpng 1.4.12-1 . libxml2
   2.9.0-1 . NSS 3.13.6 and NSPR 4.9.2 . Pango 1.29.4-1 . SILC
   1.1.10 . zlib 1.2.5-2
   - Patch libmeanwhile (sametime library) to fix crash.
   (pidgin.im#12637)


Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.3:

      zypper in -t patch openSUSE-2013-231

   To bring your system up-to-date, use "zypper patch".


Package List:

   - openSUSE 12.3 (i586 x86_64):

      finch-2.10.7-4.4.1
      finch-debuginfo-2.10.7-4.4.1
      finch-devel-2.10.7-4.4.1
      libpurple-2.10.7-4.4.1
      libpurple-debuginfo-2.10.7-4.4.1
      libpurple-devel-2.10.7-4.4.1
      libpurple-meanwhile-2.10.7-4.4.1
      libpurple-meanwhile-debuginfo-2.10.7-4.4.1
      libpurple-tcl-2.10.7-4.4.1
      libpurple-tcl-debuginfo-2.10.7-4.4.1
      pidgin-2.10.7-4.4.1
      pidgin-debuginfo-2.10.7-4.4.1
      pidgin-debugsource-2.10.7-4.4.1
      pidgin-devel-2.10.7-4.4.1

   - openSUSE 12.3 (noarch):

      libpurple-branding-upstream-2.10.7-4.4.1
      libpurple-lang-2.10.7-4.4.1


References:

   https://www.suse.com/security/cve/CVE-2013-0271.html
   https://www.suse.com/security/cve/CVE-2013-0272.html
   https://www.suse.com/security/cve/CVE-2013-0273.html
   https://www.suse.com/security/cve/CVE-2013-0274.html
   https://bugzilla.novell.com/804742
   https://bugzilla.novell.com/806975

openSUSE: 2013:0511-1: important: pidgin

March 21, 2013
An update that fixes four vulnerabilities is now available

Description

Pidgin was updated to 2.10.7 to fix various security issues and the bug that IRC did not work at all in 12.3. Changes: - Add pidgin-irc-sasl.patch: link irc module to SASL. Allows the IRC module to be loaded (bnc#806975). - Update to version 2.10.7 (bnc#804742): + Alien hatchery: - No changes + General: - The configure script will now exit with status 1 when specifying invalid protocol plugins using the --with-static-prpls and --with-dynamic-prpls arguments. (pidgin.im#15316) + libpurple: - Fix a crash when receiving UPnP responses with abnormally long values. (CVE-2013-0274) - Don't link directly to libgcrypt when building with GnuTLS support. (pidgin.im#15329) - Fix UPnP mappings on routers that return empty elements in their response. (pidgin.im#15373) - Tcl plugin uses saner, race-free plugin loading. - Fix the Tcl signals-test plugin for savedstatus-changed. (pidgin.im#15443) + Pidgin: - Make Pidgin mor...

Read the Full Advisory

 

Patch

Patch Instructions: To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product: - openSUSE 12.3: zypper in -t patch openSUSE-2013-231 To bring your system up-to-date, use "zypper patch".


Package List

- openSUSE 12.3 (i586 x86_64): finch-2.10.7-4.4.1 finch-debuginfo-2.10.7-4.4.1 finch-devel-2.10.7-4.4.1 libpurple-2.10.7-4.4.1 libpurple-debuginfo-2.10.7-4.4.1 libpurple-devel-2.10.7-4.4.1 libpurple-meanwhile-2.10.7-4.4.1 libpurple-meanwhile-debuginfo-2.10.7-4.4.1 libpurple-tcl-2.10.7-4.4.1 libpurple-tcl-debuginfo-2.10.7-4.4.1 pidgin-2.10.7-4.4.1 pidgin-debuginfo-2.10.7-4.4.1 pidgin-debugsource-2.10.7-4.4.1 pidgin-devel-2.10.7-4.4.1 - openSUSE 12.3 (noarch): libpurple-branding-upstream-2.10.7-4.4.1 libpurple-lang-2.10.7-4.4.1


References

https://www.suse.com/security/cve/CVE-2013-0271.html https://www.suse.com/security/cve/CVE-2013-0272.html https://www.suse.com/security/cve/CVE-2013-0273.html https://www.suse.com/security/cve/CVE-2013-0274.html https://bugzilla.novell.com/804742 https://bugzilla.novell.com/806975


Severity
Announcement ID: openSUSE-SU-2013:0511-1
Rating: important
Affected Products: openSUSE 12.3 .

Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved