File _patchinfo of Package patchinfo.2528

<patchinfo>
  <issue id="861019" tracker="bnc">pidgin: new pidgin version fixes various issues</issue>
  <issue id="CVE-2013-6483" tracker="cve" />
  <issue id="CVE-2013-6482" tracker="cve" />
  <issue id="CVE-2014-0020" tracker="cve" />
  <issue id="CVE-2013-6487" tracker="cve" />
  <issue id="CVE-2013-6486" tracker="cve" />
  <issue id="CVE-2013-6485" tracker="cve" />
  <issue id="CVE-2013-6484" tracker="cve" />
  <issue id="CVE-2013-6481" tracker="cve" />
  <issue id="CVE-2013-6477" tracker="cve" />
  <issue id="CVE-2012-6152" tracker="cve" />
  <issue id="CVE-2013-6478" tracker="cve" />
  <issue id="CVE-2013-6479" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>Zaitor</packager>
  <description>
- Update to version 2.10.8 (bnc#861019):
  + General: Python build scripts and example plugins are now
    compatible with Python 3 (pidgin.im#15624).
  + libpurple:
    - Fix potential crash if libpurple gets an error attempting to
      read a reply from a STUN server (CVE-2013-6484).
    - Fix potential crash parsing a malformed HTTP response
      (CVE-2013-6479).
    - Fix buffer overflow when parsing a malformed HTTP response
      with chunked Transfer-Encoding (CVE-2013-6485).
    - Better handling of HTTP proxy responses with negative
      Content-Lengths.
    - Fix handling of SSL certificates without subjects when
      using libnss.
    - Fix handling of SSL certificates with timestamps in the
      distant future when using libnss (pidgin.im#15586).
    - Impose maximum download size for all HTTP fetches.
  + Pidgin:
    - Fix crash displaying tooltip of long URLs (CVE-2013-6478).
    - Better handling of URLs longer than 1000 letters.
    - Fix handling of multibyte UTF-8 characters in smiley themes
      (pidgin.im#15756).
  + AIM: Fix untrusted certificate error.
  + AIM and ICQ: Fix a possible crash when receiving a malformed
    message in a Direct IM session.
  + Gadu-Gadu:
    - Fix buffer overflow with remote code execution potential.
      Only triggerable by a Gadu-Gadu server or a
      man-in-the-middle (CVE-2013-6487).
    - Disabled buddy list import/export from/to server.
    - Disabled new account registration and password change
      options.
  + IRC:
    - Fix bug where a malicious server or man-in-the-middle
      could trigger a crash by not sending enough arguments with
      various messages (CVE-2014-0020).
    - Fix bug where initial IRC status would not be set correctly.
    - Fix bug where IRC wasn't available when libpurple was
      compiled with Cyrus SASL support (pidgin.im#15517).
  + MSN:
    - Fix NULL pointer dereference parsing headers in MSN
      (CVE-2013-6482).
    - Fix NULL pointer dereference parsing OIM data in MSN
      (CVE-2013-6482).
    - Fix NULL pointer dereference parsing SOAP data in MSN
      (CVE-2013-6482).
    - Fix possible crash when sending very long messages. Not
      remotely-triggerable.
  + MXit:
    - Fix buffer overflow with remote code execution potential
      (CVE-2013-6487).
    - Fix sporadic crashes that can happen after user is
      disconnected.
    - Fix crash when attempting to add a contact via search
      results.
    - Show error message if file transfer fails.
    - Fix compiling with InstantBird.
    - Fix display of some custom emoticons.
  + SILC: Correctly set whiteboard dimensions in whiteboard
    sessions.
  + SIMPLE: Fix buffer overflow with remote code execution
    potential (CVE-2013-6487).
  + XMPP:
    - Prevent spoofing of iq replies by verifying that the
      'from' address matches the 'to' address of the iq request
      (CVE-2013-6483).
    - Fix crash on some systems when receiving fake delay
      timestamps with extreme values (CVE-2013-6477).
    - Fix possible crash or other erratic behavior when selecting a
      very small file for your own buddy icon.
    - Fix crash if the user tries to initiate a voice/video session
      with a resourceless JID.
    - Fix login errors when the first two available auth mechanisms
      fail but a subsequent mechanism would otherwise work when
      using Cyrus SASL (pidgin.im#15524).
    - Fix dropping incoming stanzas on BOSH connections when we
      receive multiple HTTP responses at once (pidgin.im#15684).
  + Yahoo!:
    - Fix possible crashes handling incoming strings that are not
      UTF-8 (CVE-2012-6152).
    - Fix a bug reading a peer to peer message where a remote user
      could trigger a crash (CVE-2013-6481).
  + Plugins:
    - Fix crash in contact availability plugin.
    - Fix perl function Purple::Network::ip_atoi.
    - Add Unity integration plugin.
  + Windows specific fixes: (CVE-2013-6486, pidgin.im#15520,
    pidgin.im#15521, bgo#668154).
- Drop pidgin-irc-sasl.patch, fixed upstream.

- Obsolete pidgin-facebookchat: the package is no longer maintained
  and pidgin has built-in support for Facebook Chat.

- Protect BuildRequires for mono-devel with the with_mono macro.

- Add pidgin-gstreamer1.patch: Port to GStreamer 1.0. Only enabled
  on openSUSE 13.1 and newer.
- On openSUSE 13.1 and newer, use gstreamer-devel and
  gstreamer-plugins-base-devel BuildRequires.

</description>
  <summary>update for pidgin, pidgin-branding-openSUSE</summary>
</patchinfo>