File _patchinfo of Package patchinfo.3098

<patchinfo>
  <issue id="902408" tracker="bnc">CVE-2014-3698 pidgin: remote information leak via crafted XMPP message</issue>
  <issue id="902410" tracker="bnc">CVE-2014-3696: pidgin: denial of service parsing Groupwise server message</issue>
  <issue id="902409" tracker="bnc">CVE-2014-3695: pidgin: crash in MXit protocol plug-in</issue>
  <issue id="853038" tracker="bnc">pidgin xmpp video support missing</issue>
  <issue id="874606" tracker="bnc">Pidgin (2.9.10) does not connect to Yahoo anymore</issue>
  <issue id="902495" tracker="bnc">VUL-0: CVE-2014-3694: pidgin: SSL/TLS plug-ins failed to check Basic Constraints</issue>
  <issue id="CVE-2014-3698" tracker="cve" />
  <issue id="CVE-2014-3694" tracker="cve" />
  <issue id="CVE-2014-3695" tracker="cve" />
  <issue id="CVE-2014-3696" tracker="cve" />
  <issue id="CVE-2014-3697" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>dimstar</packager>
  <description>
  The following issues were fixed in this update:
  + General:
    - Check the basic constraints extension when validating
      SSL/TLS certificates. This fixes a security hole that allowed
      a malicious man-in-the-middle to impersonate an IM server or
      any other HTTPS endpoint. This affected both the NSS and
      GnuTLS plugins (CVE-2014-3694, boo#902495).
    - Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin
      for SSL (im#15909).
  + libpurple3 compatibility:
    - Encrypted account passwords are preserved until the new one
      is set.
    - Fix loading Google Talk and Facebook XMPP accounts.
  + Groupwise: Fix potential remote crash parsing server message
    that indicates that a large amount of memory should be
    allocated (CVE-2014-3696, boo#902410).
  + IRC: Fix a possible leak of unencrypted data when using /me
    command with OTR (im#15750).
  + MXit: Fix potential remote crash parsing a malformed emoticon
    response (CVE-2014-3695, boo#902409).
  + XMPP:
    - Fix potential information leak where a malicious XMPP server
      and possibly even a malicious remote user could create a
      carefully crafted XMPP message that causes libpurple to send
      an XMPP message containing arbitrary memory (CVE-2014-3698,
      boo#902408).
  + Yahoo: Fix login when using the GnuTLS library for TLS
    connections (im#16172, boo#874606).
</description>
  <summary>update for pidgin</summary>
</patchinfo>