File _patchinfo of Package patchinfo.3105

<patchinfo>
  <issue id="902408" tracker="bnc">CVE-2014-3698 pidgin: remote information leak via crafted XMPP message</issue>
  <issue id="902410" tracker="bnc">CVE-2014-3696: pidgin: denial of service parsing Groupwise server message</issue>
  <issue id="902409" tracker="bnc">CVE-2014-3695: pidgin: crash in MXit protocol plug-in</issue>
  <issue id="853038" tracker="bnc">pidgin xmpp video support missing</issue>
  <issue id="874606" tracker="bnc">Pidgin (2.9.10) does not connect to Yahoo anymore</issue>
  <issue id="902495" tracker="bnc">CVE-2014-3694: pidgin: SSL/TLS plug-ins failed to check Basic Constraints</issue>
  <issue id="CVE-2014-3698" tracker="cve" />
  <issue id="CVE-2014-3694" tracker="cve" />
  <issue id="CVE-2014-3695" tracker="cve" />
  <issue id="CVE-2014-3696" tracker="cve" />
  <issue id="CVE-2014-3697" tracker="cve" />
  <category>security</category>
  <rating>moderate</rating>
  <packager>dimstar</packager>
  <description>
- Update to version 2.10.10:
  + General:
    - Check the basic constraints extension when validating
      SSL/TLS certificates. This fixes a security hole that allowed
      a malicious man-in-the-middle to impersonate an IM server or
      any other https endpoint. This affected both the NSS and
      GnuTLS plugins (CVE-2014-3694, boo#902495).
    - Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin
      for SSL (im#15909).
  + libpurple3 compatibility:
    - Encrypted account passwords are preserved until the new one
      is set.
    - Fix loading Google Talk and Facebook XMPP accounts.
  + Windows-Specific Changes: Don't allow overwriting arbitrary
    files on the file system when the user installs a smiley theme
    via drag-and-drop (CVE-2014-3697).
  + Finch: Fix build against Python 3 (im#15969).
  + Gadu-Gadu: Updated internal libgadu to version 1.12.0.
  + Groupwise: Fix potential remote crash parsing server message
    that indicates that a large amount of memory should be
    allocated (CVE-2014-3696, boo#902410).
  + IRC: Fix a possible leak of unencrypted data when using /me
    command with OTR (im#15750).
  + MXit: Fix potential remote crash parsing a malformed emoticon
    response (CVE-2014-3695, boo#902409).
  + XMPP:
    - Fix potential information leak where a malicious XMPP server
      and possibly even a malicious remote user could create a
      carefully crafted XMPP message that causes libpurple to send
      an XMPP message containing arbitrary memory (CVE-2014-3698,
      boo#902408).
    - Fix Facebook XMPP roster quirks (im#15041, im#15957).
  + Yahoo: Fix login when using the GnuTLS library for TLS
    connections (im#16172, boo#874606).
- Drop pidgin-gstreamer1.patch: causes crashes and video still does
  not work (boo#853038). Drop BuildRequires conditions switching to
  GStreamer 1.0.
- Rebase pidgin-crash-missing-gst-registry.patch.

  + Add pidgin-crash-missing-gst-registry.patch: according to the
    GST doc, "gst_init" should be called before any other calls.</description>
  <summary>update for pidgin</summary>
</patchinfo>