mumble-1.2.17-1.2 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10080-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z mumble-1.2.17-1.2 on GA media These are all security issues fixed in the mumble-1.2.17-1.2 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10080 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2010-2490/ SUSE CVE CVE-2010-2490 page https://www.suse.com/security/cve/CVE-2012-0863/ SUSE CVE CVE-2012-0863 page https://www.suse.com/security/cve/CVE-2014-0044/ SUSE CVE CVE-2014-0044 page https://www.suse.com/security/cve/CVE-2014-0045/ SUSE CVE CVE-2014-0045 page https://www.suse.com/security/cve/CVE-2014-3755/ SUSE CVE CVE-2014-3755 page https://www.suse.com/security/cve/CVE-2014-3756/ SUSE CVE CVE-2014-3756 page openSUSE Tumbleweed mumble-1.2.17-1.2 mumble-32bit-1.2.17-1.2 mumble-server-1.2.17-1.2 mumble-1.2.17-1.2 as a component of openSUSE Tumbleweed mumble-32bit-1.2.17-1.2 as a component of openSUSE Tumbleweed mumble-server-1.2.17-1.2 as a component of openSUSE Tumbleweed Mumble: murmur-server has DoS due to malformed client query CVE-2010-2490 openSUSE Tumbleweed:mumble-1.2.17-1.2 openSUSE Tumbleweed:mumble-32bit-1.2.17-1.2 openSUSE Tumbleweed:mumble-server-1.2.17-1.2 moderate 6.8 AV:N/AC:L/Au:S/C:N/I:N/A:C To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-2490.html CVE-2010-2490 Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file. CVE-2012-0863 openSUSE Tumbleweed:mumble-1.2.17-1.2 openSUSE Tumbleweed:mumble-32bit-1.2.17-1.2 openSUSE Tumbleweed:mumble-server-1.2.17-1.2 moderate 2.1 AV:L/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-0863.html CVE-2012-0863 https://bugzilla.suse.com/747833 SUSE Bug 747833 The opus_packet_get_samples_per_frame function in client in Mumble 1.2.4 and the 1.2.3 pre-release snapshots allows remote attackers to cause a denial of service (crash) via a crafted length prefix value, which triggers a NULL pointer dereference or a heap-based buffer over-read (aka "out-of-bounds array access"). CVE-2014-0044 openSUSE Tumbleweed:mumble-1.2.17-1.2 openSUSE Tumbleweed:mumble-32bit-1.2.17-1.2 openSUSE Tumbleweed:mumble-server-1.2.17-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-0044.html CVE-2014-0044 https://bugzilla.suse.com/862527 SUSE Bug 862527 The needSamples method in AudioOutputSpeech.cpp in the client in Mumble 1.2.4 and the 1.2.3 pre-release snapshots, Mumble for iOS 1.1 through 1.2.2, and MumbleKit before commit fd190328a9b24d37382b269a5674b0c0c7a7e36d does not check the return value of the opus_decode_float function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Opus voice packet, which triggers an error in opus_decode_float, a conversion of a negative integer to an unsigned integer, and a heap-based buffer over-read and over-write. CVE-2014-0045 openSUSE Tumbleweed:mumble-1.2.17-1.2 openSUSE Tumbleweed:mumble-32bit-1.2.17-1.2 openSUSE Tumbleweed:mumble-server-1.2.17-1.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-0045.html CVE-2014-0045 https://bugzilla.suse.com/862527 SUSE Bug 862527 The QSvg module in Qt, as used in the Mumble client 1.2.x before 1.2.6, allows remote attackers to cause a denial of service (hang and resource consumption) via a local file reference in an (1) image tag or (2) XML stylesheet in an SVG file. CVE-2014-3755 openSUSE Tumbleweed:mumble-1.2.17-1.2 openSUSE Tumbleweed:mumble-32bit-1.2.17-1.2 openSUSE Tumbleweed:mumble-server-1.2.17-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3755.html CVE-2014-3755 https://bugzilla.suse.com/877969 SUSE Bug 877969 The client in Mumble 1.2.x before 1.2.6 allows remote attackers to force the loading of an external file and cause a denial of service (hang and resource consumption) via a crafted string that is treated as rich-text by a Qt widget, as demonstrated by the (1) user or (2) channel name in a Qt dialog, (3) subject common name or (4) email address to the Certificate Wizard, or (5) server name in a tooltip. CVE-2014-3756 openSUSE Tumbleweed:mumble-1.2.17-1.2 openSUSE Tumbleweed:mumble-32bit-1.2.17-1.2 openSUSE Tumbleweed:mumble-server-1.2.17-1.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3756.html CVE-2014-3756 https://bugzilla.suse.com/877971 SUSE Bug 877971