finch-2.11.0-4.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10432 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z finch-2.11.0-4.1 on GA media These are all security issues fixed in the finch-2.11.0-4.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10432 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10432 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2009-2694/ SUSE CVE CVE-2009-2694 page https://www.suse.com/security/cve/CVE-2009-2703/ SUSE CVE CVE-2009-2703 page https://www.suse.com/security/cve/CVE-2009-3026/ SUSE CVE CVE-2009-3026 page https://www.suse.com/security/cve/CVE-2009-3083/ SUSE CVE CVE-2009-3083 page https://www.suse.com/security/cve/CVE-2009-3084/ SUSE CVE CVE-2009-3084 page https://www.suse.com/security/cve/CVE-2009-3085/ SUSE CVE CVE-2009-3085 page https://www.suse.com/security/cve/CVE-2009-3615/ SUSE CVE CVE-2009-3615 page https://www.suse.com/security/cve/CVE-2010-0013/ SUSE CVE CVE-2010-0013 page https://www.suse.com/security/cve/CVE-2010-0277/ SUSE CVE CVE-2010-0277 page https://www.suse.com/security/cve/CVE-2010-0420/ SUSE CVE CVE-2010-0420 page https://www.suse.com/security/cve/CVE-2010-0423/ SUSE CVE CVE-2010-0423 page https://www.suse.com/security/cve/CVE-2010-1624/ SUSE CVE CVE-2010-1624 page https://www.suse.com/security/cve/CVE-2010-2528/ SUSE CVE CVE-2010-2528 page https://www.suse.com/security/cve/CVE-2010-3711/ SUSE CVE CVE-2010-3711 page https://www.suse.com/security/cve/CVE-2011-1091/ SUSE CVE CVE-2011-1091 page https://www.suse.com/security/cve/CVE-2011-3594/ SUSE CVE CVE-2011-3594 page https://www.suse.com/security/cve/CVE-2012-2214/ SUSE CVE CVE-2012-2214 page https://www.suse.com/security/cve/CVE-2012-3374/ SUSE CVE CVE-2012-3374 page https://www.suse.com/security/cve/CVE-2012-6152/ SUSE CVE CVE-2012-6152 page https://www.suse.com/security/cve/CVE-2013-0271/ SUSE CVE CVE-2013-0271 page https://www.suse.com/security/cve/CVE-2013-0272/ SUSE CVE CVE-2013-0272 page https://www.suse.com/security/cve/CVE-2013-0273/ SUSE CVE CVE-2013-0273 page https://www.suse.com/security/cve/CVE-2013-0274/ SUSE CVE CVE-2013-0274 page https://www.suse.com/security/cve/CVE-2013-6477/ SUSE CVE CVE-2013-6477 page https://www.suse.com/security/cve/CVE-2013-6478/ SUSE CVE CVE-2013-6478 page https://www.suse.com/security/cve/CVE-2013-6479/ SUSE CVE CVE-2013-6479 page https://www.suse.com/security/cve/CVE-2013-6481/ SUSE CVE CVE-2013-6481 page https://www.suse.com/security/cve/CVE-2013-6482/ SUSE CVE CVE-2013-6482 page https://www.suse.com/security/cve/CVE-2013-6483/ SUSE CVE CVE-2013-6483 page https://www.suse.com/security/cve/CVE-2013-6484/ SUSE CVE CVE-2013-6484 page https://www.suse.com/security/cve/CVE-2013-6485/ SUSE CVE CVE-2013-6485 page https://www.suse.com/security/cve/CVE-2013-6486/ SUSE CVE CVE-2013-6486 page https://www.suse.com/security/cve/CVE-2013-6487/ SUSE CVE CVE-2013-6487 page https://www.suse.com/security/cve/CVE-2014-0020/ SUSE CVE CVE-2014-0020 page https://www.suse.com/security/cve/CVE-2014-3694/ SUSE CVE CVE-2014-3694 page https://www.suse.com/security/cve/CVE-2014-3695/ SUSE CVE CVE-2014-3695 page https://www.suse.com/security/cve/CVE-2014-3696/ SUSE CVE CVE-2014-3696 page https://www.suse.com/security/cve/CVE-2014-3697/ SUSE CVE CVE-2014-3697 page https://www.suse.com/security/cve/CVE-2014-3698/ SUSE CVE CVE-2014-3698 page openSUSE Tumbleweed finch-2.11.0-4.1 finch-devel-2.11.0-4.1 libpurple-2.11.0-4.1 libpurple-branding-upstream-2.11.0-4.1 libpurple-devel-2.11.0-4.1 libpurple-lang-2.11.0-4.1 libpurple-plugin-sametime-2.11.0-4.1 libpurple-tcl-2.11.0-4.1 pidgin-2.11.0-4.1 pidgin-devel-2.11.0-4.1 finch-2.11.0-4.1 as a component of openSUSE Tumbleweed finch-devel-2.11.0-4.1 as a component of openSUSE Tumbleweed libpurple-2.11.0-4.1 as a component of openSUSE Tumbleweed libpurple-branding-upstream-2.11.0-4.1 as a component of openSUSE Tumbleweed libpurple-devel-2.11.0-4.1 as a component of openSUSE Tumbleweed libpurple-lang-2.11.0-4.1 as a component of openSUSE Tumbleweed libpurple-plugin-sametime-2.11.0-4.1 as a component of openSUSE Tumbleweed libpurple-tcl-2.11.0-4.1 as a component of openSUSE Tumbleweed pidgin-2.11.0-4.1 as a component of openSUSE Tumbleweed pidgin-devel-2.11.0-4.1 as a component of openSUSE Tumbleweed The msn_slplink_process_msg function in libpurple/protocols/msn/slplink.c in libpurple, as used in Pidgin (formerly Gaim) before 2.5.9 and Adium 1.3.5 and earlier, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by sending multiple crafted SLP (aka MSNSLP) messages to trigger an overwrite of an arbitrary memory location. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1376. CVE-2009-2694 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-2694.html CVE-2009-2694 https://bugzilla.suse.com/527100 SUSE Bug 527100 libpurple/protocols/irc/msgs.c in the IRC protocol plugin in libpurple in Pidgin before 2.6.2 allows remote IRC servers to cause a denial of service (NULL pointer dereference and application crash) via a TOPIC message that lacks a topic string. CVE-2009-2703 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-2703.html CVE-2009-2703 https://bugzilla.suse.com/537214 SUSE Bug 537214 protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions. CVE-2009-3026 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-3026.html CVE-2009-3026 https://bugzilla.suse.com/535570 SUSE Bug 535570 https://bugzilla.suse.com/550170 SUSE Bug 550170 The msn_slp_sip_recv function in libpurple/protocols/msn/slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an SLP invite message that lacks certain required fields, as demonstrated by a malformed message from a KMess client. CVE-2009-3083 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-3083.html CVE-2009-3083 https://bugzilla.suse.com/536602 SUSE Bug 536602 https://bugzilla.suse.com/550170 SUSE Bug 550170 The msn_slp_process_msg function in libpurple/protocols/msn/slpcall.c in the MSN protocol plugin in libpurple 2.6.0 and 2.6.1, as used in Pidgin before 2.6.2, allows remote attackers to cause a denial of service (application crash) via a handwritten (aka Ink) message, related to an uninitialized variable and the incorrect "UTF16-LE" charset name. CVE-2009-3084 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-3084.html CVE-2009-3084 https://bugzilla.suse.com/536602 SUSE Bug 536602 https://bugzilla.suse.com/550170 SUSE Bug 550170 The XMPP protocol plugin in libpurple in Pidgin before 2.6.2 does not properly handle an error IQ stanza during an attempted fetch of a custom smiley, which allows remote attackers to cause a denial of service (application crash) via XHTML-IM content with cid: images. CVE-2009-3085 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-3085.html CVE-2009-3085 https://bugzilla.suse.com/536602 SUSE Bug 536602 https://bugzilla.suse.com/550170 SUSE Bug 550170 The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium before 1.3.7 allows remote attackers to cause a denial of service (application crash) via crafted contact-list data for (1) ICQ and possibly (2) AIM, as demonstrated by the SIM IM client. CVE-2009-3615 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2009-3615.html CVE-2009-3615 https://bugzilla.suse.com/548072 SUSE Bug 548072 https://bugzilla.suse.com/550170 SUSE Bug 550170 Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon. CVE-2010-0013 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-0013.html CVE-2010-0013 https://bugzilla.suse.com/567799 SUSE Bug 567799 https://bugzilla.suse.com/569616 SUSE Bug 569616 https://bugzilla.suse.com/581201 SUSE Bug 581201 slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013. CVE-2010-0277 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-0277.html CVE-2010-0277 https://bugzilla.suse.com/567799 SUSE Bug 567799 https://bugzilla.suse.com/569616 SUSE Bug 569616 https://bugzilla.suse.com/581201 SUSE Bug 581201 libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing <br> sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname. CVE-2010-0420 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-0420.html CVE-2010-0420 https://bugzilla.suse.com/569616 SUSE Bug 569616 https://bugzilla.suse.com/581201 SUSE Bug 581201 gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat. CVE-2010-0423 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-0423.html CVE-2010-0423 https://bugzilla.suse.com/569616 SUSE Bug 569616 https://bugzilla.suse.com/581201 SUSE Bug 581201 The msn_emoticon_msg function in slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.7.0 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a custom emoticon in a malformed SLP message. CVE-2010-1624 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-1624.html CVE-2010-1624 https://bugzilla.suse.com/604225 SUSE Bug 604225 The clientautoresp function in family_icbm.c in the oscar protocol plugin in libpurple in Pidgin before 2.7.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via an X-Status message that lacks the expected end tag for a (1) desc or (2) title element. CVE-2010-2528 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-2528.html CVE-2010-2528 https://bugzilla.suse.com/630965 SUSE Bug 630965 libpurple in Pidgin before 2.7.4 does not properly validate the return value of the purple_base64_decode function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a crafted message, related to the plugins for MSN, MySpaceIM, XMPP, and Yahoo! and the NTLM authentication support. CVE-2010-3711 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-3711.html CVE-2010-3711 https://bugzilla.suse.com/648273 SUSE Bug 648273 libymsg.c in the Yahoo! protocol plugin in libpurple in Pidgin 2.6.0 through 2.7.10 allows (1) remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a malformed YMSG notification packet, and allows (2) remote Yahoo! servers to cause a denial of service (NULL pointer dereference and application crash) via a malformed YMSG SMS message. CVE-2011-1091 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-1091.html CVE-2011-1091 https://bugzilla.suse.com/736189 SUSE Bug 736189 The g_markup_escape_text function in the SILC protocol plug-in in libpurple 2.10.0 and earlier, as used in Pidgin and possibly other products, allows remote attackers to cause a denial of service (crash) via invalid UTF-8 sequences that trigger use of invalid pointers and an out-of-bounds read, related to interactions with certain versions of glib2. CVE-2011-3594 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-3594.html CVE-2011-3594 https://bugzilla.suse.com/722199 SUSE Bug 722199 https://bugzilla.suse.com/736161 SUSE Bug 736161 proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle canceled SOCKS5 connection attempts, which allows user-assisted remote authenticated users to cause a denial of service (application crash) via a sequence of XMPP file-transfer requests. CVE-2012-2214 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-2214.html CVE-2012-2214 https://bugzilla.suse.com/760890 SUSE Bug 760890 Buffer overflow in markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.5 allows remote attackers to execute arbitrary code via a crafted inline image in a message. CVE-2012-3374 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-3374.html CVE-2012-3374 https://bugzilla.suse.com/770304 SUSE Bug 770304 The Yahoo! protocol plugin in libpurple in Pidgin before 2.10.8 does not properly validate UTF-8 data, which allows remote attackers to cause a denial of service (application crash) via crafted byte sequences. CVE-2012-6152 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate 7.1 AV:N/AC:M/Au:N/C:C/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-6152.html CVE-2012-6152 https://bugzilla.suse.com/861019 SUSE Bug 861019 The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might allow remote attackers to create or overwrite files via a crafted (1) mxit or (2) mxit/imagestrips pathname. CVE-2013-0271 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0271.html CVE-2013-0271 https://bugzilla.suse.com/804742 SUSE Bug 804742 Buffer overflow in http.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.7 allows remote servers to execute arbitrary code via a long HTTP header. CVE-2013-0272 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0272.html CVE-2013-0272 https://bugzilla.suse.com/804742 SUSE Bug 804742 sametime.c in the Sametime protocol plugin in libpurple in Pidgin before 2.10.7 does not properly terminate long user IDs, which allows remote servers to cause a denial of service (application crash) via a crafted packet. CVE-2013-0273 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0273.html CVE-2013-0273 https://bugzilla.suse.com/804742 SUSE Bug 804742 upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate long strings in UPnP responses, which allows remote attackers to cause a denial of service (application crash) by leveraging access to the local network. CVE-2013-0274 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-0274.html CVE-2013-0274 https://bugzilla.suse.com/804742 SUSE Bug 804742 Multiple integer signedness errors in libpurple in Pidgin before 2.10.8 allow remote attackers to cause a denial of service (application crash) via a crafted timestamp value in an XMPP message. CVE-2013-6477 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6477.html CVE-2013-6477 https://bugzilla.suse.com/861019 SUSE Bug 861019 gtkimhtml.c in Pidgin before 2.10.8 does not properly interact with underlying library support for wide Pango layouts, which allows user-assisted remote attackers to cause a denial of service (application crash) via a long URL that is examined with a tooltip. CVE-2013-6478 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6478.html CVE-2013-6478 https://bugzilla.suse.com/861019 SUSE Bug 861019 util.c in libpurple in Pidgin before 2.10.8 does not properly allocate memory for HTTP responses that are inconsistent with the Content-Length header, which allows remote HTTP servers to cause a denial of service (application crash) via a crafted response. CVE-2013-6479 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6479.html CVE-2013-6479 https://bugzilla.suse.com/861019 SUSE Bug 861019 libpurple/protocols/yahoo/libymsg.c in Pidgin before 2.10.8 allows remote attackers to cause a denial of service (crash) via a Yahoo! P2P message with a crafted length field, which triggers a buffer over-read. CVE-2013-6481 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6481.html CVE-2013-6481 https://bugzilla.suse.com/861019 SUSE Bug 861019 Pidgin before 2.10.8 allows remote MSN servers to cause a denial of service (NULL pointer dereference and crash) via a crafted (1) SOAP response, (2) OIM XML response, or (3) Content-Length header. CVE-2013-6482 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6482.html CVE-2013-6482 https://bugzilla.suse.com/861019 SUSE Bug 861019 The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not properly determine whether the from address in an iq reply is consistent with the to address in an iq request, which allows remote attackers to spoof iq traffic or cause a denial of service (NULL pointer dereference and application crash) via a crafted reply. CVE-2013-6483 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6483.html CVE-2013-6483 https://bugzilla.suse.com/861019 SUSE Bug 861019 The STUN protocol implementation in libpurple in Pidgin before 2.10.8 allows remote STUN servers to cause a denial of service (out-of-bounds write operation and application crash) by triggering a socket read error. CVE-2013-6484 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6484.html CVE-2013-6484 https://bugzilla.suse.com/861019 SUSE Bug 861019 Buffer overflow in util.c in libpurple in Pidgin before 2.10.8 allows remote HTTP servers to cause a denial of service (application crash) or possibly have unspecified other impact via an invalid chunk-size field in chunked transfer-coding data. CVE-2013-6485 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6485.html CVE-2013-6485 https://bugzilla.suse.com/861019 SUSE Bug 861019 gtkutils.c in Pidgin before 2.10.8 on Windows allows user-assisted remote attackers to execute arbitrary programs via a message containing a file: URL that is improperly handled during construction of an explorer.exe command. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-3185. CVE-2013-6486 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6486.html CVE-2013-6486 https://bugzilla.suse.com/861019 SUSE Bug 861019 Integer overflow in libpurple/protocols/gg/lib/http.c in the Gadu-Gadu (gg) parser in Pidgin before 2.10.8 allows remote attackers to have an unspecified impact via a large Content-Length value, which triggers a buffer overflow. CVE-2013-6487 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-6487.html CVE-2013-6487 https://bugzilla.suse.com/861019 SUSE Bug 861019 https://bugzilla.suse.com/878540 SUSE Bug 878540 The IRC protocol plugin in libpurple in Pidgin before 2.10.8 does not validate argument counts, which allows remote IRC servers to cause a denial of service (application crash) via a crafted message. CVE-2014-0020 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-0020.html CVE-2014-0020 https://bugzilla.suse.com/861019 SUSE Bug 861019 The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. CVE-2014-3694 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3694.html CVE-2014-3694 https://bugzilla.suse.com/902495 SUSE Bug 902495 markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response. CVE-2014-3695 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3695.html CVE-2014-3695 https://bugzilla.suse.com/902409 SUSE Bug 902409 nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation. CVE-2014-3696 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3696.html CVE-2014-3696 https://bugzilla.suse.com/902410 SUSE Bug 902410 Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme. CVE-2014-3697 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3697.html CVE-2014-3697 The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message. CVE-2014-3698 openSUSE Tumbleweed:finch-2.11.0-4.1 openSUSE Tumbleweed:finch-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-2.11.0-4.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.11.0-4.1 openSUSE Tumbleweed:libpurple-devel-2.11.0-4.1 openSUSE Tumbleweed:libpurple-lang-2.11.0-4.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.11.0-4.1 openSUSE Tumbleweed:libpurple-tcl-2.11.0-4.1 openSUSE Tumbleweed:pidgin-2.11.0-4.1 openSUSE Tumbleweed:pidgin-devel-2.11.0-4.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-3698.html CVE-2014-3698 https://bugzilla.suse.com/902408 SUSE Bug 902408