finch-2.14.7-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11172 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z finch-2.14.7-1.1 on GA media These are all security issues fixed in the finch-2.14.7-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11172 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11172 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2008-2927/ SUSE CVE CVE-2008-2927 page https://www.suse.com/security/cve/CVE-2008-2955/ SUSE CVE CVE-2008-2955 page https://www.suse.com/security/cve/CVE-2008-3532/ SUSE CVE CVE-2008-3532 page https://www.suse.com/security/cve/CVE-2017-2640/ SUSE CVE CVE-2017-2640 page openSUSE Tumbleweed finch-2.14.7-1.1 finch-devel-2.14.7-1.1 libpurple-2.14.7-1.1 libpurple-branding-upstream-2.14.7-1.1 libpurple-devel-2.14.7-1.1 libpurple-lang-2.14.7-1.1 libpurple-plugin-sametime-2.14.7-1.1 libpurple-tcl-2.14.7-1.1 pidgin-2.14.7-1.1 pidgin-devel-2.14.7-1.1 finch-2.14.7-1.1 as a component of openSUSE Tumbleweed finch-devel-2.14.7-1.1 as a component of openSUSE Tumbleweed libpurple-2.14.7-1.1 as a component of openSUSE Tumbleweed libpurple-branding-upstream-2.14.7-1.1 as a component of openSUSE Tumbleweed libpurple-devel-2.14.7-1.1 as a component of openSUSE Tumbleweed libpurple-lang-2.14.7-1.1 as a component of openSUSE Tumbleweed libpurple-plugin-sametime-2.14.7-1.1 as a component of openSUSE Tumbleweed libpurple-tcl-2.14.7-1.1 as a component of openSUSE Tumbleweed pidgin-2.14.7-1.1 as a component of openSUSE Tumbleweed pidgin-devel-2.14.7-1.1 as a component of openSUSE Tumbleweed Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in (1) libpurple/protocols/msn/slplink.c and (2) libpurple/protocols/msnp9/slplink.c in Pidgin before 2.4.3 and Adium before 1.3 allow remote attackers to execute arbitrary code via a malformed SLP message with a crafted offset value, a different vulnerability than CVE-2008-2955. CVE-2008-2927 openSUSE Tumbleweed:finch-2.14.7-1.1 openSUSE Tumbleweed:finch-devel-2.14.7-1.1 openSUSE Tumbleweed:libpurple-2.14.7-1.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.14.7-1.1 openSUSE Tumbleweed:libpurple-devel-2.14.7-1.1 openSUSE Tumbleweed:libpurple-lang-2.14.7-1.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.14.7-1.1 openSUSE Tumbleweed:libpurple-tcl-2.14.7-1.1 openSUSE Tumbleweed:pidgin-2.14.7-1.1 openSUSE Tumbleweed:pidgin-devel-2.14.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-2927.html CVE-2008-2927 https://bugzilla.suse.com/406416 SUSE Bug 406416 https://bugzilla.suse.com/503447 SUSE Bug 503447 https://bugzilla.suse.com/527100 SUSE Bug 527100 Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function. CVE-2008-2955 openSUSE Tumbleweed:finch-2.14.7-1.1 openSUSE Tumbleweed:finch-devel-2.14.7-1.1 openSUSE Tumbleweed:libpurple-2.14.7-1.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.14.7-1.1 openSUSE Tumbleweed:libpurple-devel-2.14.7-1.1 openSUSE Tumbleweed:libpurple-lang-2.14.7-1.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.14.7-1.1 openSUSE Tumbleweed:libpurple-tcl-2.14.7-1.1 openSUSE Tumbleweed:pidgin-2.14.7-1.1 openSUSE Tumbleweed:pidgin-devel-2.14.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-2955.html CVE-2008-2955 https://bugzilla.suse.com/404163 SUSE Bug 404163 https://bugzilla.suse.com/406416 SUSE Bug 406416 https://bugzilla.suse.com/503447 SUSE Bug 503447 The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service. CVE-2008-3532 openSUSE Tumbleweed:finch-2.14.7-1.1 openSUSE Tumbleweed:finch-devel-2.14.7-1.1 openSUSE Tumbleweed:libpurple-2.14.7-1.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.14.7-1.1 openSUSE Tumbleweed:libpurple-devel-2.14.7-1.1 openSUSE Tumbleweed:libpurple-lang-2.14.7-1.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.14.7-1.1 openSUSE Tumbleweed:libpurple-tcl-2.14.7-1.1 openSUSE Tumbleweed:pidgin-2.14.7-1.1 openSUSE Tumbleweed:pidgin-devel-2.14.7-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2008-3532.html CVE-2008-3532 https://bugzilla.suse.com/415679 SUSE Bug 415679 An out-of-bounds write flaw was found in the way Pidgin before 2.12.0 processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process. CVE-2017-2640 openSUSE Tumbleweed:finch-2.14.7-1.1 openSUSE Tumbleweed:finch-devel-2.14.7-1.1 openSUSE Tumbleweed:libpurple-2.14.7-1.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.14.7-1.1 openSUSE Tumbleweed:libpurple-devel-2.14.7-1.1 openSUSE Tumbleweed:libpurple-lang-2.14.7-1.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.14.7-1.1 openSUSE Tumbleweed:libpurple-tcl-2.14.7-1.1 openSUSE Tumbleweed:pidgin-2.14.7-1.1 openSUSE Tumbleweed:pidgin-devel-2.14.7-1.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-2640.html CVE-2017-2640 https://bugzilla.suse.com/1028835 SUSE Bug 1028835