python36-slixmpp-1.5.2-1.9 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11274-1 Final 1 1 2024-06-15T00:00:00Z current 2024-06-15T00:00:00Z 2024-06-15T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z python36-slixmpp-1.5.2-1.9 on GA media These are all security issues fixed in the python36-slixmpp-1.5.2-1.9 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11274 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2017-5589/ SUSE CVE CVE-2017-5589 page https://www.suse.com/security/cve/CVE-2019-1000021/ SUSE CVE CVE-2019-1000021 page openSUSE Tumbleweed python36-slixmpp-1.5.2-1.9 python38-slixmpp-1.5.2-1.9 python39-slixmpp-1.5.2-1.9 python36-slixmpp-1.5.2-1.9 as a component of openSUSE Tumbleweed python38-slixmpp-1.5.2-1.9 as a component of openSUSE Tumbleweed python39-slixmpp-1.5.2-1.9 as a component of openSUSE Tumbleweed An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for yaxim and Bruno (0.8.6 - 0.8.8; Android). CVE-2017-5589 openSUSE Tumbleweed:python36-slixmpp-1.5.2-1.9 openSUSE Tumbleweed:python38-slixmpp-1.5.2-1.9 openSUSE Tumbleweed:python39-slixmpp-1.5.2-1.9 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2017-5589.html CVE-2017-5589 https://bugzilla.suse.com/1024687 SUSE Bug 1024687 https://bugzilla.suse.com/1024696 SUSE Bug 1024696 https://bugzilla.suse.com/1024736 SUSE Bug 1024736 slixmpp version before commit 7cd73b594e8122dddf847953fcfc85ab4d316416 contains an incorrect Access Control vulnerability in XEP-0223 plugin (Persistent Storage of Private Data via PubSub) options profile, used for the configuration of default access model that can result in all of the contacts of the victim can see private data having been published to a PEP node. This attack appears to be exploitable if the user of this library publishes any private data on PEP, the node isn't configured to be private. This vulnerability appears to have been fixed in commit 7cd73b594e8122dddf847953fcfc85ab4d316416 which is included in slixmpp 1.4.2. CVE-2019-1000021 openSUSE Tumbleweed:python36-slixmpp-1.5.2-1.9 openSUSE Tumbleweed:python38-slixmpp-1.5.2-1.9 openSUSE Tumbleweed:python39-slixmpp-1.5.2-1.9 low 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-1000021.html CVE-2019-1000021 https://bugzilla.suse.com/1124322 SUSE Bug 1124322