finch-2.14.9-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:12036 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z finch-2.14.9-1.1 on GA media These are all security issues fixed in the finch-2.14.9-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-12036 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:12036 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-26491/ SUSE CVE CVE-2022-26491 page openSUSE Tumbleweed finch-2.14.9-1.1 finch-devel-2.14.9-1.1 libpurple-2.14.9-1.1 libpurple-branding-upstream-2.14.9-1.1 libpurple-client0-2.14.9-1.1 libpurple-devel-2.14.9-1.1 libpurple-lang-2.14.9-1.1 libpurple-plugin-sametime-2.14.9-1.1 libpurple-tcl-2.14.9-1.1 libpurple0-2.14.9-1.1 pidgin-2.14.9-1.1 pidgin-devel-2.14.9-1.1 finch-2.14.9-1.1 as a component of openSUSE Tumbleweed finch-devel-2.14.9-1.1 as a component of openSUSE Tumbleweed libpurple-2.14.9-1.1 as a component of openSUSE Tumbleweed libpurple-branding-upstream-2.14.9-1.1 as a component of openSUSE Tumbleweed libpurple-client0-2.14.9-1.1 as a component of openSUSE Tumbleweed libpurple-devel-2.14.9-1.1 as a component of openSUSE Tumbleweed libpurple-lang-2.14.9-1.1 as a component of openSUSE Tumbleweed libpurple-plugin-sametime-2.14.9-1.1 as a component of openSUSE Tumbleweed libpurple-tcl-2.14.9-1.1 as a component of openSUSE Tumbleweed libpurple0-2.14.9-1.1 as a component of openSUSE Tumbleweed pidgin-2.14.9-1.1 as a component of openSUSE Tumbleweed pidgin-devel-2.14.9-1.1 as a component of openSUSE Tumbleweed An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968. CVE-2022-26491 openSUSE Tumbleweed:finch-2.14.9-1.1 openSUSE Tumbleweed:finch-devel-2.14.9-1.1 openSUSE Tumbleweed:libpurple-2.14.9-1.1 openSUSE Tumbleweed:libpurple-branding-upstream-2.14.9-1.1 openSUSE Tumbleweed:libpurple-client0-2.14.9-1.1 openSUSE Tumbleweed:libpurple-devel-2.14.9-1.1 openSUSE Tumbleweed:libpurple-lang-2.14.9-1.1 openSUSE Tumbleweed:libpurple-plugin-sametime-2.14.9-1.1 openSUSE Tumbleweed:libpurple-tcl-2.14.9-1.1 openSUSE Tumbleweed:libpurple0-2.14.9-1.1 openSUSE Tumbleweed:pidgin-2.14.9-1.1 openSUSE Tumbleweed:pidgin-devel-2.14.9-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-26491.html CVE-2022-26491 https://bugzilla.suse.com/1199025 SUSE Bug 1199025