Upstream has released 0.16.5 and 0.17.3 to fix a remotely triggerable crash (denial of service) issue in telepathy-gabble.

Freeze push requested for 0.17.3 in Cauldron.

Updated package uploaded for Mageia 2.

Note to QA: You can test telepathy-gabble with a Jabber account in empathy.

Advisory:
========================

Updated telepathy-gabble packages fix security vulnerability:

NULL pointer dereference in telepathy-gabble before 0.16.5 which causes a crash when processing weirdly-shaped data forms in caps query replies. This bug can be triggered by any XMPP user who knows the bare JID of a user of a vulnerable client, without needing to be authorized to see that user's presence (CVE-2013-1769).

The telepathy-gabble package has been updated to version 0.16.5 to fix this issue as well as several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1769
http://lists.freedesktop.org/archives/telepathy/2013-March/006379.html
https://bugs.freedesktop.org/show_bug.cgi?id=61433
http://lists.freedesktop.org/archives/telepathy/2013-March/006377.html
http://lists.freedesktop.org/archives/telepathy/2012-November/006299.html
http://lists.freedesktop.org/archives/telepathy/2012-September/006234.html
http://lists.freedesktop.org/archives/telepathy/2012-August/006224.html
http://lists.freedesktop.org/archives/telepathy/2012-June/006145.html
========================

Updated packages in core/updates_testing:
========================
telepathy-gabble-0.16.5-1.mga2

from telepathy-gabble-0.16.5-1.mga2.src.rpm
telepathy-gabble-0.17.3-1.mga3 is uploaded in Cauldron.
Testing complete mga2 32
Connected to jabber in empathy with gmail credentials.
Thanks for the procedure David.
Whiteboard: (none) => has_procedure mga2-32-ok
Fedora has issued an advisory for this on March 5: http://lists.fedoraproject.org/pipermail/package-announce/2013-March/100083.html
URL: (none) => http://lwn.net/Vulnerabilities/542913/
Testing complete mga2 64
Connected to jabber and gchat in empathy, replicating Claire's test.
CC: (none) => tristan.b.campbell
Update Validated
See bug 9406 for new issues found
See comment 1 for Advisory and SRPM
Could sysadmin please push from core/updates_testing to core/updates.
Thank you!
Whiteboard: has_procedure mga2-32-ok => has_procedure mga2-32-ok mga2-64-ok
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Update pushed : https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0096
Status: NEW => RESOLVED
CC: (none) => dmorganec
Resolution: (none) => FIXED