openSUSE Security Update : konversation (openSUSE-SU-2014:1406-1)

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

konversation was updated to version 1.5.1, fixing bugs and one
security issue.

Changes :

- Konversation 1.5.1 is a maintenance release containing
only bug fixes. The included changes address several
minor behavioral defects and a low-risk DoS security
defect in the Blowfish ECB support. The KDE Platform
version dependency has increased to v4.9.0 to gain
access to newer Qt socket transport security flags.

- Fixed a bug causing wildcards in command alias
replacement patterns not to be expanded.

- Fixed a bug causing auto-joining of channels not
starting in # or & to sometimes fail because the
auto-join command was generated before we got the
CHANTYPES pronouncement by the server.

- Added a size sanity check for incoming Blowfish ECB
blocks. The blind assumption that incoming blocks were
the expected 12 bytes could lead to a crash or to an
information leak of up to 11 bytes due to an
out-of-bounds read (CVE-2014-8483).
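The defect described in the item above is a missing length check before reading fixed-size blocks. The following C example is added here to illustrate the class of bug and its fix; it is not Konversation's code. It assumes a FiSH-style encoding in which each 8-byte Blowfish ECB block travels as 12 text characters of 6 bits each (the alphabet, word layout and function names are assumptions). The unchecked variant only computes how far a full-block read would run past the end of a short input, instead of performing the read, so the example itself has no undefined behaviour; the checked variant rejects any input that is not a whole number of 12-character blocks before touching it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Assumed encoding: one 8-byte cipher block per 12 input characters,
 * each character carrying 6 bits. (Example constants, not Konversation's.) */
#define ENCODED_BLOCK_LEN 12
#define RAW_BLOCK_LEN 8
static const char ALPHABET[] =
    "./0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

/* 6-bit value of one character, or -1 if it is outside the alphabet. */
static int char_value(char c) {
    const char *p = strchr(ALPHABET, c);
    if (c == '\0' || p == NULL) return -1;
    return (int)(p - ALPHABET);
}

/* Unchecked accounting: a decoder that blindly assumes whole 12-byte
 * blocks would read this many bytes past the end of a buffer of
 * input_len bytes (0 when the length is already a multiple of 12,
 * otherwise 1..11, which matches the "up to 11 bytes" in the advisory). */
size_t naive_overread_bytes(size_t input_len) {
    size_t rounded_up =
        ((input_len + ENCODED_BLOCK_LEN - 1) / ENCODED_BLOCK_LEN) * ENCODED_BLOCK_LEN;
    return rounded_up - input_len;
}

/* Size sanity check: accept only a non-empty buffer whose length is an
 * exact multiple of the encoded block size. Returns the block count or -1. */
int checked_block_count(const char *buf, size_t len) {
    if (buf == NULL || len == 0 || len % ENCODED_BLOCK_LEN != 0) return -1;
    return (int)(len / ENCODED_BLOCK_LEN);
}

/* Decode one 12-character block into 8 bytes: the first six characters
 * form one 32-bit word (least significant 6 bits first), the next six
 * the other; both words are written big-endian. Returns 0 or -1 on a
 * character outside the alphabet. */
static int decode_one_block(const char *in, uint8_t *out) {
    uint32_t words[2] = {0, 0};
    for (int w = 0; w < 2; w++) {
        for (int i = 0; i < 6; i++) {
            int v = char_value(in[w * 6 + i]);
            if (v < 0) return -1;
            words[w] |= (uint32_t)v << (6 * i);
        }
    }
    /* Emit the second word first, then the first, each big-endian. */
    for (int b = 0; b < 4; b++) {
        out[b] = (uint8_t)(words[1] >> (24 - 8 * b));
        out[4 + b] = (uint8_t)(words[0] >> (24 - 8 * b));
    }
    return 0;
}

/* Hardened decoder: validates the total length first, then reads only
 * inside [buf, buf + len). Returns the number of blocks decoded, or -1. */
int decode_blocks_checked(const char *buf, size_t len, uint8_t *out, size_t out_cap) {
    int n = checked_block_count(buf, len);
    if (n < 0) return -1;
    if (out_cap < (size_t)n * RAW_BLOCK_LEN) return -1;
    for (int i = 0; i < n; i++) {
        if (decode_one_block(buf + (size_t)i * ENCODED_BLOCK_LEN,
                             out + (size_t)i * RAW_BLOCK_LEN) != 0)
            return -1;
    }
    return n;
}

int main(void) {
    /* Constructed inputs: a 13-character message (one block plus a stray
     * byte) and a well-formed 12-character block. */
    const char *short_msg = "/............";   /* 13 chars */
    const char *good_msg = "/...........";     /* 12 chars */
    uint8_t out[RAW_BLOCK_LEN];

    printf("unchecked decoder over-reads %zu byte(s) on a 13-byte input\n",
           naive_overread_bytes(strlen(short_msg)));
    printf("checked decoder on 13-byte input: %d (rejected)\n",
           decode_blocks_checked(short_msg, strlen(short_msg), out, sizeof out));
    printf("checked decoder on 12-byte input: %d block(s)\n",
           decode_blocks_checked(good_msg, strlen(good_msg), out, sizeof out));
    return 0;
}
```

The order of the two checks matters: the length test runs before any character is inspected, so a truncated or oversized message is refused without the decoder ever indexing past the buffer, which is the property the 1.5.1 fix restores.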

- Enabling SSL/TLS support for connections will now
advertise the protocols Qt considers secure by default,
instead of being hardcoded to TLSv1.

- Fixed the bundled 'sysinfo' script not coping with empty
lines in /etc/os-release.

- Made disk space info in the bundled 'sysinfo' script
more robust by forcing the C locale for 'df'.

- Added an audio player type hint for Cantata to the
bundled 'media' script.

- Fixed some minor comparison logic errors turned up by
static analysis.

- Konversation now depends on KDE Platform v4.9.0 or
higher.

See also :

http://lists.opensuse.org/opensuse-updates/2014-11/msg00046.html
https://bugzilla.opensuse.org/show_bug.cgi?id=902670

Solution :

Update the affected konversation packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 79226

Bugtraq ID:

CVE ID: CVE-2014-8483
