Synopsis
The remote SUSE host is missing a security update.
Description
The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2026:2967-1 advisory.
This update for libgnt, meson, pidgin fixes the following issues
Security issue:
- CVE-2019-25544: denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation (bsc#1260058).
Non security issues:
Changes for meson:
- Update to version 0.46.0.
- Require python2-devel for the testsuite (bsc#1125736)
- Update to version 0.45.0:
- Config-Tool based dependencies can be specified in a cross file.
+ Visual Studio C# compiler support.
+ Removed two deprecated features:
+ Generator outputs can preserve directory structure.
+ Hexadecimal string literals.
+ install_data()` defaults to `{datadir}/{projectname}`.
+ install_subdir() supports strip_directory.
+ Integer options.
+ New method meson.project_license().
+ Rust cross-compilation.
+ Rust compiler-private library disambiguation.
+ Project templates.
+ Improve test setup selection.
+ Yielding subproject option to superproject.
- Update to version 0.44.1:
+ Support running out-of-tree tests against a meson in PATH.
+ Don't add rpaths to system libraries.
+ Fix meson location detection from other meson tools.
+ Various boost, pkg-config and vala related fixes.
- Update to version 0.44.0:
- New features:
- Added warning function.
- Adds support for additional Qt5-Module keyword moc_extra_arguments.
- Prefix-dependent defaults for sysconfdir, localstatedir and sharedstatedir.
- An array type for user options.
- LLVM dependency supports both dynamic and static linking.
- Added if_found to subdir.
- get_unquoted() method for the configuration data object.
- Added disabler object.
- Config-Tool based dependencies gained a method to get arbitrary options.
+ Disable tests for static llvm: we don't ship the static libs.
+ Add cmake(Qt5LinguistTools), libwmf-devel BuildRequires and zlib-devel-static: new dependencies for various tests.
- Require python3-xml: mesonbuild/modules/qt5.py imports the xml module (bsc#1068818).
- Update to version 0.43.0:
- Generator learned capture: Generators can now be configured to capture the standard output.
+ Can index CustomTarget objects: The CustomTarget object can now be indexed like an array. The resulting object can be used as a source file for other Targets, this will create a dependency on the original CustomTarget, but will only insert the generated file corresponding to the index value of the CustomTarget's output keyword.
+ The cross file can now be used for overriding the result of find_program. Then issuing the command find_program('objdump') will return the version specified in the cross file.
+ Easier handling of supported compiler arguments.
+ Better support for shared libraries in non-system paths: This release adds feature parity to shared libraries that are either in non-standard system paths or shipped as part of your project. On systems that support rpath, Meson automatically adds rpath entries to built targets using manually found external libraries.
+ The Wrap dependency system now supports Subversion (svn). This support is rudimentary. The repository url has to point to a specific (sub)directory containing the meson.build file (typically trunk/). However, providing a revision is supported.
- Don't use obsolete boost-devel for openSUSE Leap 15.0 and newer (bsc#1062785).
- Update to version 0.42.1.
- Tumbleweed meson 0.42.0-1.1fails for clang++ projects (bsc#1057701).
- Update to version 0.42.0:
+ Distribution tarballs from Mercurial repositories. Creating distribution tarballs can now be made out of projects based on Mercurial. As before, this remains possible only with the Ninja backend.
+ Keyword argument verification. Meson will now check the keyword arguments used when calling any function and print a warning if any of the keyword arguments is not known. In the future this will become a hard error.
+ Add support for Genie to Vala compiler. The Vala compiler has an alternative syntax, Genie, that uses the .gs file extension.
Meson now recognises and uses Genie files.
+ Pkgconfig support for additional cflags. The Pkgconfig module object can add arbitrary extra cflags to the Cflags value in the .pc file, using the 'extra_cflags' keyword.
+ Base options accessible via get_option(). Base options are now accessible via the get_option() function.
+ Allow crate type configuration for Rust compiler. Rust targets now take an optional rust_crate_type keyword, allowing you to set the crate type of the resulting artifact. Valid crate types are dylib or cdylib for shared libraries, and rlib or staticlib for static libraries. For more, see Rust's linkage reference.
+ Simultaneous use of Address- and Undefined Behavior Sanitizers.
Both the address- and undefined behavior sanitizers can now be used simultaneously by passing -Db_sanitize=address,undefined to Meson.
+ Unstable SIMD module. A new experimental module to compile code with many different SIMD instruction sets and selecting the best one at runtime. This module is unstable, meaning it's API is subject to change in later releases. It might also be removed altogether.
+ Import libraries for executables on Windows. The new keyword implib to executable() allows generation of an import library for the executable.
+ Added build_rpath keyword argument. You can specify build_rpath: '/foo/bar' in build targets and the given path will get added to the target's rpath in the build tree. It is removed during the install step.
+ Meson will print a warning when the user tries to add an rpath linker flag manually, e.g. via link_args to a target. This is not recommended because having multiple rpath causes them to stomp on each other. This warning will become a hard error in some future release.
+ Vulkan dependency module. Vulkan can now be used as native dependency. The dependency module will detect the VULKAN_SDK environment variable or otherwise try to receive the vulkan library and header via pkgconfig or from the system.
+ Limiting the maximum number of linker processes. With the Ninja backend it is now possible to limit the maximum number of concurrent linker processes. This is usually only needed for projects that have many large link steps that cause the system to run out of memory if they are run in parallel. This limit can be set with the new backend_max_links option.
+ Disable implicit include directories. By default Meson adds the current source and build directories to the header search path.
On some rare occasions this is not desired. Setting the implicit_include_directories keyword argument to false these directories are not used.
+ Support for MPI dependency. MPI is now supported as a dependency. Because dependencies are language-specific, you must specify the requested language with the language keyword, i.e., dependency('mpi', language='c') will request the C MPI headers and libraries. See the MPI dependency for more information.
+ Allow excluding files or directories from install_subdir. The install_subdir command accepts the new exclude_files and exclude_directories keyword arguments that allow specified files or directories to be excluded from the installed subdirectory.
+ Make all Meson functionality invokable via the main executable.
Previously Meson had multiple executables such as mesonintrospect and mesontest. They are now invokable via the main Meson executable like this: meson configure <arguments> # equivalent to mesonconf <options> meson test <arguments> # equivalent to mesontest <arguments> The old commands are still available but they are deprecated and will be removed in some future release.
+ Pcap dependency detector. Meson will automatically obtain dependency information for pcap using the pcap-config tool. It is used like any other dependency.
+ GNOME module mkenums_simple() addition. Most libraries and applications use the same standard templates for glib-mkenums.
There is now a new mkenums_simple() convenience method that passes those default templates to glib-mkenums and allows some tweaks such as optional function decorators or leading underscores.
- Update to version 0.41.2:
- Various gtkdoc fixes.
+ Fix how rpath directories are handled.
+ pkgconfig: avoid appending slash at Cflags.
+ Fix a missing path issue causing Python traceback.
+ Qt4 support.
+ Skip handling non-available dependencies.
+ vala: Only add --use-header for unity builds regression.
+ Tag functions in asm properly.
- Update to version 0.41.1:
+ wxwidgets: Fix usage of multiple dependency() calls.
+ Make external library no-op when used with incompatible target (gh#mesonbuild/meson#1941).
+ Failing test for -D dedupping.
+ Preserve standalone -D arguments always.
+ Handle both pkg-config and pkgconf argument order (gh#mesonbuild/meson#1934).
- Update to version 0.41.0:
+ Native support for linking against LLVM using the dependency function.
+ Pkgconfig support for custom variables.
+ A target for creating tarballs using 'ninja dist'.
+ Support for passing arguments to Rust compiler.
+ All known issues regarding reproducible builds are fixed.
+ Extended template substitution in configure_file for @BASENAME@ and @PLAINNAME@ .
+ Support for capturing stdout of a command in configure_file.
- Update to version 0.40.1:
- Outputs of generators can be used in custom targets in the VS + Visual Studio 2017 support.
+ Automatic initialization of subprojects that are git submodules.
+ No download mode for wraps.
+ Overriding options per target.
+ Compiler object get define.
+ Cygwin support.
+ Multiple install directories.
+ Can specify method of obtaining dependencies.
+ Link whole contents of static libraries.
+ Unity builds only for subprojects.
+ Running mesonintrospect from scripts.
- Update to version 0.39.1:
- Allow specifying extra arguments for tests.
+ Bug fixes and minor polishes.
- Update to version 0.38.1:
- New Uninstall target.
+ Support for arbitrary test setups.
+ Intel C/C++ compiler support.
+ Get values from configuration data objects.
+ Python 3 module support simplified.
+ Default options to subprojects.
+ Set targets to be built (or not) by default.
+ Add option to mesonconf to wipe cached data.
+ Can specify file permissions and owner when installing data.
+ has_header() checks are now faster.
+ Array indexing now supports fallback values.
+ Silent mode for Mesontest.
- Update to version 0.37.1.
- Update to version 0.37.0:
- Mesontest: a new testing tool that allows you to run your tests in many different ways.
+ New shared_module function allows shared modules creation.
+ GNOME module now detects required programs and prints useful errors if any are missing.
+ GNOME module uses depfile support available in GLib >= 2.52.0.
+ i18n module has a new merge_file() function for creating translated files.
+ LLVM IR compilation is now supported.
+ .wrap files for subprojects can now include a separate push URL to allow developers to push changes directly from a subproject git checkout.
+ Multiple version restrictions while searching for pkg-config dependencies is now supported.
+ Support for localstatedir has been added.
+ You can now pass arguments to install scripts added with meson.add_install_script().
+ Added new options sbindir and infodir that can be used for installation.
- Update to version 0.36.0:
+ Add option to run under gdb.
+ Always specify installed data with a File object (gh#mesonbuild/meson#858).
+ Made has_function survive optimization flags (gh#mesonbuild/meson#1053).
+ Can give many alternative names to find_program to simplify searching.
+ Can set compiler arguments in Java.
- Changes from version 0.34.0:
- Correctly install .typelib files to libdir.
+ Add option for as-needed link option.
+ Print the CFLAGS/LDFLAGS/etc inherited from the environment.
+ Only append compile flags to the link flags when appropriate.
- Update to version 0.32.0.
- Update to version 0.31.0.
- Update to 0.29.0.
- Update to 0.28.0.
- Update to 0.27.0.
- Update to 0.26.0.
Changes for libgnt:
- update to 2.14.3:
- Added an option to disable python2 support.
+ Add an option to disable building the docs.
+ Fix a SEGFAULT in gnt_combo_box_get_dropdown.
+ Fix an invalid read/write when hiding widgets + Look for python-2.7.pc as well as python2.pc + Bump the minimum meson version from 0.37.0 to 0.41.0 + Fix a buffer size in gntwm.c
Changes for pidgin:
- Update to version 2.14.8:
- Fix a regression in purple_str_to_time
- Update to version 2.14.7:
- Fix leak in purple_markup_find_tag on error + Fix an assert in purple_markup_html_to_xhtml + Correctly free parse tags at end of purple_html_to_xhtml + Fix leak that may occur when xmlnode_from_str fails + Port purple_str_to_time to use a regular expressions
- Update to version 2.14.6:
- Update references to point to our current websites.
+ Add a donate link to the help menu.
Finch:
+ Check pkg-config for ncurses before looking for it manually.
Pidgin:
+ Replace newlines in topics with spaces.
libpurple:
+ Added support for the no_proxy environment variable.
+ Added infrastructure for fuzzing as well as some initial fuzzers.
+ Fix an out of bounds write in purple_markup_linkify.
XMPP:
+ Enable session management after binding a resource.
Zephyr:
+ Fix a clang logical-not-parentheses warning.
- Update to version 2.14.5:
- static code analysis fixes + Disable UPnP and NAT-PMP by default for new user + IRC: Change the default server to irc.libera.chat
- Update to version 2.14.4:
- Use LT_LIB_M to find the math library. This should simplify things for various distros including the BSD's. (RR #608) (and, Justin Lechner) + Update purple-remote and purple-url-handler to have a Python 3 shebang.
+ Install our AppData file into the $prefix/share/metainfo.
Windows-Specific Changes:
+ Output pkg-config files so that our Windows builds can be seen by meson.
Grim owes a blog post on how this works.
+ Update the debug symbols download in the installer to the inetc plugin.
+ Make sure the uninstaller removes all files that we install.
+ Removed the AIM protocol plugin. AIM has been shut down since December 15th of 2017. We left it around because of a third party server, but our plugin no longer works with it. (RR #598) (Gary Kramlich) + Standardize on wprintf in pidgin/win32/winpidgin.c + Use the inetc nsis plugin that supports https + If building under msys2 copy libgcc_s_dw2-1.dll and libwinpthread to the install directory. (RR #593) (PIDGIN-17511) (Gary Kramlich) + Fix a build issue when compiling with gstreamer but without voice and video.
+ Enable cyrus-sasl by default.
+ Fix an issue with opening link in Firefox.
+ Fix a regression from 2.14.0 where extra whitespace would be displayed when pasting <p> elements from HTML.
+ Require Python 3 for generating the D-Bus bindings.
+ Fix an issue where pasting <hr>'s and other HTML elements would eventually lead to a crash.
- Update to version 2.14.1:
- Fix an issue that caused the Mercurial revision in the About box to be 'unknown'.
- Update to version 2.14.0:
General:
+ Fixed a memory leak in search results (pidgin.im#17292).
+ Support SNI with GnuTLS (pidgin.im#17300 tiagosalem).
+ Add additional error handling to NSS and GnuTLS.
+ libpurple:
+ Add invisible buddy support to support presence/name/photos for non-buddies (pidgin.im#17295).
+ Make purple-remote compatible with both Python 2 and Python 3.
+ Fix some leaky deprecation warnings.
+ Fix HTML logs which were writing invalid HTML (pidgin.im#17280).
+ Fix use after free in purple_smiley_set_data_impl.
+ Added the chat_send_file ability to protocol plugins.
Pidgin:
+ Treat <p> tags as line breaks when pasting.
+ Reverted pidgin.im#17232.
It caused more harm than good.
Bonjour:
+ Always use port fallback for IPv4 addresses.
+ XMPP:
+ Support for XEP-0198 Stream Management.
+ Decrease delay for file transfer using streamhosts.
+ Voice & Video:
+ Improve webcam failure handling.
+ Show error when creating media pipeline fails.
+ Clip audio level reporting (pidgin.im#14426).
+ Keep track of devices managed by GstDeviceMonitor.
+ Ignore PulseAudio monitors.
+ Backport native Voice & Video prefs from 3.0.
+ Fix building against GStreamer 0.10.
+ Fix initial delay on incoming audio.
+ Properly cleanup timeouts.
+ Add an audio mixer so mixed sources don't cause a pipe failure.
+ Add screen share support for Wayland via XDP Portal.
+ Handle unplug and replug events of selected media device.
- Update to version 2.13.0:
- Unified string comparison.
+ Properlly shell escape URI's when opening them.
+ Fix a one byte buffer overread in function purple_markup_linkify.
+ Fix an issue were utf8 was incorrectly truncated which could lead to crashes as we were potentially feeding garbage into glib/gtk.
libgnt:
+ Partially fix building against curses 6.0 with opaque structs set (pidgin.im#16764).
+ Fix a crash when resizing the window (pidgin.im#16680).
+ Fix a bashism in autotools (pidgin.im#16836).
+ Show XEP-0066 OOB URLs in any message, not just headlines.
+ Fix a user after free (pidgin.im#17200).
+ Remove pipelining from BOSH connections (pidgin.im#17025).
+ Don't try to TLS already secured BOSH connections (pidgin.im#17270).
IRC:
+ Fix 'Registration timeout' on SASL auth with InspIRCd servers (and possibly others not based on charybdis/ratbox/ircd-seven).
+ Fix issues with plugins that modify outgoing messages (such as the custom PART/QUIT feature of the IRC More plugin).
+ Fix IRC buffer handling (pidgin.im#12562).
+ Properly handle AUTHENTICATE as a normal command with server prefix.
+ Fix a crash caused by a use after free of the MOTD.
+ Fix an out of bounds read in irc_nick_skip_mode.
+ Fix a write of a single byte before the start of a buffer in irc_parse_ctcp.
+ Better support for dark themes (pidgin.im#12572).
+ Fix IPv6 links by not escaping []'s. (pidgin.im#16391).
+ Only write buddy icons to the cache if they're not already cached.
+ Rejoin persistent chats after reconnect (pidgin.im#15687).
+ Make the WIN32 Transparency plugin work on all platforms (pidgin.im#3124).
+ Ensure search results buttons are labelled.
+ Fix matching unicode emoticons (pidgin.im#17232).
+ Correctly update mute/unmute status when the remote side mutes/unmutes us (pidgin.im#17273).
+ Rework the status icon blinking to not use deprecated API (pidgin.im#17174).
+ Do not allow adding a buddy to protocols that don't have an add_buddy callback.
+ Finch:
+ Fix handling of search results (pidgin.im#17238).
+ Port backend-fs to newer api for farstream relay-info property (pidgin.im#17274).
- Add purple-import-empathy Recommends for SLE15 (FATE#322984).
- Remove obsolete translation-update-upstream support (jsc#SLE-21105).
- Extract libpurple.so.* and libpurple-client.so.* to own packages (bsc#1191780).
- don't package directories owned by filesystem rpm (bsc#1184786)
- Drop support for openSUSE older than Leap 15.0.
- No longer recommend -lang: supplements are in use
- Drop pkgconfig(NetworkManager) BuildRequires and Requires: this legacy symbol is no longer maintained and pidgin is not yet ready to move to libnm. As a side-effect, we no longer depend on NM for all situations, even if the system were to run wicked.
- Replace --enable-nm configure parameter with --disable-nm.
- Instead of removing the libjabber.so, liboscar.so symlinks, move them to the devel package.
- Export PYTHON=python3 in %build.
- Adjust scripts to invoke python3, not python2.
- Drop support for SLE 11 and openSUSE older than 42.x.
- Correct the licence to GPL-2.0.
- Explicitly require python2
- Drop dependency over silc-toolkit-devel as we want to remove it from the distribution
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.
Plugin Details
File Name: suse_SU-2026-2967-1.nasl
Agent: unix
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus
Risk Information
Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Threat Vector: CVSS:4.0/E:P
Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:finch-devel, p-cpe:/a:novell:suse_linux:libpurple, p-cpe:/a:novell:suse_linux:libgnt-devel, p-cpe:/a:novell:suse_linux:libpurple-lang, p-cpe:/a:novell:suse_linux:libnice-devel, p-cpe:/a:novell:suse_linux:libpurple0, p-cpe:/a:novell:suse_linux:typelib-1_0-farstream-0_2, p-cpe:/a:novell:suse_linux:farstream-data, p-cpe:/a:novell:suse_linux:farstream-devel, p-cpe:/a:novell:suse_linux:typelib-1_0-gupnp-1_0, p-cpe:/a:novell:suse_linux:libpurple-client0, p-cpe:/a:novell:suse_linux:libpurple-tcl, p-cpe:/a:novell:suse_linux:libgupnp-igd-1_0-4, p-cpe:/a:novell:suse_linux:libgnt0-32bit, p-cpe:/a:novell:suse_linux:typelib-1_0-gssdp-1_0, p-cpe:/a:novell:suse_linux:typelib-1_0-gupnpigd-1_0, p-cpe:/a:novell:suse_linux:libfarstream-0_2-5, p-cpe:/a:novell:suse_linux:pidgin-devel, p-cpe:/a:novell:suse_linux:libgupnp-igd-devel, p-cpe:/a:novell:suse_linux:libgssdp-1_0-3, p-cpe:/a:novell:suse_linux:libpurple-branding-upstream, p-cpe:/a:novell:suse_linux:libpurple-devel, p-cpe:/a:novell:suse_linux:libgssdp-devel, p-cpe:/a:novell:suse_linux:libgupnp-devel, p-cpe:/a:novell:suse_linux:libnice10, p-cpe:/a:novell:suse_linux:finch, p-cpe:/a:novell:suse_linux:libgnt0, cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:libgupnp-1_0-4, p-cpe:/a:novell:suse_linux:gstreamer-plugins-farstream
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 7/14/2026
Vulnerability Publication Date: 3/21/2026