
Bug 510380 (CVE-2014-3755)

Summary: <media-sound/mumble-1.2.6: two vulnerabilities (CVE-2014-{3755,3756})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: tgurr
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2014/05/15/1
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-05-15 07:34:25 UTC
From ${URL} :

The Mumble team has just released Mumble 1.2.6, which contains fixes
for the two following vulnerabilities:

  Mumble-SA-2014-005  [http://mumble.info/security/Mumble-SA-2014-005.txt]
    - SVG images with local file references could trigger client DoS

  Mumble-SA-2014-006  [http://mumble.info/security/Mumble-SA-2014-006.txt]
    - The Mumble client did not properly HTML-escape some external strings
       before using them in a rich-text (HTML) context.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Timo Gurr (RETIRED) gentoo-dev 2014-05-15 18:37:06 UTC
I've just committed Mumble (and murmur) 1.2.6 to CVS. Both can be stabilized right away since the only changes to 1.2.5 are the security fixes for the Mumble client and just the version number increment for the murmur server part.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2014-06-03 01:45:03 UTC
(In reply to Timo Gurr from comment #1)
> I've just committed Mumble (and murmur) 1.2.6 to CVS. Both can be stabilized
> right away since the only changes to 1.2.5 are the security fixes for the
> Mumble client and just the version number increment for the murmur server
> part.

Thank you, Timo.

Arches, please test and mark stable:
=media-sound/mumble-1.2.6
Target KEYWORDS="amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-06-04 16:04:40 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-06-04 16:05:02 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2014-06-05 00:29:33 UTC
Added to existing GLSA request.
Comment 6 Sergey Popov gentoo-dev 2014-06-06 12:13:30 UTC
+  06 Jun 2014; Sergey Popov <pinkbyte@gentoo.org> -mumble-1.2.5.ebuild:
+  Security cleanup, wrt bug #510380
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-06-06 12:34:28 UTC
This issue was resolved and addressed in
 GLSA 201406-06 at http://security.gentoo.org/glsa/glsa-201406-06.xml
by GLSA coordinator Sergey Popov (pinkbyte).