Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 510380 (CVE-2014-3755) - <media-sound/mumble-1.2.6: two vulnerabilities (CVE-2014-{3755,3756})
Summary: <media-sound/mumble-1.2.6: two vulnerabilities (CVE-2014-{3755,3756})
Status: RESOLVED FIXED
Alias: CVE-2014-3755
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2014-05-15 07:34 UTC by Agostino Sarubbo
Modified: 2014-06-06 12:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-05-15 07:34:25 UTC
From ${URL} :

The Mumble team has just released Mumble 1.2.6, which contains fixes
for the two following vulnerabilities:

  Mumble-SA-2014-005  [http://mumble.info/security/Mumble-SA-2014-005.txt]
    - SVG images with local file references could trigger client DoS

  Mumble-SA-2014-006  [http://mumble.info/security/Mumble-SA-2014-006.txt]
    - The Mumble client did not properly HTML-escape some external strings
       before using them in a rich-text (HTML) context.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Timo Gurr (RETIRED) gentoo-dev 2014-05-15 18:37:06 UTC
I've just committed Mumble (and murmur) 1.2.6 to CVS. Both can be stabilized right away since the only change to 1.2.5 are the security fixes for the Mumble client and just the version number increment for the murmur server part.
Comment 2 Sean Amoss gentoo-dev Security 2014-06-03 01:45:03 UTC
(In reply to Timo Gurr from comment #1)
> I've just committed Mumble (and murmur) 1.2.6 to CVS. Both can be stabilized
> right away since the only change to 1.2.5 are the security fixes for the
> Mumble client and just the version number increment for the murmur server
> part.

Thank you, Timo.

Arches, please test and mark stable:
=media-sound/mumble-1.2.6
Target KEYWORDS="amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2014-06-04 16:04:40 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2014-06-04 16:05:02 UTC
x86 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2014-06-05 00:29:33 UTC
Added to existing GLSA request.
Comment 6 Sergey Popov gentoo-dev 2014-06-06 12:13:30 UTC
+  06 Jun 2014; Sergey Popov <pinkbyte@gentoo.org> -mumble-1.2.5.ebuild:
+  Security cleanup, wrt bug #510380
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2014-06-06 12:34:28 UTC
This issue was resolved and addressed in
 GLSA 201406-06 at http://security.gentoo.org/glsa/glsa-201406-06.xml
by GLSA coordinator Sergey Popov (pinkbyte).