Advisories » MGASA-2014-0245

Updated mumble packages fix two security vulnerabilities

Publication date: 30 May 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-3755, CVE-2014-3756


Updated mumble packages fix security vulnerabilities:

In Mumble before 1.2.6, the Mumble client is vulnerable to a Denial of
Service attack when rendering crafted SVG files that contain references to
files on the local computer, due to an issue in Qt's SVG renderer module.
This issue can be triggered remotely by an entity participating in a Mumble
voice chat, using text messages, channel comments, user comments and user
textures/avatars (CVE-2014-3755).
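
An added example, not part of the advisory or of Mumble's code: a pre-render check that flags SVG markup whose href / xlink:href attributes point outside the document, the kind of reference CVE-2014-3755 depends on. The function name, the sample documents and the decision to refuse DOCTYPE declarations are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Attribute names that can carry a reference in SVG (assumed scope of this check).
HREF_ATTRS = ("href", "{http://www.w3.org/1999/xlink}href")

def external_refs(svg_text):
    """Return [(element, target)] for every href that points outside the document.

    Raises ValueError for markup that should be refused without rendering.
    """
    upper = svg_text.upper()
    # Refuse DTDs/entities up front: they can pull in files or expand without bound.
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        raise ValueError("DOCTYPE/ENTITY declarations are not accepted")
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc

    found = []
    for elem in root.iter():
        for attr in HREF_ATTRS:
            value = elem.get(attr)
            if value is None:
                continue
            target = value.strip()
            # Same-document fragments and inline data: URIs never touch the filesystem.
            if target.startswith("#") or target.lower().startswith("data:"):
                continue
            found.append((elem.tag.rsplit("}", 1)[-1], target))
    return found

# Constructed samples (not taken from the advisory); the path is a placeholder.
SAMPLE_LOCAL = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect id="shape" width="4" height="4"/>
  <use xlink:href="#shape"/>
  <image xlink:href="file:///placeholder/local/path" width="4" height="4"/>
</svg>"""
SAMPLE_CLEAN = """<svg xmlns="http://www.w3.org/2000/svg">
  <rect id="shape" width="4" height="4"/>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("local", SAMPLE_LOCAL), ("clean", SAMPLE_CLEAN)):
        refs = external_refs(doc)
        print(name, "REJECT" if refs else "ok", refs)
```

The check inspects only href attributes; references carried in style attributes or CSS url(...) values are outside what it covers.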

In Mumble before 1.2.6, the Mumble client did not properly HTML-escape some
external strings before using them in a rich-text (HTML) context. In some
situations, this could be abused to perform a Denial of Service attack on a
Mumble client by causing it to load external files via the HTML