Updated mumble packages fix two security vulnerabilities
Publication date: 30 May 2014
Modification date: 30 May 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-3755, CVE-2014-3756
Description
Updated mumble packages fix security vulnerabilities:
In Mumble before 1.2.6, the Mumble client is vulnerable to a Denial of
Service attack when rendering crafted SVG files that contain references to
files on the local computer, due to an issue in Qt's SVG renderer module.
This issue can be triggered remotely by an entity participating in a Mumble
voice chat, using text messages, channel comments, user comments and user
textures/avatars (CVE-2014-3755).
In Mumble before 1.2.6, the Mumble client did not properly HTML-escape some
external strings before using them in a rich-text (HTML) context. In some
situations, this could be abused to perform a Denial of Service attack on a
Mumble client by causing it to load external files via the HTML
(CVE-2014-3756).
References
- http://mumble.info/security/Mumble-SA-2014-005.txt
- http://mumble.info/security/Mumble-SA-2014-006.txt
- http://openwall.com/lists/oss-security/2014/05/15/4
- https://bugs.mageia.org/show_bug.cgi?id=13382
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3755
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3756
SRPMS
3/core
- mumble-1.2.3-10.1.mga3
4/core
- mumble-1.2.3-14.1.mga4