A weechat security update has been released for SUSE Linux Enterprise 15 SP3.



openSUSE-SU-2022:0083-1: moderate: Security update for weechat


openSUSE Security Update: Security update for weechat
______________________________________________________________________________

Announcement ID: openSUSE-SU-2022:0083-1
Rating: moderate
References: #1190206
Cross-References: CVE-2021-40516
Affected Products:
openSUSE Backports SLE-15-SP3
______________________________________________________________________________

An update that fixes one vulnerability is now available.

Description:

This update for weechat fixes the following issues:

update to 3.2.1:

* CVE-2021-40516: relay: fix crash when decoding a malformed websocket
frame (boo#1190206)

update to 3.2

main changes:

* use XDG directories by default (config, data, cache, runtime)
* add support of IRC SASL mechanisms SCRAM-SHA-1, SCRAM-SHA-256 and
SCRAM-SHA-512
* automatically load system certificates without giving a hardcoded path
to the file with certificates
* add options to customize commands executed on system signals received
(SIGHUP, SIGQUIT, SIGTERM, SIGUSR1, SIGUSR2)
* add bar item "tls_version" and buflist format
* add signals "cursor_start" and "cursor_end"
* add function crypto_hmac in API
* add translated string in evaluation of expressions with "translate:xxx"
* add info "weechat_daemon"
* add Python stub for WeeChat API
* add variables "${tg_shell_argc}" and "${tg_shell_argvN}" in command
trigger evaluated strings
* many bugs fixed.

for all changes, please visit:
  https://weechat.org/files/changelog/ChangeLog-3.2.html

update to 3.1

New features

* core: add options weechat.look.hotlist_update_on_buffer_switch and
weechat.look.read_marker_update_on_buffer_switch (issue #992, issue
#993)
* core: add option sec.crypt.passphrase_command to read passphrase from
an external program on startup, remove option
sec.crypt.passphrase_file (issue #141)
* core: improve debug in command /eval: display more verbose debug with
two "-d", add indentation and colors
* core: add options "setvar" and "delvar" in command /buffer, rename
option "localvar" to "listvar"
* core: add buffer local variable "completion_default_template"
(evaluated) to override the value of option
"weechat.completion.default_template" (issue #1600)
* core: add option "recreate" in command /filter
* core: add raw string in evaluation of expressions with "raw:xxx"
(issue #1611)
* core: add evaluation of conditions in evaluation of expressions with
"eval_cond:xxx" (issue #1582)
* api: add info_hashtable "secured_data"
* irc: add info "irc_is_message_ignored"
* irc: add server option "default_chantypes", used when the server does
not send them in message 005 (issue #1610)
* trigger: add variable "${tg_trigger_name}" in command trigger
evaluated strings (issue #1580)

Bug fixes

* core: fix quoted line in cursor mode (issue #1602)
* core: fix wrong size of the new window after vertical split (issue
#1612)
* core: do not remove quotes in arguments of command /eval as they can
be part of the evaluated expression/condition (issue #1601)
* core: display an error when the buffer is not found with command
/command -buffer
* buflist: add option buflist.look.use_items to speed up display of
buflist (issue #1613)
* irc: add bar item "irc_nick_prefix"
* irc: fix separator between nick and host in bar item "irc_nick_host"
* irc: fix completion of commands /halfop and /dehalfop

Documentation

* do not build weechat-headless man page if headless binary is disabled
(issue #1607)

update to 3.0.1:

* exec: fix search of command by identifier
* spell: fix refresh of bar item "spell_suggest" when the input becomes
empty (issue #1586)
* spell: fix crash with IRC color codes in command line (issue #1589)

update to 3.0

New features

* api: add optional list of colors in infos "nick_color" and
"nick_color_name" (issue #1565)
* api: add argument "bytes" in function string_dyn_concat
* api: add function string_color_code_size (issue #1547)
* exec: add option "-oerr" to send stderr to buffer (now disabled by
default) (issue #1566)
* fset: add option fset.look.auto_refresh (issue #1553)
* irc: add pointer to irc_nick in focus of bar item "buffer_nicklist"
(issue #1535, issue #1538)
* irc: allow to send text on buffers with commands /allchan, /allpv and
/allserv
* irc: evaluate command executed by commands /allchan, /allpv and
/allserv (issue #1536)
* script: add option script.scripts.download_enabled (issue #1548)
* trigger: add variable "tg_argc" in data set by command trigger (issue
#1576)
* trigger: add variable "tg_trigger_name" in data set by all triggers
(issue #1567, issue #1568)

Bug fixes

* core: set "notify_level" to 3 if there is a highlight in the line
(issue #1529)
* core: do not add line with highlight and tag "notify_none" to hotlist
(issue #1529)
* irc: remove SASL timeout message displayed by error after successful
SASL authentication (issue #1515)
* irc: send all channels in a single JOIN command when reconnecting to
the server (issue #1551)
* script: do not automatically download list of scripts on startup if
the file is too old (issue #1548)
* spell: properly skip WeeChat and IRC color codes when checking words
in input (issue #1547)
* trigger: fix recursive calls to triggers using regex (issue #1546)
* trigger: add ${tg_tags} !!- ,notify_none, in conditions of default
trigger "beep" (issue #1529)

Tests

* core: add tests on GUI line functions

Build

* core: disable debug by default in autotools build
* tests: fix compilation with CppUTest ≥ 4.0

- new .desktop file from weechat sources
- update to 2.9
- New features
* core: add bar option "color_bg_inactive": color for window bars in
inactive window (issue #732)
* core: add Alacritty title escape sequence support (issue #1517)
* core: display notify level for current buffer with command /buffer
notify (issue #1505)
* core: count only visible nicks in bar item "buffer_nicklist_count",
add bar items "buffer_nicklist_count_groups" and
"buffer_nicklist_count_all" (issue #1506)
* core: set default size for input bar to 0 (automatic) (issue #1498)
* core: add default key Alt+Enter to insert a newline (issue #1498)
* core: add flag "input_multiline" in buffer (issue #984, issue #1063)
* core: add a scalable WeeChat logo (SVG) (issue #1454, issue #1456)
* core: add base 16/32/64 encoding/decoding in evaluation of expressions
with "base_encode:base,xxx" and "base_decode:base,xxx"
* core: add case sensitive wildcard matching comparison operator (==*
and !!*) and case sensitive/insensitive include comparison operators
(==-, !!-, =-, !-) in evaluation of expressions
* core: add default key Alt+Shift+N to toggle nicklist bar
* core: add command line option "--stdout" in weechat-headless binary to
log to stdout rather than ~/.weechat/weechat.log (issue #1475, issue
#1477)
* core: reload configuration files on SIGHUP (issue #1476)
* api: add pointer "_bar_window" in hashtable sent to hook focus
callback (issue #1450)
* api: add info_hashtable "focus_info" (issue #1245, issue #1257)
* api: rename function hook_completion_get_string to
completion_get_string and hook_completion_list_add to
completion_list_add
* api: add functions completion_new, completion_search and
completion_free
* api: add hdata "completion_word"
* buflist: add default key Alt+Shift+B to toggle buflist
* buflist: add options enable/disable/toggle in command /buflist
* buflist: evaluate option buflist.look.sort so that sort can be
customized for each of the three buflist bar items (issue #1465)
* irc: add support of UTF8MAPPING (issue #1528)
* irc: display account messages in buffers (issue #1250)
* python: add WeeChat sharedir python directory to PYTHONPATH (issue
#1537)
* relay: increase default limits for IRC backlog options
* relay: add command "handshake" in weechat relay protocol and nonce to
prevent replay attacks, add options relay.network.password_hash_algo,
relay.network.password_hash_iterations, relay.network.nonce_size
(issue #1474)
* relay: add command "completion" in weechat relay protocol to perform a
completion on a string at a given position (issue #1484)
* relay: add option relay.network.auth_timeout
* relay: update default colors for client status
* relay: add status "waiting_auth" in irc and weechat protocols (issue
#1358)
* trigger: evaluate arguments of command when the trigger is created
(issue #1472)
- Bug fixes
* core: fix command /window scroll_beyond_end when buffer has fewer
lines than chat height (issue #1509)
* core: force buffer property "time_for_each_line" to 0 for buffers with
free content (issue #1485)
* core: don't collapse consecutive newlines in lines displayed before
the first buffer is created
* core: don't remove consecutive newlines when pasting text (issue
#1500)
* core: don't collapse consecutive newlines in bar content (issue
#1500)
* core: fix WEECHAT_SHAREDIR with CMake build (issue #1461)
* core: fix memory leak in calculation of expression on FreeBSD (issue
#1469)
* core: fix resize of a bar when its size is 0 (automatic) (issue #1470)
* api: fix use of pointer after free in function key_unbind
* api: replace plugin and buffer name by buffer pointer in argument
"modifier_data" sent to weechat_print modifier callback (issue #42)
* buflist: add "window" pointer in bar item evaluation only if it's
not NULL (if bar type is "window")
* exec: fix use of same task id for different tasks (issue #1491)
* fifo: fix errors when writing in the FIFO pipe (issue #713)
* guile: enable again /guile eval (issue #1514)
* irc: use new default chantypes "#&" when the server does not send it
* irc: add support of optional server in info "irc_is_nick", fix check
of nick using UTF8MAPPING isupport value (issue #1528)
* irc: fix add of ignore with flags in regex, display full ignore mask
in list of ignores (issue #1518)
* irc: do not remove spaces at the end of users messages received (issue
#1513)
* irc: fix realname delimiter color in WHO/WHOX response (issue #1497)
* irc: reuse a buffer with wrong type "channel" when a private message
is received (issue #869)
* python: fix crash when invalid UTF-8 string is in a WeeChat hashtable
converted to a Python dict (issue #1463)
* relay: add missing field "notify_level" in message
"_buffer_line_added" (issue #1529)
* relay: fix slow send of data to clients when SSL is enabled
* trigger: only return trigger's return code when condition evaluates
to true (issue #592)
* trigger: fix truncated trigger command with commands /trigger
input|output|recreate
* trigger: do not hide values of options with /set command in cmd_pass
trigger
- Documentation
* add includes directory
* merge 53 auto-generated files into 11 files
* fix broken literal blocks in Japanese docs with Firefox (issue #1466)
- Tests
* core: add CI with GitHub Actions, move codecov.io upload to GitHub
Actions
* core: switch to Ubuntu Bionic on Travis CI, use pylint3 to lint Python
scripts
* core: run tests on plugins only if the plugins are enabled and compiled
* irc: add tests on IRC color and channel functions
- Build
* javascript: disable build by default and remove Debian packaging
of JavaScript plugin (issue #360)
* core: make GnuTLS a required dependency
* core: fix build with CMake 3.17.0
* core: fix build with cygport on Cygwin

Patch Instructions:

To install this openSUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".

Alternatively you can run the command listed for your product:

- openSUSE Backports SLE-15-SP3:

zypper in -t patch openSUSE-2022-83=1


Package List:

- openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64):

weechat-3.2.1-bp153.2.3.1
weechat-devel-3.2.1-bp153.2.3.1
weechat-lua-3.2.1-bp153.2.3.1
weechat-perl-3.2.1-bp153.2.3.1
weechat-python-3.2.1-bp153.2.3.1
weechat-ruby-3.2.1-bp153.2.3.1
weechat-spell-3.2.1-bp153.2.3.1
weechat-tcl-3.2.1-bp153.2.3.1

- openSUSE Backports SLE-15-SP3 (noarch):

weechat-lang-3.2.1-bp153.2.3.1

References:

  https://www.suse.com/security/cve/CVE-2021-40516.html
  https://bugzilla.suse.com/1190206