openSUSE-SU-2022:0083-1: moderate: Security update for weechat

openSUSE Security Update: Security update for weechat ______________________________________________________________________________ Announcement ID: openSUSE-SU-2022:0083-1 Rating: moderate References: #1190206 Cross-References: CVE-2021-40516 Affected Products: openSUSE Backports SLE-15-SP3 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for weechat fixes the following issues: update to 3.2.1: * CVE-2021-40516: relay: fix crash when decoding a malformed websocket frame (boo#1190206) update to 3.2 main changes: * use XDG directories by default (config, data, cache, runtime) * add support of IRC SASL mechanisms SCRAM-SHA-1, SCRAM-SHA-256 and SCRAM-SHA-512 * automatically load system certificates without giving a hardcoded path to the file with certificates * add options to customize commands executed on system signals received (SIGHUP, SIGQUIT, SIGTERM, SIGUSR1, SIGUSR2) * add bar item “tls_version” and buflist format * add signals “cursor_start” and “cursor_end” * add function crypto_hmac in API * add translated string in evaluation of expressions with “translate:xxx” * add info “weechat_daemon” * add Python stub for WeeChat API * add variables “${tg_shell_argc}” and “${tg_shell_argvN}” in command trigger evaluated strings * many bugs fixed. for all changes, please visit: https://weechat.org/files/changelog/ChangeLog-3.2.html update to 3.1 New features * core: add options weechat.look.hotlist_update_on_buffer_switch and weechat.look.read_marker_update_on_buffer_switch (issue #992, issue #993) * core: add option sec.crypt.passphrase_command to read passphrase from an external program on startup, remove option sec.crypt.passphrase_file (issue #141) * core: improve debug in command /eval: display more verbose debug with two “-d”, add indentation and colors * core: add options “setvar” and “delvar” in command /buffer, rename option “localvar” to “listvar” * core: add buffer local variable “completion_default_template” (evaluated) to override the value of option “weechat.completion.default_template” (issue #1600) * core: add option “recreate” in command /filter * core: add raw string in evaluation of expressions with “raw:xxx” (issue #1611) * core: add evaluation of conditions in evaluation of expressions with “eval_cond:xxx” (issue #1582) * api: add info_hashtable “secured_data” * irc: add info “irc_is_message_ignored” * irc: add server option “default_chantypes”, used when the server does not send them in message 005 (issue #1610) * trigger: add variable “${tg_trigger_name}” in command trigger evaluated strings (issue #1580) - Bug fixes * core: fix quoted line in cursor mode (issue #1602) * core: fix wrong size of the new window after vertical split (issue #1612) * core: do not remove quotes in arguments of command /eval as they can be part of the evaluated expression/condition (issue #1601) * core: display an error when the buffer is not found with command /command -buffer * buflist: add option buflist.look.use_items to speed up display of buflist (issue #1613) * irc: add bar item “irc_nick_prefix” * irc: fix separator between nick and host in bar item “irc_nick_host” * irc: fix completion of commands /halfop and /dehalfop - Documentation * do not build weechat-headless man page if headless binary is disabled (issue #1607) update to 3.0.1: * exec: fix search of command by identifier * spell: fix refresh of bar item “spell_suggest” when the input becomes empty (issue #1586) * spell: fix crash with IRC color codes in command line (issue #1589) update to 3.0 New features * api: add optional list of colors in infos “nick_color” and “nick_color_name” (issue #1565) * api: add argument “bytes” in function string_dyn_concat * api: add function string_color_code_size (issue #1547) * exec: add option “-oerr” to send stderr to buffer (now disabled by default) (issue #1566) * fset: add option fset.look.auto_refresh (issue #1553) * irc: add pointer to irc_nick in focus of bar item “buffer_nicklist” (issue #1535, issue #1538) * irc: allow to send text on buffers with commands /allchan, /allpv and /allserv * irc: evaluate command executed by commands /allchan, /allpv and /allserv (issue #1536) * script: add option script.scripts.download_enabled (issue #1548) * trigger: add variable “tg_argc” in data set by command trigger (issue #1576) * trigger: add variable “tg_trigger_name” in data set by all triggers (issue #1567, issue #1568) Bug fixes * core: set “notify_level” to 3 if there is a highlight in the line (issue #1529) * core: do not add line with highlight and tag “notify_none” to hotlist (issue #1529) * irc: remove SASL timeout message displayed by error after successful SASL authentication (issue #1515) * irc: send all channels in a single JOIN command when reconnecting to the server (issue #1551) * script: do not automatically download list of scripts on startup if the file is too old (issue #1548) * spell: properly skip WeeChat and IRC color codes when checking words in input (issue #1547) * trigger: fix recursive calls to triggers using regex (issue #1546) * trigger: add ${tg_tags} !!- ,notify_none, in conditions of default trigger “beep” (issue #1529) - Tests * core: add tests on GUI line functions - Build * core: disable debug by default in autotools build * tests: fix compilation with CppUTest ��� 4.0 - new .desktop file from weechat sources - update to 2.9 - New features * core: add bar option “color_bg_inactive”: color for window bars in inactive window (issue #732) * core: add Alacritty title escape sequence support (issue #1517) * core: display notify level for current buffer with command /buffer notify (issue #1505) * core: count only visible nicks in bar item “buffer_nicklist_count”, add bar items “buffer_nicklist_count_groups” and “buffer_nicklist_count_all” (issue #1506) * core: set default size for input bar to 0 (automatic) (issue #1498) * core: add default key Alt+Enter to insert a newline (issue #1498) * core: add flag “input_multiline” in buffer (issue #984, issue #1063) * core: add a scalable WeeChat logo (SVG) (issue #1454, issue #1456) * core: add base 16/32/64 encoding/decoding in evaluation of expressions with “base_encode:base,xxx” and “base_decode:base,xxx” * core: add case sensitive wildcard matching comparison operator (==* and !!*) and case sensitive/insensitive include comparison operators (==-, !!-, =-, !-) in evaluation of expressions * core: add default key Alt+Shift+N to toggle nicklist bar * core: add command line option “–stdout” in weechat-headless binary to log to stdout rather than ~/.weechat/weechat.log (issue #1475, issue #1477) * core: reload configuration files on SIGHUP (issue #1476) * api: add pointer “_bar_window” in hashtable sent to hook focus callback (issue #1450) * api: add info_hashtable “focus_info” (issue #1245, issue #1257) * api: rename function hook_completion_get_string to completion_get_string and hook_completion_list_add to completion_list_add * api: add functions completion_new, completion_search and completion_free * api: add hdata “completion_word” * buflist: add default key Alt+Shift+B to toggle buflist * buflist: add options enable/disable/toggle in command /buflist * buflist: evaluate option buflist.look.sort so that sort can be customized for each of the three buflist bar items (issue #1465) * irc: add support of UTF8MAPPING (issue #1528) * irc: display account messages in buffers (issue #1250) * python: add WeeChat sharedir python directory to PYTHONPATH (issue #1537) * relay: increase default limits for IRC backlog options * relay: add command “handshake” in weechat relay protocol and nonce to prevent replay attacks, add options relay.network.password_hash_algo, relay.network.password_hash_iterations, relay.network.nonce_size (issue #1474) * relay: add command “completion” in weechat relay protocol to perform a completion on a string at a given position (issue #1484) * relay: add option relay.network.auth_timeout * relay: update default colors for client status * relay: add status “waiting_auth” in irc and weechat protocols (issue #1358) * trigger: evaluate arguments of command when the trigger is created (issue #1472) - Bug fixes * core: fix command /window scroll_beyond_end when buffer has fewer lines than chat height (issue #1509) * core: force buffer property “time_for_each_line” to 0 for buffers with free content (issue #1485) * core: don���t collapse consecutive newlines in lines displayed before the first buffer is created * core: don���t remove consecutive newlines when pasting text (issue #1500) * core: don���t collapse consecutive newlines in bar content (issue #1500) * core: fix WEECHAT_SHAREDIR with CMake build (issue #1461) * core: fix memory leak in calculation of expression on FreeBSD (issue #1469) * core: fix resize of a bar when its size is 0 (automatic) (issue #1470) * api: fix use of pointer after free in function key_unbind * api: replace plugin and buffer name by buffer pointer in argument “modifier_data” sent to weechat_print modifier callback (issue #42) * buflist: add “window” pointer in bar item evaluation only if it���s not NULL (if bar type is “window”) * exec: fix use of same task id for different tasks (issue #1491) * fifo: fix errors when writing in the FIFO pipe (issue #713) * guile: enable again /guile eval (issue #1514) * irc: use new default chantypes “#&” when the server does not send it * irc: add support of optional server in info “irc_is_nick”, fix check of nick using UTF8MAPPING isupport value (issue #1528) * irc: fix add of ignore with flags in regex, display full ignore mask in list of ignores (issue #1518) * irc: do not remove spaces at the end of users messages received (issue #1513) * irc: fix realname delimiter color in WHO/WHOX response (issue #1497) * irc: reuse a buffer with wrong type “channel” when a private message is received (issue #869) * python: fix crash when invalid UTF-8 string is in a WeeChat hashtable converted to a Python dict (issue #1463) * relay: add missing field “notify_level” in message “_buffer_line_added” (issue #1529) * relay: fix slow send of data to clients when SSL is enabled * trigger: only return trigger���s return code when condition evaluates to true (issue #592) * trigger: fix truncated trigger command with commands /trigger input|output|recreate * trigger: do not hide values of options with /set command in cmd_pass trigger - Documentation * add includes directory * merge 53 auto-generated files into 11 files * fix broken literal blocks in Japanese docs with Firefox (issue #1466) - Tests * core: add CI with GitHub Actions, move codecov.io upload to GitHub Actions * core: switch to Ubuntu Bionic on Travis CI, use pylint3 to lint Python scripts * core: run tests on plugins only if the plugins are enabled and compiled * irc: add tests on IRC color and channel functions - Build * javascript: disable build by default and remove Debian packaging of JavaScript plugin (issue #360) * core: make GnuTLS a required dependency * core: fix build with CMake 3.17.0 * core: fix build with cygport on Cygwin Patch Instructions: To install this openSUSE Security Update use the SUSE recommended installation methods like YaST online_update or “zypper patch”. Alternatively you can run the command listed for your product: - openSUSE Backports SLE-15-SP3: zypper in -t patch openSUSE-2022-83=1 Package List: - openSUSE Backports SLE-15-SP3 (aarch64 i586 ppc64le s390x x86_64): weechat-3.2.1-bp153.2.3.1 weechat-devel-3.2.1-bp153.2.3.1 weechat-lua-3.2.1-bp153.2.3.1 weechat-perl-3.2.1-bp153.2.3.1 weechat-python-3.2.1-bp153.2.3.1 weechat-ruby-3.2.1-bp153.2.3.1 weechat-spell-3.2.1-bp153.2.3.1 weechat-tcl-3.2.1-bp153.2.3.1 - openSUSE Backports SLE-15-SP3 (noarch): weechat-lang-3.2.1-bp153.2.3.1 References: https://www.suse.com/security/cve/CVE-2021-40516.html https://bugzilla.suse.com/1190206

More…