[ubuntu/hardy-security] pidgin_2.4.1-1ubuntu2.8_i386_translations.tar.gz, pidgin_2.4.1-1ubuntu2.8_ia64_translations.tar.gz, pidgin_2.4.1-1ubuntu2.8_sparc_translations.tar.gz (delayed), pidgin, pidgin_2.4.1-1ubuntu2.8_powerpc_translations.tar.gz, pidgin_2.4.1-1ubuntu2.8_lpia_translations.tar.gz, pidgin_2.4.1-1ubuntu2.8_hppa_translations.tar.gz, pidgin_2.4.1-1ubuntu2.8_amd64_translations.tar.gz 1:2.4.1-1ubuntu2.8 (Accepted)

Ubuntu Installer archive at ubuntu.com
Mon Jan 18 15:05:47 GMT 2010


pidgin (1:2.4.1-1ubuntu2.8) hardy-security; urgency=low

  * SECURITY UPDATE: denial of service via TOPIC message
    - debian/patches/87_security_CVE-2009-2703.patch: validate args in
      libpurple/protocols/irc/msgs.c.
    - CVE-2009-2703
  * SECURITY UPDATE: information disclosure via incorrect jabber TLS
    handling
    - debian/patches/88_security_CVE-2009-3026.patch: bail out if
      encryption is not available in libpurple/protocols/jabber/auth.c.
    - CVE-2009-3026
  * SECURITY UPDATE: denial of service via malformed SLP invite message
    - debian/patches/89_security_CVE-2009-3083.patch: validate branch,
      content_type and content in libpurple/protocols/msn/slp.c and
      libpurple/protocols/msnp9/slp.c.
    - CVE-2009-3083
  * SECURITY UPDATE: denial of service via crafted contact list data
    - debian/patches/90_security_CVE-2009-3615.patch: validate contact
      list structure in libpurple/protocols/oscar/oscar.c.
    - CVE-2009-3615
  * SECURITY UPDATE: denial of service via specially formulated long
    filename (LP: #245769)
    - previous 72_SECURITY_CVE-2008-2955.patch patch was incomplete
    - debian/patches/91_security_CVE-2008-2955-2.patch: change
      src/protocols/msnp9/[slplink.c,slpcall.*] to make sure xfer structure
      still exists before putting dest_fp in it.
    - CVE-2008-2955
  * SECURITY UPDATE: arbitrary code execution via crafted MSN message
    - previous 83_security_CVE-2009-1376.patch patch was incomplete
    - debian/patches/92_security_CVE-2009-1376-2.patch: switch offset
      variable to guint64 in libpurple/protocols/msnp9/slplink.c.
    - CVE-2009-1376
  * Fix connection issue with MSN (LP: #494002)
    - debian/patches/93_msn_protocol8.patch: use protocol v8 in
      libpurple/protocols/msnp9/session.c, as it seems v9 isn't supported
      by msn anymore.

Date: Fri, 15 Jan 2010 12:56:44 -0500
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Core Developers <ubuntu-devel at lists.ubuntu.com>
https://launchpad.net/ubuntu/hardy/+source/pidgin/1:2.4.1-1ubuntu2.8
-------------- next part --------------
Format: 1.7
Date: Fri, 15 Jan 2010 12:56:44 -0500
Source: pidgin
Binary: libpurple0 pidgin pidgin-data pidgin-dev pidgin-dbg finch finch-dev libpurple-dev libpurple-bin gaim
Architecture: source
Version: 1:2.4.1-1ubuntu2.8
Distribution: hardy-security
Urgency: low
Maintainer: Ubuntu Core Developers <ubuntu-devel at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description: 
 finch      - text-based multi-protocol instant messaging client
 finch-dev  - text-based multi-protocol instant messaging client - development
 gaim       - transitional package to Pidgin
 libpurple-bin - multi-protocol instant messaging library - extra utilities
 libpurple-dev - multi-protocol instant messaging library - development files
 libpurple0 - multi-protocol instant messaging library
 pidgin     - graphical multi-protocol instant messaging client for X
 pidgin-data - multi-protocol instant messaging client - data files
 pidgin-dbg - Debugging symbols for Pidgin
 pidgin-dev - multi-protocol instant messaging client - development files
Launchpad-Bugs-Fixed: 245769 494002
Changes: 
 pidgin (1:2.4.1-1ubuntu2.8) hardy-security; urgency=low
 .
   * SECURITY UPDATE: denial of service via TOPIC message
     - debian/patches/87_security_CVE-2009-2703.patch: validate args in
       libpurple/protocols/irc/msgs.c.
     - CVE-2009-2703
   * SECURITY UPDATE: information disclosure via incorrect jabber TLS
     handling
     - debian/patches/88_security_CVE-2009-3026.patch: bail out if
       encryption is not available in libpurple/protocols/jabber/auth.c.
     - CVE-2009-3026
   * SECURITY UPDATE: denial of service via malformed SLP invite message
     - debian/patches/89_security_CVE-2009-3083.patch: validate branch,
       content_type and content in libpurple/protocols/msn/slp.c and
       libpurple/protocols/msnp9/slp.c.
     - CVE-2009-3083
   * SECURITY UPDATE: denial of service via crafted contact list data
     - debian/patches/90_security_CVE-2009-3615.patch: validate contact
       list structure in libpurple/protocols/oscar/oscar.c.
     - CVE-2009-3615
   * SECURITY UPDATE: denial of service via specially formulated long
     filename (LP: #245769)
     - previous 72_SECURITY_CVE-2008-2955.patch patch was incomplete
     - debian/patches/91_security_CVE-2008-2955-2.patch: change
       src/protocols/msnp9/[slplink.c,slpcall.*] to make sure xfer structure
       still exists before putting dest_fp in it.
     - CVE-2008-2955
   * SECURITY UPDATE: arbitrary code execution via crafted MSN message
     - previous 83_security_CVE-2009-1376.patch patch was incomplete
     - debian/patches/92_security_CVE-2009-1376-2.patch: switch offset
       variable to guint64 in libpurple/protocols/msnp9/slplink.c.
     - CVE-2009-1376
   * Fix connection issue with MSN (LP: #494002)
     - debian/patches/93_msn_protocol8.patch: use protocol v8 in
       libpurple/protocols/msnp9/session.c, as it seems v9 isn't supported
       by msn anymore.
Files: 
 45ccb8c6d8abc66534202310a6953d8f 1540 net optional pidgin_2.4.1-1ubuntu2.8.dsc
 377565d6f9785cd8a299214f30b36a1f 141994 net optional pidgin_2.4.1-1ubuntu2.8.diff.gz
Original-Maintainer: Robert McQueen <robot101 at debian.org>

