Debian: DSA-2859-1: pidgin security update

    Date: 10 Feb 2014
    Category: Debian
    Posted By: LinuxSecurity Advisories
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-2859-1
    http://www.debian.org/security/                        Moritz Muehlenhoff
    February 10, 2014                      http://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : pidgin
    Vulnerability  : several
    CVE ID         : CVE-2013-6477 CVE-2013-6478 CVE-2013-6479 CVE-2013-6481 
                     CVE-2013-6482 CVE-2013-6483 CVE-2013-6484 CVE-2013-6485 
                     CVE-2013-6487 CVE-2013-6489 CVE-2013-6490 CVE-2014-0020
    
    Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol
    instant messaging client:
    
    CVE-2013-6477
    
        Jaime Breva Ribes discovered that a remote XMPP user can trigger a 
        crash by sending a message with a timestamp in the distant future.
    
    CVE-2013-6478
    
        Pidgin could be crashed through overly wide tooltip windows.
    
    CVE-2013-6479
    
        Jacob Appelbaum discovered that a malicious server or a "man in the 
        middle" could send a malformed HTTP header resulting in denial of
        service.
    
    CVE-2013-6481
    
        Daniel Atallah discovered that Pidgin could be crashed through 
        malformed Yahoo! P2P messages.
    
    CVE-2013-6482
    
        Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
        could be crashed through malformed MSN messages.
    
    CVE-2013-6483
    
        Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
        could be crashed through malformed XMPP messages.
    
    CVE-2013-6484
    
        It was discovered that incorrect error handling when reading the 
        response from a STUN server could result in a crash.
    
    CVE-2013-6485
    
        Matt Jones discovered a buffer overflow in the parsing of malformed
        HTTP responses.
    
    CVE-2013-6487
    
        Yves Younan and Ryan Pentney discovered a buffer overflow when parsing
        Gadu-Gadu messages.
    
    CVE-2013-6489
    
        Yves Younan and Pawel Janic discovered an integer overflow when parsing
        MXit emoticons.
    
    CVE-2013-6490
    
        Yves Younan discovered a buffer overflow when parsing SIMPLE headers.
    
    CVE-2014-0020
    
        Daniel Atallah discovered that Pidgin could be crashed via malformed
        IRC arguments.
    
    For the oldstable distribution (squeeze), no direct backport is provided.
    Fixed packages will be provided through backports.debian.org shortly.
    
    For the stable distribution (wheezy), these problems have been fixed in
    version 2.10.9-1~deb7u1.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 2.10.9-1.
    
    We recommend that you upgrade your pidgin packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/
    
    