What Are You Looking For?

Sign Up
Date:         Tue, 16 Dec 2008 13:31:40 -0600
Reply-To:     Troy Dawson 
Sender:       Security Errata for Scientific Linux
              
From:         Troy Dawson 
Subject:      Security ERRATA for pidgin on SL4.x, SL5.x i386/x86_64
Comments: To: "scientific-linux-errata@fnal.gov"
          

Synopsis:	Moderate: pidgin security and bug fix update
Issue date:	2008-12-15
CVE Names:	CVE-2008-2955 CVE-2008-2957 CVE-2008-3532

A denial-of-service flaw was found in Pidgin's MSN protocol handler. If a
remote user was able to send, and the Pidgin user accepted, a
carefully-crafted file request, it could result in Pidgin crashing.
(CVE-2008-2955)

A denial-of-service flaw was found in Pidgin's Universal Plug and Play
(UPnP) request handling. A malicious UPnP server could send a request to
Pidgin, causing it to download an excessive amount of data, consuming all
available memory or disk space. (CVE-2008-2957)

A flaw was found in the way Pidgin handled SSL certificates. The NSS SSL
implementation in Pidgin did not properly verify the authenticity of SSL
certificates. This could have resulted in users unknowingly connecting to a
malicious SSL service. (CVE-2008-3532)

In addition, this update upgrades pidgin from version 2.3.1 to version
2.5.2, with many additional stability and functionality fixes from the
Pidgin Project.

Note: the Secure Internet Live Conferencing (SILC) chat network protocol
has recently changed, affecting all versions of pidgin shipped with Red Hat
Enterprise Linux.

Pidgin cannot currently connect to the latest version of the SILC server
(1.1.14): it fails to properly exchange keys during initial login. This
update does not correct this. Red Hat Bugzilla #474212 (linked to in the
References section) has more information.

Note: after the errata packages are installed, Pidgin must be restarted for
the update to take effect.

SL 4.x

     SRPMS:
pidgin-2.5.2-6.el4.src.rpm
     i386:
finch-2.5.2-6.el4.i386.rpm
finch-devel-2.5.2-6.el4.i386.rpm
libpurple-2.5.2-6.el4.i386.rpm
libpurple-devel-2.5.2-6.el4.i386.rpm
libpurple-perl-2.5.2-6.el4.i386.rpm
libpurple-tcl-2.5.2-6.el4.i386.rpm
pidgin-2.5.2-6.el4.i386.rpm
pidgin-devel-2.5.2-6.el4.i386.rpm
pidgin-perl-2.5.2-6.el4.i386.rpm
     x86_64:
finch-2.5.2-6.el4.x86_64.rpm
finch-devel-2.5.2-6.el4.x86_64.rpm
libpurple-2.5.2-6.el4.x86_64.rpm
libpurple-devel-2.5.2-6.el4.x86_64.rpm
libpurple-perl-2.5.2-6.el4.x86_64.rpm
libpurple-tcl-2.5.2-6.el4.x86_64.rpm
pidgin-2.5.2-6.el4.x86_64.rpm
pidgin-devel-2.5.2-6.el4.x86_64.rpm
pidgin-perl-2.5.2-6.el4.x86_64.rpm

SL 5.x

     SRPMS:
pidgin-2.5.2-6.el5.src.rpm
     i386:
finch-2.5.2-6.el5.i386.rpm
finch-devel-2.5.2-6.el5.i386.rpm
libpurple-2.5.2-6.el5.i386.rpm
libpurple-devel-2.5.2-6.el5.i386.rpm
libpurple-perl-2.5.2-6.el5.i386.rpm
libpurple-tcl-2.5.2-6.el5.i386.rpm
pidgin-2.5.2-6.el5.i386.rpm
pidgin-devel-2.5.2-6.el5.i386.rpm
pidgin-docs-2.5.2-6.el5.i386.rpm
pidgin-perl-2.5.2-6.el5.i386.rpm
     x86_64:
finch-2.5.2-6.el5.i386.rpm
finch-2.5.2-6.el5.x86_64.rpm
finch-devel-2.5.2-6.el5.i386.rpm
finch-devel-2.5.2-6.el5.x86_64.rpm
libpurple-2.5.2-6.el5.i386.rpm
libpurple-2.5.2-6.el5.x86_64.rpm
libpurple-devel-2.5.2-6.el5.i386.rpm
libpurple-devel-2.5.2-6.el5.x86_64.rpm
libpurple-perl-2.5.2-6.el5.x86_64.rpm
libpurple-tcl-2.5.2-6.el5.x86_64.rpm
pidgin-2.5.2-6.el5.i386.rpm
pidgin-2.5.2-6.el5.x86_64.rpm
pidgin-devel-2.5.2-6.el5.i386.rpm
pidgin-devel-2.5.2-6.el5.x86_64.rpm
pidgin-docs-2.5.2-6.el5.x86_64.rpm
pidgin-perl-2.5.2-6.el5.x86_64.rpm

-Connie Sieh
-Troy Dawson

SciLinux: CVE-2008-2955 pidgin SL4.x, SL5.x i386/x86_64

Moderate: pidgin security and bug fix update

Summary

Date:         Tue, 16 Dec 2008 13:31:40 -0600Reply-To:     Troy Dawson Sender:       Security Errata for Scientific Linux              From:         Troy Dawson Subject:      Security ERRATA for pidgin on SL4.x, SL5.x i386/x86_64Comments: To: "scientific-linux-errata@fnal.gov"          Synopsis:	Moderate: pidgin security and bug fix updateIssue date:	2008-12-15CVE Names:	CVE-2008-2955 CVE-2008-2957 CVE-2008-3532A denial-of-service flaw was found in Pidgin's MSN protocol handler. If aremote user was able to send, and the Pidgin user accepted, acarefully-crafted file request, it could result in Pidgin crashing.(CVE-2008-2955)A denial-of-service flaw was found in Pidgin's Universal Plug and Play(UPnP) request handling. A malicious UPnP server could send a request toPidgin, causing it to download an excessive amount of data, consuming allavailable memory or disk space. (CVE-2008-2957)A flaw was found in the way Pidgin handled SSL certificates. The NSS SSLimplementation in Pidgin did not properly verify the authenticity of SSLcertificates. This could have resulted in users unknowingly connecting to amalicious SSL service. (CVE-2008-3532)In addition, this update upgrades pidgin from version 2.3.1 to version2.5.2, with many additional stability and functionality fixes from thePidgin Project.Note: the Secure Internet Live Conferencing (SILC) chat network protocolhas recently changed, affecting all versions of pidgin shipped with Red HatEnterprise Linux.Pidgin cannot currently connect to the latest version of the SILC server(1.1.14): it fails to properly exchange keys during initial login. Thisupdate does not correct this. Red Hat Bugzilla #474212 (linked to in theReferences section) has more information.Note: after the errata packages are installed, Pidgin must be restarted forthe update to take effect.SL 4.x     SRPMS:pidgin-2.5.2-6.el4.src.rpm     i386:finch-2.5.2-6.el4.i386.rpmfinch-devel-2.5.2-6.el4.i386.rpmlibpurple-2.5.2-6.el4.i386.rpmlibpurple-devel-2.5.2-6.el4.i386.rpmlibpurple-perl-2.5.2-6.el4.i386.rpmlibpurple-tcl-2.5.2-6.el4.i386.rpmpidgin-2.5.2-6.el4.i386.rpmpidgin-devel-2.5.2-6.el4.i386.rpmpidgin-perl-2.5.2-6.el4.i386.rpm     x86_64:finch-2.5.2-6.el4.x86_64.rpmfinch-devel-2.5.2-6.el4.x86_64.rpmlibpurple-2.5.2-6.el4.x86_64.rpmlibpurple-devel-2.5.2-6.el4.x86_64.rpmlibpurple-perl-2.5.2-6.el4.x86_64.rpmlibpurple-tcl-2.5.2-6.el4.x86_64.rpmpidgin-2.5.2-6.el4.x86_64.rpmpidgin-devel-2.5.2-6.el4.x86_64.rpmpidgin-perl-2.5.2-6.el4.x86_64.rpmSL 5.x     SRPMS:pidgin-2.5.2-6.el5.src.rpm     i386:finch-2.5.2-6.el5.i386.rpmfinch-devel-2.5.2-6.el5.i386.rpmlibpurple-2.5.2-6.el5.i386.rpmlibpurple-devel-2.5.2-6.el5.i386.rpmlibpurple-perl-2.5.2-6.el5.i386.rpmlibpurple-tcl-2.5.2-6.el5.i386.rpmpidgin-2.5.2-6.el5.i386.rpmpidgin-devel-2.5.2-6.el5.i386.rpmpidgin-docs-2.5.2-6.el5.i386.rpmpidgin-perl-2.5.2-6.el5.i386.rpm     x86_64:finch-2.5.2-6.el5.i386.rpmfinch-2.5.2-6.el5.x86_64.rpmfinch-devel-2.5.2-6.el5.i386.rpmfinch-devel-2.5.2-6.el5.x86_64.rpmlibpurple-2.5.2-6.el5.i386.rpmlibpurple-2.5.2-6.el5.x86_64.rpmlibpurple-devel-2.5.2-6.el5.i386.rpmlibpurple-devel-2.5.2-6.el5.x86_64.rpmlibpurple-perl-2.5.2-6.el5.x86_64.rpmlibpurple-tcl-2.5.2-6.el5.x86_64.rpmpidgin-2.5.2-6.el5.i386.rpmpidgin-2.5.2-6.el5.x86_64.rpmpidgin-devel-2.5.2-6.el5.i386.rpmpidgin-devel-2.5.2-6.el5.x86_64.rpmpidgin-docs-2.5.2-6.el5.x86_64.rpmpidgin-perl-2.5.2-6.el5.x86_64.rpm-Connie Sieh-Troy Dawson



Security Fixes

Severity

Related News

Krasue RAT Malware Hides on Linux Servers Using Embedded Rootkits

Dec 7, 2023

Kali vs. ParrotOS: 2 Versatile Linux Distros for Security Pros

Dec 9, 2023

Kali Linux 2023.4 Released With New Hacking Tools

Dec 6, 2023

Severe Firefox, Thunderbird Bugs Could Lead to System Takeover

Dec 2, 2023

News

Advisories

HOWTOs

Features

Password Guessing as an Attack Vector
Using Open Source to Ensure Compliance & Data Integrity through Data Governance
Critical Linux Kernel Bugs Lead to DoS, Privilege Escalation - Patch Now!
Unlocking the Future of Authentication: Passkeys vs. Passwords
Empowering MSPs with Straightforward Linux Device Management

About Us

Powered By

Footer Logo