Stay Secure with the Latest Linux Advisories

security advisorycriticalFedora

Fedora 10: FEDORA-2009-10702 Critical: Pidgin Contact Request Crash

CVE-2009-3615. -------------------------------------------------------------------------------- Fedora Update Notification FEDORA-2009-10702 2009-10-21 00:13:17 -------------------------------------------------------------------------------- Name : pidgin Product : Fedora 10 Version : 2.6.3 Release : 2.fc10 URL : http://pidgin.im/ Summary : A Gtk+ based multiprotocol instant messaging client Description : Pidgin allows you to talk to anyone using a variety of messaging protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu, ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and Zephyr. These protocols are implemented using a modular, easy to use design. To use a protocol, just add an account using the account editor. Pidgin supports many common features of other clients, as well as many unique features, such as perl scripting, TCL scripting and C plugins. Pidgin is not affiliated with or endorsed by America Online, Inc., Microsoft Corporation, Yahoo! Inc., or ICQ Inc. -------------------------------------------------------------------------------- Update Information: CVE-2009-3615 -------------------------------------------------------------------------------- ChangeLog: * Mon Oct 19 2009 Warren Togami 2.6.3-2 - Upstream backport: 3abad7606f4a2dfd1903df796f33924b12509a56 msn_servconn_disconnect-crash * Fri Oct 16 2009 Warren Togami 2.6.3-1 - 2.6.3 CVE-2009-3615 * Wed Sep 9 2009 Warren Togami 2.6.2-2 - Upstream backports: 97e003ed2bc2bafbb993693c9ae9c6d667731cc1 aim-buddy-status-grab 37aa00d044431100d37466517568640cb082680c yahoo-buddy-idle-time 40005b889ee276fbcd0a4e886a68d8a8cce45698 yahoo-status-change-away cb46b045aa6e927a3814d9053c2b1c0f08d6fa62 crash-validate-jid * Sun Sep 6 2009 Stu Tomlinson 2.6.2-1.1 - VV support needs to be explicitly disabled on F10 * Sun Sep 6 2009 Stu Tomlinson 2.6.2-1 - 2.6.2 Fixes a number of crashes - CVE-2009-2703, CVE-2009-3083, CVE-2009-3084, CVE-2009-3085 * Wed Aug 19 2009 WarrenTogami 2.6.1-1 - 2.6.1: Fix a crash when some users send you a link in a Yahoo IM * Tue Aug 18 2009 Warren Togami 2.6.0-1 - CVE-2009-2694 - Voice and Video support via farsight2 (Fedora 11+) - Numerous other bug fixes * Thu Aug 6 2009 Warren Togami 2.6.0-0.11.20090812 - new snapshot at the request of maiku * Thu Aug 6 2009 Warren Togami 2.6.0-0.10.20090806 - new snapshot - theoretically better sound quality in voice chat * Tue Aug 4 2009 Warren Togami 2.6.0-0.9.20090804 - new snapshot * Mon Jul 27 2009 Warren Togami 2.6.0-0.8.20090727 - new snapshot * Mon Jul 27 2009 Stu Tomlinson 2.6.0-0.6.20090721 - Prevent main libpurple & pidgin packages depending on perl (#513902) * Sun Jul 26 2009 Fedora Release Engineering - 2.6.0-0.5.20090721 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild * Wed Jul 22 2009 Warren Togami 2.6.0-0.4.20090721 - rebuild * Tue Jul 21 2009 Warren Togami 2.6.0-0.3.20090721 - prevent crash with no camera when closing vv window * Tue Jul 21 2009 Warren Togami 2.6.0-0.1.20090721 - 2.6.0 snapshot with voice and video support via farsight2 * Sat Jul 11 2009 Stu Tomlison 2.5.8-2 - Backport patch from upstream to enable NSS to recognize root CA certificates that use MD2 & MD4 algorithms in their signature, as used by some MSN and XMPP servers* Sun Jun 28 2009 Warren Togami 2.5.8-1 - 2.5.8 with several important bug fixes * Mon Jun 22 2009 Warren Togami 2.5.7-2 - glib2 compat with RHEL-4 * Sat Jun 20 2009 Warren Togami 2.5.7-1 - 2.5.7 with Yahoo Protocol 16 support * Wed May 20 2009 Stu Tomlinson 2.5.6-1 - 2.5.6 * Mon Apr 20 2009 Warren Togami 2.5.5-3 - F12+ removed krb4 * Tue Mar 3 2009 Stu Tomlinson 2.5.5-1 - 2.5.5 * Thu Feb 26 2009 Fedora Release Engineering - 2.5.4-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild * Tue Jan 27 2009 Warren Togami 2.5.4-2 - one_time_password plugin - Eliminate RPATH * Mon Jan 12 2009 Stu Tomlinson 2.5.4-1 - 2.5.4 * Fri Dec 26 2008 Warren Togami 2.5.3-1 - 2.5.3 * Sat Nov 222008 Warren Togami 2.5.2-6 - Automatically detect booleans to enable build features from dist tag - Unify RHEL4 and RHEL5 spec with Fedora to make both easier to maintain * Fri Nov 21 2008 Warren Togami 2.5.2-2 - Upstream backports: 100: sametime-redirect-null crash 101: NetworkManager-improvement 102: no-password-in-dialog-if-not-remembering 103: temporarily-remember-password-during-auto-reconnect 104: smilie-theme-change-crash 105: url_fetch_connect_cb-double-free crash 106: GtkIMHtmlSmileys-remove-crash 107: remove-dialog-from-open-dialog-list -------------------------------------------------------------------------------- References: [ 1 ] Bug #529357 - CVE-2009-3615 Pidgin: Invalid pointer dereference (crash) after receiving contacts from SIM IM client https://bugzilla.redhat.com/show_bug.cgi?id=529357 -------------------------------------------------------------------------------- This update can be installed with the "yum" update program. Use su -c 'yum update pidgin' at the command line. For more information, refer to "Managing Software with yum", available at . All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/ -------------------------------------------------------------------------------- _______________________________________________ Fedora-package-announce mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://lists.fedoraproject.org/archives/list/This email address is being protected from spambots. You need JavaScript enabled to view it./ . Upgrade for pidgin on Fedora resolves vulnerabilities linked to CVE-2009-3615, boosting messaging reliability.. Pidgin Client,Fedora Update,Messaging Software,Security Patch. . Severity: Critical. LinuxSecurity.com Team

Oct 20, 2009 •Critical Fedora