Explore top 10 tips to secure your open-source projects now. Read More
×
An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original . - -------------------------------------------------------------------------Debian LTS Advisory DLA-3043-1
New pidgin packages are available for Slackware 15.0 and -current to fix security issues. . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 [slackware-security] pidgin (SSA:2022-155-01) New pidgin packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: +--------------------------+ patches/packages/pidgin-2.14.10-i586-1_slack15.0.txz: Upgraded. This update fixes bugs and several security issues. For more information, see: https://www.pidgin.im/posts/2022-06-2.14.10-released/ (* Security fix *) +--------------------------+ Where to find the new packages: +-----------------------------+ Thanks to the friendly folks at the OSU Open Source Lab (https://osuosl.org/) for donating FTP and rsync hosting to the Slackware project! :-) Also see the "Get Slack" section on http://www.slackware.com/ for additional mirror sites near you. Updated package for Slackware 15.0: ftp://ftp.slackware.com/pub/slackware/slackware-15.0/patches/packages/pidgin-2.14.10-i586-1_slack15.0.txz Updated package for Slackware x86_64 15.0: ftp://ftp.slackware.com/pub/slackware/slackware64-15.0/patches/packages/pidgin-2.14.10-x86_64-1_slack15.0.txz Updated package for Slackware -current: Updated package for Slackware x86_64 -current: MD5 signatures: +-------------+ Slackware 15.0 package: 6a797553b5d8eba378db8076d7654887 pidgin-2.14.10-i586-1_slack15.0.txz Slackware x86_64 15.0 package: d798eae96870df6395f108db74e5ee36 pidgin-2.14.10-x86_64-1_slack15.0.txz Slackware -current package: ba6816888f23f91bbe86dfd95ae4d23e xap/pidgin-2.14.10-i586-1.txz Slackware x86_64 -current package: c1d23c2dc2aad1300ec1ec63ce71f666 xap/pidgin-2.14.10-x86_64-1.txz Installation instructions: +------------------------+ Upgrade the package as root: # upgradepkg pidgin-2.14.10-i586-1_slack15.0.txz +-----+ . Recent updates for pidgin packages on Slackware tackle critical security vulnerabilities. Ensure your system is protected by following the upgradeguidelines!. Pidgin Packages, Slackware Security Update, PIDGIN Upgrade, Open Source Messaging. . Severity: Critical. LinuxSecurity.com Team
MITM vulnerability when DNSSEC wasn't used (CVE-2022-26491) References: - https://bugs.mageia.org/show_bug.cgi?id=30438 - https://lists.suse.com/pipermail/sle-security-updates/2022-May/011017.html . MGASA-2022-0208 - Updated pidgin packages fix security vulnerability Publication date: 28 May 2022 URL: https://advisories.mageia.org/MGASA-2022-0208.html Type: security Affected Mageia releases: 8 CVE: CVE-2022-26491 MITM vulnerability when DNSSEC wasn't used (CVE-2022-26491) References: - https://bugs.mageia.org/show_bug.cgi?id=30438 - https://lists.suse.com/pipermail/sle-security-updates/2022-May/011017.html - - https://lists.fedoraproject.org/archives/list/
An update that fixes one vulnerability is now available. . SUSE Security Update: Security update for pidgin ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:1693-1 Rating: important References: #1199025 Cross-References: CVE-2022-26491 CVSS scores: CVE-2022-26491 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Affected Products: SUSE Linux Enterprise Desktop 15-SP4 SUSE Linux Enterprise High Performance Computing 15-SP4 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 SUSE Linux Enterprise Server 15-SP4 SUSE Linux Enterprise Server for SAP Applications 15-SP4 SUSE Linux Enterprise Workstation Extension 15-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for pidgin fixes the following issues: - CVE-2022-26491: Fixed MITM vulnerability when DNSSEC wasn't used (bsc#1199025). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 15-SP4: zypper in -t patch SUSE-SLE-Product-WE-15-SP4-2022-1693=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP4-2022-1693=1 Package List: - SUSE Linux Enterprise Workstation Extension 15-SP4 (x86_64): libpurple-2.14.8-150400.3.3.1 libpurple-client0-2.14.8-150400.3.3.1 libpurple-client0-debuginfo-2.14.8-150400.3.3.1 libpurple-debuginfo-2.14.8-150400.3.3.1 libpurple-devel-2.14.8-150400.3.3.1 libpurple-plugin-sametime-2.14.8-150400.3.3.1 libpurple-plugin-sametime-debuginfo-2.14.8-150400.3.3.1 libpurple0-2.14.8-150400.3.3.1 libpurple0-debuginfo-2.14.8-150400.3.3.1 pidgin-2.14.8-150400.3.3.1 pidgin-debuginfo-2.14.8-150400.3.3.1 pidgin-debugsource-2.14.8-150400.3.3.1 pidgin-devel-2.14.8-150400.3.3.1 - SUSE Linux Enterprise Workstation Extension 15-SP4 (noarch): libpurple-branding-upstream-2.14.8-150400.3.3.1 libpurple-lang-2.14.8-150400.3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (aarch64 ppc64le s390x): finch-2.14.8-150400.3.3.1 finch-debuginfo-2.14.8-150400.3.3.1 finch-devel-2.14.8-150400.3.3.1 libpurple-2.14.8-150400.3.3.1 libpurple-debuginfo-2.14.8-150400.3.3.1 libpurple-devel-2.14.8-150400.3.3.1 libpurple-plugin-sametime-2.14.8-150400.3.3.1 libpurple-plugin-sametime-debuginfo-2.14.8-150400.3.3.1 libpurple-tcl-2.14.8-150400.3.3.1 libpurple-tcl-debuginfo-2.14.8-150400.3.3.1 pidgin-2.14.8-150400.3.3.1 pidgin-debuginfo-2.14.8-150400.3.3.1 pidgin-debugsource-2.14.8-150400.3.3.1 pidgin-devel-2.14.8-150400.3.3.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP4 (noarch): libpurple-branding-upstream-2.14.8-150400.3.3.1 libpurple-lang-2.14.8-150400.3.3.1 References: https://www.suse.com/security/cve/CVE-2022-26491.html https://bugzilla.suse.com/1199025 . SUSE Security Advisory for Pidgin mitigates critical MITM flaw CVE-2022-26491 providing comprehensive update guidelines.. SUSE Security Update, Pidgin Patch, MITM Threat, Security Advisory, CVE-2022-26491. . Severity: Important. LinuxSecurity.com Team
An update that fixes one vulnerability is now available. . SUSE Security Update: Security update for pidgin ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:1664-1 Rating: important References: #1199025 Cross-References: CVE-2022-26491 CVSS scores: CVE-2022-26491 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Affected Products: SUSE Linux Enterprise Desktop 12-SP5 SUSE Linux Enterprise Server 12-SP5 SUSE Linux Enterprise Server for SAP Applications 12-SP5 SUSE Linux Enterprise Software Development Kit 12-SP5 SUSE Linux Enterprise Workstation Extension 12-SP5 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for pidgin fixes the following issues: - CVE-2022-26491: Fixed MITM vulnerability when DNSSEC wasn't used (bsc#1199025). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Workstation Extension 12-SP5: zypper in -t patch SUSE-SLE-WE-12-SP5-2022-1664=1 - SUSE Linux Enterprise Software Development Kit 12-SP5: zypper in -t patch SUSE-SLE-SDK-12-SP5-2022-1664=1 Package List: - SUSE Linux Enterprise Workstation Extension 12-SP5 (noarch): libpurple-branding-upstream-2.12.0-3.6.1 libpurple-lang-2.12.0-3.6.1 - SUSE Linux Enterprise Workstation Extension 12-SP5 (x86_64): finch-2.12.0-3.6.1 finch-debuginfo-2.12.0-3.6.1 libpurple-2.12.0-3.6.1 libpurple-debuginfo-2.12.0-3.6.1 libpurple-plugin-sametime-2.12.0-3.6.1 libpurple-plugin-sametime-debuginfo-2.12.0-3.6.1 libpurple-tcl-2.12.0-3.6.1 libpurple-tcl-debuginfo-2.12.0-3.6.1 pidgin-2.12.0-3.6.1 pidgin-debuginfo-2.12.0-3.6.1 pidgin-debugsource-2.12.0-3.6.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (aarch64 ppc64le s390x x86_64): finch-devel-2.12.0-3.6.1 libpurple-2.12.0-3.6.1 libpurple-debuginfo-2.12.0-3.6.1 libpurple-devel-2.12.0-3.6.1 pidgin-debuginfo-2.12.0-3.6.1 pidgin-debugsource-2.12.0-3.6.1 pidgin-devel-2.12.0-3.6.1 - SUSE Linux Enterprise Software Development Kit 12-SP5 (noarch): libpurple-lang-2.12.0-3.6.1 References: https://www.suse.com/security/cve/CVE-2022-26491.html https://bugzilla.suse.com/1199025 . This release targets a significant flaw in Pidgin to bolster protection on SUSE platforms.. SUSE Security Update, Pidgin Update, MITM Security Fix, Open Source Security. . Severity: Important. LinuxSecurity.com Team
An update that fixes one vulnerability is now available. . SUSE Security Update: Security update for pidgin ______________________________________________________________________________ Announcement ID: SUSE-SU-2022:1665-1 Rating: important References: #1199025 Cross-References: CVE-2022-26491 CVSS scores: CVE-2022-26491 (SUSE): 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Affected Products: SUSE Linux Enterprise Desktop 15-SP3 SUSE Linux Enterprise High Performance Computing 15-SP3 SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 SUSE Linux Enterprise Server 15-SP3 SUSE Linux Enterprise Server for SAP Applications 15-SP3 SUSE Linux Enterprise Workstation Extension 15-SP3 SUSE Manager Proxy 4.2 SUSE Manager Server 4.2 openSUSE Leap 15.3 openSUSE Leap 15.4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for pidgin fixes the following issues: - CVE-2022-26491: Fixed MITM vulnerability when DNSSEC wasn't used (bsc#1199025). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 15.4: zypper in -t patch openSUSE-SLE-15.4-2022-1665=1 - openSUSE Leap 15.3: zypper in -t patch openSUSE-SLE-15.3-2022-1665=1 - SUSE Linux Enterprise Workstation Extension 15-SP3: zypper in -t patch SUSE-SLE-Product-WE-15-SP3-2022-1665=1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3: zypper in -t patch SUSE-SLE-Module-Packagehub-Subpackages-15-SP3-2022-1665=1 Package List: - openSUSE Leap 15.4(aarch64 ppc64le s390x x86_64): finch-2.13.0-150200.12.6.1 finch-debuginfo-2.13.0-150200.12.6.1 finch-devel-2.13.0-150200.12.6.1 libpurple-2.13.0-150200.12.6.1 libpurple-debuginfo-2.13.0-150200.12.6.1 libpurple-devel-2.13.0-150200.12.6.1 libpurple-plugin-sametime-2.13.0-150200.12.6.1 libpurple-plugin-sametime-debuginfo-2.13.0-150200.12.6.1 libpurple-tcl-2.13.0-150200.12.6.1 libpurple-tcl-debuginfo-2.13.0-150200.12.6.1 pidgin-2.13.0-150200.12.6.1 pidgin-debuginfo-2.13.0-150200.12.6.1 pidgin-debugsource-2.13.0-150200.12.6.1 pidgin-devel-2.13.0-150200.12.6.1 - openSUSE Leap 15.4 (noarch): libpurple-branding-upstream-2.13.0-150200.12.6.1 libpurple-lang-2.13.0-150200.12.6.1 - openSUSE Leap 15.3 (aarch64 ppc64le s390x x86_64): finch-2.13.0-150200.12.6.1 finch-debuginfo-2.13.0-150200.12.6.1 finch-devel-2.13.0-150200.12.6.1 libpurple-2.13.0-150200.12.6.1 libpurple-debuginfo-2.13.0-150200.12.6.1 libpurple-devel-2.13.0-150200.12.6.1 libpurple-plugin-sametime-2.13.0-150200.12.6.1 libpurple-plugin-sametime-debuginfo-2.13.0-150200.12.6.1 libpurple-tcl-2.13.0-150200.12.6.1 libpurple-tcl-debuginfo-2.13.0-150200.12.6.1 pidgin-2.13.0-150200.12.6.1 pidgin-debuginfo-2.13.0-150200.12.6.1 pidgin-debugsource-2.13.0-150200.12.6.1 pidgin-devel-2.13.0-150200.12.6.1 - openSUSE Leap 15.3 (noarch): libpurple-branding-upstream-2.13.0-150200.12.6.1 libpurple-lang-2.13.0-150200.12.6.1 - SUSE Linux Enterprise Workstation Extension 15-SP3 (noarch): libpurple-branding-upstream-2.13.0-150200.12.6.1 libpurple-lang-2.13.0-150200.12.6.1 - SUSE Linux Enterprise Workstation Extension 15-SP3 (x86_64): libpurple-2.13.0-150200.12.6.1 libpurple-debuginfo-2.13.0-150200.12.6.1 libpurple-devel-2.13.0-150200.12.6.1 libpurple-plugin-sametime-2.13.0-150200.12.6.1 libpurple-plugin-sametime-debuginfo-2.13.0-150200.12.6.1 pidgin-2.13.0-150200.12.6.1 pidgin-debuginfo-2.13.0-150200.12.6.1 pidgin-debugsource-2.13.0-150200.12.6.1 pidgin-devel-2.13.0-150200.12.6.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (aarch64 ppc64le s390x): finch-2.13.0-150200.12.6.1 finch-debuginfo-2.13.0-150200.12.6.1 finch-devel-2.13.0-150200.12.6.1 libpurple-2.13.0-150200.12.6.1 libpurple-debuginfo-2.13.0-150200.12.6.1 libpurple-devel-2.13.0-150200.12.6.1 libpurple-plugin-sametime-2.13.0-150200.12.6.1 libpurple-plugin-sametime-debuginfo-2.13.0-150200.12.6.1 libpurple-tcl-2.13.0-150200.12.6.1 libpurple-tcl-debuginfo-2.13.0-150200.12.6.1 pidgin-2.13.0-150200.12.6.1 pidgin-debuginfo-2.13.0-150200.12.6.1 pidgin-debugsource-2.13.0-150200.12.6.1 pidgin-devel-2.13.0-150200.12.6.1 - SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (noarch): libpurple-branding-upstream-2.13.0-150200.12.6.1 libpurple-lang-2.13.0-150200.12.6.1 References: https://www.suse.com/security/cve/CVE-2022-26491.html https://bugzilla.suse.com/1199025 . Important security patch issued for Pidgin by SUSE to address an MITM vulnerability. Users are urged to update to ensure system safety.. SUSE Pidgin Update, Important Security Patch, Man In The Middle. . Severity: Important. LinuxSecurity.com Team
An update that fixes one vulnerability is now available. . SUSE Security Update: Security update for pidgin ______________________________________________________________________________ Announcement ID: SUSE-SU-2018:2235-1 Rating: moderate References: #1028835 Cross-References: CVE-2017-2640 Affected Products: SUSE Linux Enterprise Software Development Kit 11-SP4 SUSE Linux Enterprise Debuginfo 11-SP4 ______________________________________________________________________________ An update that fixes one vulnerability is now available. Description: This update for pidgin fixes the following issues: The following security vulnerability was fixed: - CVE-2017-2640: Fixed an out of bound write in purple_markup_unescape_entity, which could be triggered by a server controlled by an attacker and could lead to crashes or, in some extreme cases, to remote code execution on the client side (bsc#1028835). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - SUSE Linux Enterprise Software Development Kit 11-SP4: zypper in -t patch sdksp4-pidgin-13717=1 - SUSE Linux Enterprise Debuginfo 11-SP4: zypper in -t patch dbgsp4-pidgin-13717=1 Package List: - SUSE Linux Enterprise Software Development Kit 11-SP4 (i586 ia64 ppc64 s390x x86_64): finch-2.6.6-0.30.3.1 finch-devel-2.6.6-0.30.3.1 libpurple-2.6.6-0.30.3.1 libpurple-devel-2.6.6-0.30.3.1 libpurple-lang-2.6.6-0.30.3.1 pidgin-2.6.6-0.30.3.1 pidgin-devel-2.6.6-0.30.3.1 - SUSE Linux Enterprise Debuginfo 11-SP4 (i586 ia64 ppc64 s390x x86_64): pidgin-debuginfo-2.6.6-0.30.3.1 pidgin-debugsource-2.6.6-0.30.3.1 References: https://www.suse.com/security/cve/CVE-2017-2640.html https://bugzilla.suse.com/1028835 . Updateto address a moderate vulnerability in Pidgin as highlighted in SUSE Security Update SUSE-SU-2018:2235-1, mitigating potential crash and remote exploit risks.. SUSE Linux, pidgin, security update, remote code execution, out of bounds. . LinuxSecurity.com Team
A denial of service flaw was found in the way Pidgin's Mxit plug-in handled emoticons. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to crash Pidgin by sending a specially crafted emoticon. (CVE-2014-3695) * A denial of service flaw was found in the way Pidgin parsed Groupwise server messages. A malicious remote server or a man-in-the-middle attacke [More...]. Synopsis: Moderate: pidgin security, bug fix, and enhancement Advisory ID: SLSA-2017:1854-1 Issue Date: 2017-08-01 CVE Numbers: CVE-2014-3694 CVE-2014-3695 CVE-2014-3696 CVE-2014-3698 CVE-2017-2640 -- The following packages have been upgraded to a later upstream version: pidgin (2.10.11). Security Fix(es): * A denial of service flaw was found in the way Pidgin's Mxit plug-in handled emoticons. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to crash Pidgin by sending a specially crafted emoticon. (CVE-2014-3695) * A denial of service flaw was found in the way Pidgin parsed Groupwise server messages. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to cause Pidgin to consume an excessive amount of memory, possibly leading to a crash, by sending a specially crafted message. (CVE-2014-3696) * An information disclosure flaw was discovered in the way Pidgin parsed XMPP messages. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to disclose a portion of memory belonging to the Pidgin process by sending a specially crafted XMPP message. (CVE-2014-3698) * An out-of-bounds write flaw was found in the way Pidgin processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process. (CVE-2017-2640) * It was found that Pidgin's SSL/TLS plug-ins had a flaw in the certificate validation functionality. Anattacker could use this flaw to create a fake certificate, that Pidgin would trust, which could be used to conduct man-in-the-middle attacks against Pidgin. (CVE-2014-3694) -- SL7 x86_64 libpurple-2.10.11-5.el7.i686.rpm libpurple-2.10.11-5.el7.x86_64.rpm pidgin-2.10.11-5.el7.x86_64.rpm pidgin-debuginfo-2.10.11-5.el7.i686.rpm pidgin-debuginfo-2.10.11-5.el7.x86_64.rpm finch-2.10.11-5.el7.i686.rpm finch-2.10.11-5.el7.x86_64.rpm finch-devel-2.10.11-5.el7.i686.rpm finch-devel-2.10.11-5.el7.x86_64.rpm libpurple-devel-2.10.11-5.el7.i686.rpm libpurple-devel-2.10.11-5.el7.x86_64.rpm libpurple-perl-2.10.11-5.el7.x86_64.rpm libpurple-tcl-2.10.11-5.el7.x86_64.rpm pidgin-devel-2.10.11-5.el7.i686.rpm pidgin-devel-2.10.11-5.el7.x86_64.rpm pidgin-perl-2.10.11-5.el7.x86_64.rpm - Scientific Linux Development Team . Pidgin's latest security advisory SLSA-2017:1854-1 introduces critical enhancements and bug fixes to boost security and performance, advising users to update. pidgin Security Fixes, SL7 Updates, Denial of Service Issues. . Severity: Important. LinuxSecurity.com Team
Get the latest Linux and open source security news straight to your inbox.