A new version of Pidgin has been released today, fixing security issues: https://developer.pidgin.im/wiki/ChangeLog Here are the corresponding security advisories: http://www.pidgin.im/news/security/?id=86 http://www.pidgin.im/news/security/?id=87 http://www.pidgin.im/news/security/?id=88 http://www.pidgin.im/news/security/?id=90 Note that I didn't include CVE-2014-3697 which only affects Windows. Freeze push has been requested for Cauldron. Oden has uploaded updated packages for Mageia 3 and Mageia 4. Advisory: ======================== Updated pidgin packages fix security vulnerabilities: In Pidgin before 2.10.10, both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one for NSS) failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary domain and Pidgin would trust it (CVE-2014-3694). In Pidgin before 2.10.10, a malicious server or man-in-the-middle could trigger a crash in libpurple by sending an emoticon with an overly large length value (CVE-2014-3695). In Pidgin before 2.10.10, a malicious server or man-in-the-middle could trigger a crash in libpurple by specifying that a large amount of memory should be allocated in many places in the UI (CVE-2014-3696). In Pidgin before 2.10.10, a malicious server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory (CVE-2014-3698). The pidgin package has been updated to version 2.10.10 which fixes these issues and other bugs. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3694 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3695 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3696 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3698 http://www.pidgin.im/news/security/?id=86 http://www.pidgin.im/news/security/?id=87 http://www.pidgin.im/news/security/?id=88 http://www.pidgin.im/news/security/?id=90 https://developer.pidgin.im/wiki/ChangeLog ======================== Updated packages in core/updates_testing: ======================== pidgin-2.10.10-1.mga3 pidgin-plugins-2.10.10-1.mga3 pidgin-perl-2.10.10-1.mga3 pidgin-tcl-2.10.10-1.mga3 pidgin-silc-2.10.10-1.mga3 libpurple-devel-2.10.10-1.mga3 libpurple0-2.10.10-1.mga3 libfinch0-2.10.10-1.mga3 finch-2.10.10-1.mga3 pidgin-bonjour-2.10.10-1.mga3 pidgin-meanwhile-2.10.10-1.mga3 pidgin-client-2.10.10-1.mga3 pidgin-i18n-2.10.10-1.mga3 pidgin-2.10.10-1.mga4 pidgin-plugins-2.10.10-1.mga4 pidgin-perl-2.10.10-1.mga4 pidgin-tcl-2.10.10-1.mga4 pidgin-silc-2.10.10-1.mga4 libpurple-devel-2.10.10-1.mga4 libpurple0-2.10.10-1.mga4 libfinch0-2.10.10-1.mga4 finch-2.10.10-1.mga4 pidgin-bonjour-2.10.10-1.mga4 pidgin-meanwhile-2.10.10-1.mga4 pidgin-client-2.10.10-1.mga4 pidgin-i18n-2.10.10-1.mga4 from SRPMS: pidgin-2.10.10-1.mga3.src.rpm pidgin-2.10.10-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
I'll start to test it all releases and arch.
CC: (none) => ozkyster
Update tested and validated sysadmin push this to updates.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: MGA3TOO => MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok
Advisory uploaded.
CC: (none) => remiWhiteboard: MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok => MGA3TOO mga4-64-ok mga4-32-ok mga3-64-ok mga3-32-ok advisory
Debian has issued an advisory for this on October 23: https://www.debian.org/security/2014/dsa-3055
URL: (none) => http://lwn.net/Vulnerabilities/617972/
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0425.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
Works OK on Mageia4 KDE 64 bits
CC: (none) => herman.viaene