X41 D-Sec GmbH has issued an advisory today (March 9):
https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/

Updated packages uploaded for Mageia 5 and Cauldron.

libotr5 is used by pidgin-otr.

Advisory:
========================

Updated libotr packages fix security vulnerability:

A remote attacker may crash or execute arbitrary code in libotr before 4.1.1 by sending large OTR messages. While processing specially crafted messages, attacker controlled data on the heap is written out of bounds (CVE-2016-2851).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2851
https://www.x41-dsec.de/lab/advisories/x41-2016-001-libotr/
========================

Updated packages in core/updates_testing:
========================
libotr5-4.1.1-1.mga5
libotr-devel-4.1.1-1.mga5
libotr-utils-4.1.1-1.mga5

from libotr-4.1.1-1.mga5.src.rpm
This should be tested with the pidgin-otr update in Bug 17933.
Blocks: (none) => 17933
Debian has issued an advisory for this on March 9: https://www.debian.org/security/2016/dsa-3512
URL: (none) => http://lwn.net/Vulnerabilities/679616/
x86_64 Mate

Had already installed pidgin and the pidgin-otr update. Installed the lib64otr packages from testing. Tried out pidgin and managed to create an account and join #mageia-qa but things don't look right. Registered as tarazed and gave a local alias of lcl (not knowing what that meant) and found myself listed as lcl rather than tarazed. The log showed the message I always get in irssi: "tarazed is not a registered nickname" even though I have registered it a dozen times. I lose patience with these systems.

More serious is the message in the terminal:
$ pidgin
Couldn't create plugins dir

So I have no idea if libotr is OK or not as far as normal running is concerned, as opposed to the security vulnerability.
CC: (none) => tarazed25
As far as I know, otr has nothing to do with IRC. It's for encrypted communications between two Pidgin clients.
So it is not being used at all when pidgin is used to access IRC. As I have no idea about pidgin to pidgin communication I shall have to drop this one. Any takers?
What's to have an idea about? You get two people using Pidgin to enable the OTR plugin and talk to each other.
Remember you are talking to a dunderheid here David. ;) And I don't know anybody else so I suppose it will have to be two nodes on the LAN. Be back after I figure out how to use pidgin. I may be gone some time.
No, it cannot be used locally and I failed anyway to create an account for myself. Definitely dropping this one.
I haven't used the OTR one, I had only used an older encryption plugin for Pidgin, but it worked with any protocol. So, if you didn't want a dependence on any external services, you could set up a local Jabber server and use that :o)
New ground again. Looked at jabber and found djabberd and ejabberd. Installed djabberd and set it running as a service. Cannot find any intelligible information about using the service to talk between local nodes. And how would the libotr plugin figure in all this? I am baffled. As I said, I am going to have to drop this one. Simply don't have a clue about instant messaging.
Well, if you got a Jabber server working, you're almost there. You can register an account on the Jabber server through the Pidgin client. If you enable the Pidgin OTR plugin (in Plugins), it should either give you a way to encrypt when you're talking to someone else who has it, or do it automatically. Either way it shouldn't be hard to figure out.
MGA5-32 on Acer D620 Xfce
Tested in bug 17933
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Validating. Advisory todo.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
CC: (none) => davidwhodgins
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0117.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED