Mageia Bugzilla – Bug 20442
pidgin new security issue CVE-2017-2640
Last modified: 2017-03-16 20:20:48 CET
Pidgin 2.12.0 has been released on March 9, fixing a security issue:
It also fixed Freenode IRC authentication and a certificate validation error with Google that causes some users to not be able to connect (and others to not be able to stay connected).
Protocols for dead services have been removed, and some for upstream protocols that changed have been moved to third-party plugins. It would be nice if we could package the new Yahoo! plugin.
The package in Cauldron/v6 was already updated and I submitted an update to mga5 core/updates_testing.
Thanks! Any chance we can get that Yahoo! plugin packaged?
Updated pidgin packages fix security vulnerability:
A server controlled by an attacker can send an invalid XML that can trigger an
out-of-bound memory access. This might lead to a crash or, in some extreme
cases, to remote code execution in the client-side (CVE-2017-2640).
The pidgin package has been updated to version 2.12.0, which fixes this issue
and other bugs, including certificate validation for the Google Talk protocol.
It also removes protocol plugins for services that are no longer available or
supported. See the upstream ChangeLog for details.
Updated packages in core/updates_testing: