[SECURITY] [DSA 2859-1] pidgin security update

    From Moritz Muehlenhoff@1:229/2 to All on Mon Feb 10 18:40:06 2014
    From: [email protected]

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    -------------------------------------------------------------------------
    Debian Security Advisory DSA-2859-1                   [email protected]
    http://www.debian.org/security/                        Moritz Muehlenhoff
    February 10, 2014                      http://www.debian.org/security/faq
    -------------------------------------------------------------------------

    Package : pidgin
    Vulnerability : several
    CVE ID : CVE-2013-6477 CVE-2013-6478 CVE-2013-6479 CVE-2013-6481
    CVE-2013-6482 CVE-2013-6483 CVE-2013-6484 CVE-2013-6485
    CVE-2013-6487 CVE-2013-6489 CVE-2013-6490 CVE-2014-0020

    Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client:

    CVE-2013-6477

    Jaime Breva Ribes discovered that a remote XMPP user can trigger a
    crash by sending a message with a timestamp in the distant future.

    CVE-2013-6478

    Pidgin could be crashed through overly wide tooltip windows.

    CVE-2013-6479

    Jacob Appelbaum discovered that a malicious server or a "man in the
    middle" could send a malformed HTTP header resulting in denial of
    service.

    CVE-2013-6481

    Daniel Atallah discovered that Pidgin could be crashed through
    malformed Yahoo! P2P messages.

    CVE-2013-6482

    Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
    could be crashed through malformed MSN messages.

    CVE-2013-6483

    Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin
    could be crashed through malformed XMPP messages.

    CVE-2013-6484

    It was discovered that incorrect error handling when reading the
    response from a STUN server could result in a crash.

    CVE-2013-6485

    Matt Jones discovered a buffer overflow in the parsing of malformed
    HTTP responses.

    CVE-2013-6487

    Yves Younan and Ryan Pentney discovered a buffer overflow when parsing
    Gadu-Gadu messages.

    CVE-2013-6489

    Yves Younan and Pawel Janic discovered an integer overflow when parsing
    MXit emoticons.

    CVE-2013-6490

    Yves Younan discovered a buffer overflow when parsing SIMPLE headers.

    CVE-2014-0020

    Daniel Atallah discovered that Pidgin could be crashed via malformed
    IRC arguments.

    For the oldstable distribution (squeeze), no direct backport is provided.
    Fixed packages will be provided through backports.debian.org shortly.

    For the stable distribution (wheezy), these problems have been fixed in
    version 2.10.9-1~deb7u1.

    For the unstable distribution (sid), these problems have been fixed in
    version 2.10.9-1.

    We recommend that you upgrade your pidgin packages.

    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: http://www.debian.org/security/

    Mailing list: [email protected]


    --
    To UNSUBSCRIBE, email to [email protected]
    with a subject of "unsubscribe". Trouble? Contact [email protected]
    Archive: http://lists.debian.org/[email protected]

    --- SoupGate-Win32 v1.05
    * Origin: you cannot sedate... all the things you hate (1:229/2)