lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20101113193728.F1CAB3275F0@morgana.loeki.tv>
Date: Sat, 13 Nov 2010 20:37:28 +0100 (CET)
From: Thijs Kinkhorst <thijs@...ian.org>
To: bugtraq@...urityfocus.com
Subject: [SECURITY] [DSA 2038-3] New pidgin packages fix regression

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2038-3                  security@...ian.org
http://www.debian.org/security/                          Thijs Kinkhorst
November 13, 2010                     http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : pidgin
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-0420 CVE-2010-0423
Debian Bug     : 566775 579601

The packages for Pidgin released as DSA 2038-2 had a regression, as they
unintentionally disabled the Silc, Simple, and Yahoo instant messaging
protocols. This update restore that functionality. For reference the
original advisory text below.

Several remote vulnerabilities have been discovered in Pidgin, a multi
protocol instant messaging client. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2010-0420

        Crafted nicknames in the XMPP protocol can crash Pidgin remotely.

CVE-2010-0423

        Remote contacts may send too many custom smilies, crashing Pidgin.

Since a few months, Microsoft's servers for MSN have changed the protocol,
making Pidgin non-functional for use with MSN. It is not feasible to port
these changes to the version of Pidgin in Debian Lenny. This update
formalises that situation by disabling the protocol in the client. Users
of the MSN protocol are advised to use the version of Pidgin in the
repositories of www.backports.org.

For the stable distribution (lenny), these problems have been fixed in
version 2.4.3-4lenny8.

For the unstable distribution (sid), these problems have been fixed in
version 2.6.6-1.

We recommend that you upgrade your pidgin package.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3.orig.tar.gz
    Size/MD5 checksum: 13123610 d0e0bd218fbc67df8b2eca2f21fcd427
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8.diff.gz
    Size/MD5 checksum:    72269 0119701838d8ad1cdeac7ce4c91bae65
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8.dsc
    Size/MD5 checksum:     1769 ad33ad23693b546e86e0912e88a4ea12

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple-dev_2.4.3-4lenny8_all.deb
    Size/MD5 checksum:   278150 84022a327404419ae540f3f3bc427e3b
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple-bin_2.4.3-4lenny8_all.deb
    Size/MD5 checksum:   133688 16372c01693c7744ff48f411aaaac5a2
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-data_2.4.3-4lenny8_all.deb
    Size/MD5 checksum:  7014900 c2c210652333d77e3573be4a8a699c9b
  http://security.debian.org/pool/updates/main/p/pidgin/finch-dev_2.4.3-4lenny8_all.deb
    Size/MD5 checksum:   159954 51bde77053b4ea6e14b1442bf1a1607d
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dev_2.4.3-4lenny8_all.deb
    Size/MD5 checksum:   194580 a7dde485b3f5d3e4893ceb2a22ee47aa

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_alpha.deb
    Size/MD5 checksum:  5315572 1cf0367c5e3881549bac1a4fe45aa5eb
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_alpha.deb
    Size/MD5 checksum:   371260 ba6898cf2c154319bffcc9cd6d4cd4a7
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_alpha.deb
    Size/MD5 checksum:   777478 228be5cdb1f26820e5f5348096f3c3ee
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_alpha.deb
    Size/MD5 checksum:  1719898 c04983751b915ceeef5a2d884edddcfd

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_amd64.deb
    Size/MD5 checksum:  1633712 927a05948c7ea50b4ff1515820495093
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_amd64.deb
    Size/MD5 checksum:   347692 4bea6a2d558defbfc9cf1bee25ec4a4d
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_amd64.deb
    Size/MD5 checksum:   727282 b148a28348d91d43e78b02798893bb6a
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_amd64.deb
    Size/MD5 checksum:  5428234 ab7cc975d13b3abd8faa2498896d8d44

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_arm.deb
    Size/MD5 checksum:  5118248 e2f34bded56a07650f91e119cd739c7b
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_arm.deb
    Size/MD5 checksum:   315658 18a22ae56dab911aa7c8667db51afbc4
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_arm.deb
    Size/MD5 checksum:   655810 200950fcc1f558d92e50fda7f494ea0b
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_arm.deb
    Size/MD5 checksum:  1422998 1e4c635bdba06539a081b1c6f422b1d2

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_armel.deb
    Size/MD5 checksum:  1430694 4c96fa5a80593ddf0c3e4f998173bdcf
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_armel.deb
    Size/MD5 checksum:   667108 330bd6dcb19da7bb1ce21013f035ae32
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_armel.deb
    Size/MD5 checksum:  5152254 6b61008ee4337db73612d4943ed756e6
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_armel.deb
    Size/MD5 checksum:   319130 56c3e97232ceb5fed1688dff1c6b07f2

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_hppa.deb
    Size/MD5 checksum:  5249334 f9380ac4d099646026092869254f36af
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_hppa.deb
    Size/MD5 checksum:   360850 31898206d949ddd8a0645e756700e5e6
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_hppa.deb
    Size/MD5 checksum:   752928 5668adccc2caf428e04b35adad06753a
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_hppa.deb
    Size/MD5 checksum:  1741168 32a16b666040fd28dad3a50cb2508edd

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_i386.deb
    Size/MD5 checksum:  5142098 46afbb8656ef35617b90e5272ff4fb0f
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_i386.deb
    Size/MD5 checksum:   326492 8ffe29c959a8494c2421a0aa2f4f4d32
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_i386.deb
    Size/MD5 checksum:   679860 9588d20c33677a0acfffce3a98c97280
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_i386.deb
    Size/MD5 checksum:  1506712 e324dae1d982241abb5537b719a4831a

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_ia64.deb
    Size/MD5 checksum:  5000868 ae42b44a76ecb3558c5a2e5db5f19e2a
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_ia64.deb
    Size/MD5 checksum:  2087484 b7bc9718fd1ef427eb763a34c34b900b
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_ia64.deb
    Size/MD5 checksum:   435108 aa579727d0272a8fb8968bfa6e4062a7
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_ia64.deb
    Size/MD5 checksum:   948900 9f829afda7629eeca4f38bb043f20676

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_mips.deb
    Size/MD5 checksum:  1304070 c57c7afa0b340b070bc2f54f340549a3
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_mips.deb
    Size/MD5 checksum:   320686 c3a2186b1f6037b7fd66bdef4e47e26b
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_mips.deb
    Size/MD5 checksum:   656496 8b848d690917eab703a60698a3be2e1f
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_mips.deb
    Size/MD5 checksum:  5409338 e7fbcb9776703eb244a79fcb363adbbd

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_mipsel.deb
    Size/MD5 checksum:  1291760 7fb32d3297f440c73e964081860e460e
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_mipsel.deb
    Size/MD5 checksum:   318700 e5baa0a06a8900638e3088b9879b1923
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_mipsel.deb
    Size/MD5 checksum:  5306128 762422060524ce5019abe682005dd273
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_mipsel.deb
    Size/MD5 checksum:   651552 892ac43fc97903793d60239843524bc7

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_powerpc.deb
    Size/MD5 checksum:  1682748 37529f1ef367a5e984aa027c5f270d8b
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_powerpc.deb
    Size/MD5 checksum:   757670 9a9aef7b7215ba897e731e0dc1c2e645
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_powerpc.deb
    Size/MD5 checksum:   362828 f2482932f44d26f9878d1943e24fbb6a
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_powerpc.deb
    Size/MD5 checksum:  5360552 12cef47bcab4db9af3071cb31ce1c4f9

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_s390.deb
    Size/MD5 checksum:  5331892 1de914be4947ec1f1d4e9f029f350480
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_s390.deb
    Size/MD5 checksum:   360378 e9bb6c133cb59909e1418fae60245352
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_s390.deb
    Size/MD5 checksum:   719338 795beea30a9d2d289ebbd9e2ffc0f286
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_s390.deb
    Size/MD5 checksum:  1562530 186ca2624c320ef40cfcf309bd6bcf32

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_sparc.deb
    Size/MD5 checksum:   683482 7e54e2b074c6d6ad4a1fb28a070009f2
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_sparc.deb
    Size/MD5 checksum:  4921794 c712395d28b865aab3ede218504c7ae4
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_sparc.deb
    Size/MD5 checksum:   329552 591579e595077a26fc6616302723bfe7
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_sparc.deb
    Size/MD5 checksum:  1513948 68603d70bc41cb6f300a85ad9b0454df


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJM3uYeAAoJEOxfUAG2iX57Td8H/18wfLFH2TALauLI6KWRChGt
OW3gVYr0TgNUDj2NfJHW8bjns5xVrQvySgaQJPHu+4Xp5/5BanIreBT/cThVmC8q
U1urgfwImqun01/rIx/EJTTd+7Buw4AtboQqGoXA1NkhVHdtsRjeR8wTl9cT6/W0
fY8c3NTvShLdPEOYvqA5gaPxR62QPMjT50oTtzkwGNCKcsVMCMiPbeEcHdkA2ihf
0QbOV8MRUCXNFPG5cg270k9kLm6vrwMNLPoyHTCfZZfZ28FrRYG5TjHHYg3Dblo7
q8j/CMkjJI83/rbBfD1AeP9z1YdmxP1+IGlnjI2Zv907bIm1Enp5bE2+fxPchP0=
=ND5l
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ