Message-Id: <E1NUUjo-0005Cy-PO@titan.mandriva.com>
Date: Tue, 12 Jan 2010 01:36:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:001 ] pidgin


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:001
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : January 11, 2010
 Affected: 2008.0, 2009.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Security vulnerabilities have been identified and fixed in pidgin:
 
 The OSCAR protocol plugin in libpurple in Pidgin before 2.6.3 and Adium
 before 1.3.7 allows remote attackers to cause a denial of service
 (application crash) via crafted contact-list data for (1) ICQ and
 possibly (2) AIM, as demonstrated by the SIM IM client (CVE-2009-3615).
 
 Directory traversal vulnerability in slp.c in the MSN protocol
 plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows
 remote attackers to read arbitrary files via a .. (dot dot) in an
 application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request,
 a related issue to CVE-2004-0122.  NOTE: it could be argued that
 this is resultant from a vulnerability in which an emoticon download
 request is processed even without a preceding text/x-mms-emoticon
 message that announced availability of the emoticon (CVE-2010-0013).
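
 The two conditions named in the CVE-2010-0013 description (a ".." in the
 requested name, and a request served without a prior announcement) can be
 checked together as below. This is an added illustration, not code from
 Pidgin, libpurple or this advisory; struct announced_set, resolve_emoticon,
 the file names and the /tmp/smileys directory are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical: custom smileys this client announced to the peer earlier. */
struct announced_set {
    const char *const *names; /* bare file names, no directory part */
    size_t count;
};

/* True only for a single path component: non-empty, not "." or "..",
 * and free of both '/' and '\\' separators. */
static bool is_plain_component(const char *name)
{
    if (name == NULL || name[0] == '\0' ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    return strpbrk(name, "/\\") == NULL;
}

/* Writes base_dir/requested to out and returns true only when the name is a
 * plain component, was announced earlier, and the result fits in out. */
bool resolve_emoticon(const struct announced_set *set, const char *base_dir,
                      const char *requested, char *out, size_t out_len)
{
    if (!set || !base_dir || !out || out_len == 0 ||
        !is_plain_component(requested))
        return false;
    for (size_t i = 0; i < set->count; i++) {
        if (strcmp(set->names[i], requested) != 0)
            continue;
        int n = snprintf(out, out_len, "%s/%s", base_dir, requested);
        return n > 0 && (size_t)n < out_len; /* reject truncation */
    }
    return false; /* never announced: do not serve */
}

int main(void)
{
    /* Constructed sample data, not taken from Pidgin. */
    static const char *const names[] = { "smile.png", "wave.gif" };
    struct announced_set set = { names, 2 };
    const char *reqs[] = { "smile.png", "../smile.png", "secret.png" };
    char path[64];
    for (size_t i = 0; i < 3; i++) {
        bool ok = resolve_emoticon(&set, "/tmp/smileys", reqs[i], path, sizeof path);
        printf("%-14s -> %s\n", reqs[i], ok ? path : "(refused)");
    }
    return 0;
}
```

 The announcement check alone already refuses names the client never
 offered; the component check keeps a separator or ".." out of the path even
 if such a name were ever added to the announced set.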
 
 Packages for 2008.0 are provided for Corporate Desktop 2008.0
 customers.
 
 This update provides pidgin 2.6.5, which is not vulnerable to these
 issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3615
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
 http://pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLS5dWmqjQ0CJFipgRAuqOAJ9ZWf6gqrDNe0RfHMH2YbI3sKR7RwCcDVeC
TnSrShrUf1HCLIkglWLyznA=
=g4Z0
-----END PGP SIGNATURE-----
