lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1NUVHg-0005Fh-Js@titan.mandriva.com>
Date: Tue, 12 Jan 2010 02:11:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2010:002 ] pidgin


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2010:002
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : January 11, 2010
 Affected: 2010.0
 _______________________________________________________________________

 Problem Description:

 A security vulnerability has been identified and fixed in pidgin:
 
 Directory traversal vulnerability in slp.c in the MSN protocol
 plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows
 remote attackers to read arbitrary files via a .. (dot dot) in an
 application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request,
 a related issue to CVE-2004-0122.  NOTE: it could be argued that
 this is resultant from a vulnerability in which an emoticon download
 request is processed even without a preceding text/x-mms-emoticon
 message that announced availability of the emoticon (CVE-2010-0013).
 
 This update provides pidgin 2.6.5, which is not vulnerable to this
 issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013
 http://pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2010.0:
 0b141dc591a1677affc824e714c0bfa5  2010.0/i586/finch-2.6.5-0.1mdv2010.0.i586.rpm
 3d851548d89644efdfb701ba90c468da  2010.0/i586/libfinch0-2.6.5-0.1mdv2010.0.i586.rpm
 91a4b9783856ae2565c2cd3a9b27ebb6  2010.0/i586/libpurple0-2.6.5-0.1mdv2010.0.i586.rpm
 a0c9e1a42b96b117822968b581869513  2010.0/i586/libpurple-devel-2.6.5-0.1mdv2010.0.i586.rpm
 ec2f185f4aaf4a83fdd95d1ee5023c4c  2010.0/i586/pidgin-2.6.5-0.1mdv2010.0.i586.rpm
 aefdd5492a98e1823ba0c7286b3558b9  2010.0/i586/pidgin-bonjour-2.6.5-0.1mdv2010.0.i586.rpm
 92599926774c68178a399e8e6b680029  2010.0/i586/pidgin-client-2.6.5-0.1mdv2010.0.i586.rpm
 1d213714f4d9da85fd0bac7e793aa0d5  2010.0/i586/pidgin-gevolution-2.6.5-0.1mdv2010.0.i586.rpm
 a1e458dcd2c10987934208d9a18cd2b5  2010.0/i586/pidgin-i18n-2.6.5-0.1mdv2010.0.i586.rpm
 afc26ed9b344e3d4317fd7e32b88fa88  2010.0/i586/pidgin-meanwhile-2.6.5-0.1mdv2010.0.i586.rpm
 3233cfec46020dbff5ef6f6fa4a4025e  2010.0/i586/pidgin-mono-2.6.5-0.1mdv2010.0.i586.rpm
 48a5641b1104620aba0e2cbfa65a101f  2010.0/i586/pidgin-perl-2.6.5-0.1mdv2010.0.i586.rpm
 44461abfbd8bc983a1e440a331ddc823  2010.0/i586/pidgin-plugins-2.6.5-0.1mdv2010.0.i586.rpm
 80e0cedd0d60fe626dc5253db502e1bd  2010.0/i586/pidgin-silc-2.6.5-0.1mdv2010.0.i586.rpm
 531a6537d9bf005ee54aece14aa48eb6  2010.0/i586/pidgin-tcl-2.6.5-0.1mdv2010.0.i586.rpm 
 83d0f2b5bb31e313c53c4d40ca8fe1da  2010.0/SRPMS/pidgin-2.6.5-0.1mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 e27d2817c814cf90bad7e205081402a2  2010.0/x86_64/finch-2.6.5-0.1mdv2010.0.x86_64.rpm
 611f230ca512ad0db64acc14ef06e148  2010.0/x86_64/lib64finch0-2.6.5-0.1mdv2010.0.x86_64.rpm
 8ae845e339ca97ebdd7f302eac3e5899  2010.0/x86_64/lib64purple0-2.6.5-0.1mdv2010.0.x86_64.rpm
 525a83c8cb39f1b8a5c54d1ee91d5e49  2010.0/x86_64/lib64purple-devel-2.6.5-0.1mdv2010.0.x86_64.rpm
 2ef31af24eb8a4c2706e67f941ad9fa3  2010.0/x86_64/pidgin-2.6.5-0.1mdv2010.0.x86_64.rpm
 f8d2d37e7e9f070ec94339c2a3b6b8f0  2010.0/x86_64/pidgin-bonjour-2.6.5-0.1mdv2010.0.x86_64.rpm
 45038a16defd0813f381fea1b184697a  2010.0/x86_64/pidgin-client-2.6.5-0.1mdv2010.0.x86_64.rpm
 9f48d1a4af0d24195610a0392f721acb  2010.0/x86_64/pidgin-gevolution-2.6.5-0.1mdv2010.0.x86_64.rpm
 6c7d1fcb4f0ba1a1b32d04ecaf51ce59  2010.0/x86_64/pidgin-i18n-2.6.5-0.1mdv2010.0.x86_64.rpm
 7efbc4ca6f8028476e6a842238d5e19c  2010.0/x86_64/pidgin-meanwhile-2.6.5-0.1mdv2010.0.x86_64.rpm
 58f135d340961f21b7b7a37931c7bf1d  2010.0/x86_64/pidgin-mono-2.6.5-0.1mdv2010.0.x86_64.rpm
 798c84ae196fdedbeddb8d71374ce063  2010.0/x86_64/pidgin-perl-2.6.5-0.1mdv2010.0.x86_64.rpm
 507b908bb81dc61cd633fccea1023314  2010.0/x86_64/pidgin-plugins-2.6.5-0.1mdv2010.0.x86_64.rpm
 48518b319bc1c5a5a452be9ceb522763  2010.0/x86_64/pidgin-silc-2.6.5-0.1mdv2010.0.x86_64.rpm
 b38b6ee90af7cee2298ba8f191b7fcc6  2010.0/x86_64/pidgin-tcl-2.6.5-0.1mdv2010.0.x86_64.rpm 
 83d0f2b5bb31e313c53c4d40ca8fe1da  2010.0/SRPMS/pidgin-2.6.5-0.1mdv2010.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFLS6HImqjQ0CJFipgRAtFeAKDDgB5ajBW96Sv5YBFoCprgN7m57gCbBWjf
aW7W6V/HuduwIHmOC3pXQhA=
=uVD5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ