lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20100418154722.C49D73267BD@morgana.loeki.tv>
Date: Sun, 18 Apr 2010 17:47:22 +0200 (CEST)
From: Thijs Kinkhorst <thijs@...ian.org>
To: debian-security-announce@...ts.debian.org
Subject: [SECURITY] [DSA 2038-1] New pidgin packages fix
	denial of service

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-2038-1                  security@...ian.org
http://www.debian.org/security/                          Thijs Kinkhorst
April 18, 2010                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : pidgin
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE Id(s)      : CVE-2010-0420 CVE-2010-0423
Debian Bug     : 566775

Several remote vulnerabilities have been discovered in Pidgin, a multi
protocol instant messaging client. The Common Vulnerabilities and
Exposures project identifies the following problems:

CVE-2010-0420

	Crafted nicknames in the XMPP protocol can crash Pidgin remotely.

CVE-2010-0423

	Remote contacts may send too many custom smilies, crashing Pidgin.

Since a few months, Microsoft's servers for MSN have changed the protocol,
making Pidgin non-functional for use with MSN. It is not feasible to port
these changes to the version of Pidgin in Debian Lenny. This update
formalises that situation by disabling the protocol in the client. Users
of the MSN protocol are advised to use the version of Pidgin in the
repositories of www.backports.org.

For the stable distribution (lenny), these problems have been fixed in
version 2.4.3-4lenny6.

For the unstable distribution (sid), these problems have been fixed in
version 2.6.6-1.

We recommend that you upgrade your pidgin package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Source archives:

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3.orig.tar.gz
    Size/MD5 checksum: 13123610 d0e0bd218fbc67df8b2eca2f21fcd427
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6.dsc
    Size/MD5 checksum:     1784 f640f8119ef901c7be009232c6dfee05
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6.diff.gz
    Size/MD5 checksum:    72144 85217de41bcd069748eb441886cdfab9

Architecture independent packages:

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-data_2.4.3-4lenny6_all.deb
    Size/MD5 checksum:  7019074 1c79c0da4c115e2699d577b957c4e541
  http://security.debian.org/pool/updates/main/p/pidgin/finch-dev_2.4.3-4lenny6_all.deb
    Size/MD5 checksum:   159726 c657bace836fb1d4f3c04c57bdcd7e19
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple-bin_2.4.3-4lenny6_all.deb
    Size/MD5 checksum:   133894 49e2b54dcad5a2b40705478118da2d72
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple-dev_2.4.3-4lenny6_all.deb
    Size/MD5 checksum:   277220 9517eadf780382575efcd57ba9dc308b
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dev_2.4.3-4lenny6_all.deb
    Size/MD5 checksum:   193802 b05666d23964d0d28646dc49a85de940

alpha architecture (DEC Alpha)

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_alpha.deb
    Size/MD5 checksum:  1477324 c6c9e6753f98159748b9e0116bb40df3
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_alpha.deb
    Size/MD5 checksum:   776550 1334935aee6756fdc1b6e1702cabe0b3
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_alpha.deb
    Size/MD5 checksum:   369734 f54c236b4aa7e94d33da983f042bd82b
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_alpha.deb
    Size/MD5 checksum:  4952616 ac34a66c4b19a7dd23b1fa0240c07f97

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_amd64.deb
    Size/MD5 checksum:   727918 e6447c0efc4f5c490bc806f00840b075
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_amd64.deb
    Size/MD5 checksum:  1406192 68711767e43c6a0722b8b4d5ed59843a
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_amd64.deb
    Size/MD5 checksum:  5067988 c430e8ff4e8b13830c71da4f6948a4f6
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_amd64.deb
    Size/MD5 checksum:   348062 042092eae5df409b1b39ae96a6a5b856

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_arm.deb
    Size/MD5 checksum:  1217972 2b2879660723d31097c9a535e14c177d
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_arm.deb
    Size/MD5 checksum:   657362 27313370246e22f31b6439981062dda7
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_arm.deb
    Size/MD5 checksum:   316578 36a170a849ca166bcfe9b457f85b9cdb
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_arm.deb
    Size/MD5 checksum:  4799502 e4689175bb1d17cb942ed50c7d091315

armel architecture (ARM EABI)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_armel.deb
    Size/MD5 checksum:   668088 714b556255126c810659f203ffb93db1
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_armel.deb
    Size/MD5 checksum:  1221012 bbcb58abd9f04c1ba2df16bfce74e29c
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_armel.deb
    Size/MD5 checksum:   319790 b7c9ae4c8cfe107744523c44926375a4
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_armel.deb
    Size/MD5 checksum:  4821838 ca27cf7101ca23de2ab36cd0c21360d0

hppa architecture (HP PA RISC)

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_hppa.deb
    Size/MD5 checksum:  1495046 d445e1cb5e3500fc9970b1099ba14227
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_hppa.deb
    Size/MD5 checksum:   754250 64d22a1f7c7b9c920360f325749ab0fe
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_hppa.deb
    Size/MD5 checksum:   361568 d77edf95828aec4d0347f548e0b0a108
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_hppa.deb
    Size/MD5 checksum:  4906668 1208501055cffef75023543a72c956ce

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_i386.deb
    Size/MD5 checksum:  4809696 f6df7ed8178ad450886c4d19284e1c04
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_i386.deb
    Size/MD5 checksum:   326412 fb3dff6c0627b67e9710630906c770a9
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_i386.deb
    Size/MD5 checksum:  1290792 b0eaca04079ad13798d350ec18ad41b5
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_i386.deb
    Size/MD5 checksum:   679712 d946170d5d259c120f909285c48294fb

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_ia64.deb
    Size/MD5 checksum:  4669414 5273183a49a9b6e334963816871d6ce0
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_ia64.deb
    Size/MD5 checksum:   434978 e4750a60b59c31a868dd0ebda33c96f2
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_ia64.deb
    Size/MD5 checksum:   948754 2b9ce7e253458ce9f7511ba26ece0b90
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_ia64.deb
    Size/MD5 checksum:  1789606 a2e654bacaaaef9fece43aaa2e33b420

mips architecture (MIPS (Big Endian))

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_mips.deb
    Size/MD5 checksum:   654450 edbc24d8f35a894a3d301a751d2d8977
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_mips.deb
    Size/MD5 checksum:  1096044 d88283ec19ea5d867e7d28325744d8fb
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_mips.deb
    Size/MD5 checksum:   318672 ed52e8ecafb8e410eab3194914b4014d
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_mips.deb
    Size/MD5 checksum:  5054324 9ddbd413029130c610512f25aa230553

mipsel architecture (MIPS (Little Endian))

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_mipsel.deb
    Size/MD5 checksum:   651410 89e26238fc91f1f75376d29a009cd751
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_mipsel.deb
    Size/MD5 checksum:   318572 4992c5f4f4bce500db6b3792295ad0c2
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_mipsel.deb
    Size/MD5 checksum:  4963322 2d397b0c64352a1a1e94534c0d0cf4de
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_mipsel.deb
    Size/MD5 checksum:  1086788 afb54d1620a692cb6273dbb9e3a67908

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_powerpc.deb
    Size/MD5 checksum:  5014910 acaaacb4532ae1176e628b23aaae74fe
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_powerpc.deb
    Size/MD5 checksum:   362722 2824883e0fb35a6b758d89188d0be39d
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_powerpc.deb
    Size/MD5 checksum:   755056 890358f5bc3215a5ab59609d8bd0c1d1
  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_powerpc.deb
    Size/MD5 checksum:  1445264 d5961438dc2a8c4798e815009792fab5

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_s390.deb
    Size/MD5 checksum:  1326506 9a6b8060e2710587d17477c4b976922a
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_s390.deb
    Size/MD5 checksum:   717976 970f51fbc28082cc53af9ddc1bb183c1
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_s390.deb
    Size/MD5 checksum:   359214 3eca65b1913b2db015f7d5c75157e5c6
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_s390.deb
    Size/MD5 checksum:  4977082 e7bfcd7d662c5c41d860baabddac9c37

sparc architecture (Sun SPARC/UltraSPARC)

  http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny6_sparc.deb
    Size/MD5 checksum:  1302702 f550e43bfd0aa9bf89d6768eb2bf3966
  http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny6_sparc.deb
    Size/MD5 checksum:   329408 54fdcf6f005a936007201e8ef5a49e4c
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny6_sparc.deb
    Size/MD5 checksum:  4611594 b6124b51dd98dba2e1194295fc46002e
  http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny6_sparc.deb
    Size/MD5 checksum:   683284 f744d4b6e674fff37a0e00c1656db64e


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@...ts.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJLyykYAAoJECIIoQCMVaAcNicH/RNCxVsf9xTEQsOLyW+ktOY4
tUWY3kGqQfuHF9jds9jQzT97qstepzkn8dFOAetcxUbTP4CenV3bhRoaARpwaUnO
n9Rbziiz6e6zhPED/EpdaBQ4ADjkYiT0/0NL4DTKqFuuGetI9HQ6IInqwQfqB2O2
n+4gyqM3756NMTWfXC6N/uOd33cMnji5tRwk5J8cGCCvky+lYFSIOjaZ6Jff6GJF
b1P6vo6F1FU9jBkKIwuRIVGyEE82neyqZODkU47OsbYvPeKdz/qCoKswhg+3u6/n
24JpDbZFpMyFf8Ypta5ttyfa6fkxX1ZToK9hrNDAYDOI05tT4lBGwmNOHZ8t/XA=
=iYzY
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ