Message-Id: <E1UG6Xo-0005yZ-OY@titan.mandriva.com>
Date: Thu, 14 Mar 2013 12:42:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2013:025 ] pidgin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2013:025
http://www.mandriva.com/en/support/security/
_______________________________________________________________________
Package : pidgin
Date : March 14, 2013
Affected: Enterprise Server 5.0
_______________________________________________________________________
Problem Description:

Multiple vulnerabilities have been discovered and corrected in pidgin:

The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might
allow remote attackers to create or overwrite files via a crafted
(1) mxit or (2) mxit/imagestrips pathname (CVE-2013-0271).

Buffer overflow in http.c in the MXit protocol plugin in libpurple
in Pidgin before 2.10.7 allows remote servers to execute arbitrary
code via a long HTTP header (CVE-2013-0272).

sametime.c in the Sametime protocol plugin in libpurple in Pidgin
before 2.10.7 does not properly terminate long user IDs, which allows
remote servers to cause a denial of service (application crash)
via a crafted packet (CVE-2013-0273).

upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate
long strings in UPnP responses, which allows remote attackers to
cause a denial of service (application crash) by leveraging access
to the local network (CVE-2013-0274).

This update provides pidgin 2.10.7, which is not vulnerable to
these issues.
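
The two termination issues above (CVE-2013-0273 and CVE-2013-0274) belong to a common C bug class: a bounded copy that leaves a fixed-size buffer without a NUL byte. The following is an added illustration and is not libpurple code; the function names, the ID_MAX field size and the sample ID are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define ID_MAX 16  /* hypothetical field size, not a libpurple constant */

/* Returns 1 if buf contains a NUL within its first n bytes, else 0. */
int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Flawed pattern: strncpy() writes no NUL when strlen(src) >= ID_MAX,
 * so a later strlen() or "%s" on dst reads past the end of the buffer. */
void copy_id_flawed(char dst[ID_MAX], const char *src)
{
    strncpy(dst, src, ID_MAX);
}

/* Hardened pattern: measure the input within the length the peer claimed,
 * reject anything that does not fit, and always leave dst terminated.
 * Returns 0 on success, -1 if the ID was rejected. */
int copy_id_checked(char dst[ID_MAX], const char *src, size_t claimed_len)
{
    size_t len = 0;
    while (len < claimed_len && src[len] != '\0')
        len++;
    if (len >= ID_MAX) {
        dst[0] = '\0';   /* never hand back an unterminated buffer */
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

int main(void)
{
    const char long_id[] = "user-id-longer-than-the-field"; /* constructed */
    char a[ID_MAX], b[ID_MAX];

    copy_id_flawed(a, long_id);
    printf("flawed copy terminated: %d\n", is_terminated(a, sizeof a));
    printf("checked copy rc: %d, terminated: %d\n",
           copy_id_checked(b, long_id, sizeof long_id - 1),
           is_terminated(b, sizeof b));
    return 0;
}
```
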
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0272
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0273
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0274
http://www.pidgin.im/news/security/
_______________________________________________________________________
Updated Packages:
Mandriva Enterprise Server 5:
Mandriva Enterprise Server 5/X86_64:
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iD8DBQFRQYu3mqjQ0CJFipgRAr58AKDQLYGYW+NZgX602GRUgztcWcdlQQCeOwkZ
4zmmI8O7HUx/x0D8R4nidvU=
=Dsq6
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/