lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <E1UG6Xo-0005yZ-OY@titan.mandriva.com>
Date: Thu, 14 Mar 2013 12:42:00 +0100
From: security@...driva.com
To: full-disclosure@...ts.grok.org.uk
Subject: [ MDVSA-2013:025 ] pidgin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2013:025
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : March 14, 2013
 Affected: Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities has been discovered and corrected in pidgin:
 
 The MXit protocol plugin in libpurple in Pidgin before 2.10.7 might
 allow remote attackers to create or overwrite files via a crafted
 (1) mxit or (2) mxit/imagestrips pathname (CVE-2013-0271).
 
 Buffer overflow in http.c in the MXit protocol plugin in libpurple
 in Pidgin before 2.10.7 allows remote servers to execute arbitrary
 code via a long HTTP header (CVE-2013-0272).
 
 sametime.c in the Sametime protocol plugin in libpurple in Pidgin
 before 2.10.7 does not properly terminate long user IDs, which allows
 remote servers to cause a denial of service (application crash)
 via a crafted packet (CVE-2013-0273).
 
 upnp.c in libpurple in Pidgin before 2.10.7 does not properly terminate
 long strings in UPnP responses, which allows remote attackers to
 cause a denial of service (application crash) by leveraging access
 to the local network (CVE-2013-0274).
 
 This update provides pidgin 2.10.7, which is not vulnerable to
 these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0271
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0272
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0273
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0274
 http://www.pidgin.im/news/security/
 _______________________________________________________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 4eb267f970ddb2ad4d62321c269d4a9b  mes5/i586/finch-2.10.7-0.1mdvmes5.2.i586.rpm
 e21539113c76768f5d2e0a0a4a9f6cbc  mes5/i586/libfinch0-2.10.7-0.1mdvmes5.2.i586.rpm
 19fcd2343bc5a28cfac82570047dabc8  mes5/i586/libpurple0-2.10.7-0.1mdvmes5.2.i586.rpm
 1d1ec13029069d2e5670ecd9e5c2c084  mes5/i586/libpurple-devel-2.10.7-0.1mdvmes5.2.i586.rpm
 24f8bc13c74be1366165f8c04d4b67ac  mes5/i586/pidgin-2.10.7-0.1mdvmes5.2.i586.rpm
 fe6749ec8865e5cc96b16ddce0606e25  mes5/i586/pidgin-bonjour-2.10.7-0.1mdvmes5.2.i586.rpm
 76f84decf6d5834037ccf6b9ed4c68d9  mes5/i586/pidgin-client-2.10.7-0.1mdvmes5.2.i586.rpm
 41f63fd40174df1160a63ef44d881c3c  mes5/i586/pidgin-gevolution-2.10.7-0.1mdvmes5.2.i586.rpm
 936c150819cd7e8ac19e5f2d02bb684d  mes5/i586/pidgin-i18n-2.10.7-0.1mdvmes5.2.i586.rpm
 7c1d22d3777f7c49f7d49b09a1d43811  mes5/i586/pidgin-meanwhile-2.10.7-0.1mdvmes5.2.i586.rpm
 ca57564f29f191f3bae55c9ce6255234  mes5/i586/pidgin-perl-2.10.7-0.1mdvmes5.2.i586.rpm
 1882da3624a8dc8e27a51f3c867dbc88  mes5/i586/pidgin-plugins-2.10.7-0.1mdvmes5.2.i586.rpm
 37ee0fe3a08d109f069de07f8a218f27  mes5/i586/pidgin-silc-2.10.7-0.1mdvmes5.2.i586.rpm
 4d8bbdce9ce0e3b1ec663f4df384c70b  mes5/i586/pidgin-tcl-2.10.7-0.1mdvmes5.2.i586.rpm 
 d8390c286670e49deee241267eb5070e  mes5/SRPMS/pidgin-2.10.7-0.1mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 00fb4dc53fd8cbf056d493ca75231d1c  mes5/x86_64/finch-2.10.7-0.1mdvmes5.2.x86_64.rpm
 f0a81cae3067ba8fa47f603af718e1bd  mes5/x86_64/lib64finch0-2.10.7-0.1mdvmes5.2.x86_64.rpm
 d50e2f1821a4912639b20fa678d4538b  mes5/x86_64/lib64purple0-2.10.7-0.1mdvmes5.2.x86_64.rpm
 5a73a3d942a97d581a5b89bfcc550be3  mes5/x86_64/lib64purple-devel-2.10.7-0.1mdvmes5.2.x86_64.rpm
 337ca23774f09a1f6e60d02ba1bdef3f  mes5/x86_64/pidgin-2.10.7-0.1mdvmes5.2.x86_64.rpm
 49d7a34e3af48fbf49d59a8dad1ca3fb  mes5/x86_64/pidgin-bonjour-2.10.7-0.1mdvmes5.2.x86_64.rpm
 53099ab83b0f4351d3668e2f84e6d2fa  mes5/x86_64/pidgin-client-2.10.7-0.1mdvmes5.2.x86_64.rpm
 31dc403c7863624346efaaa46027b3d1  mes5/x86_64/pidgin-gevolution-2.10.7-0.1mdvmes5.2.x86_64.rpm
 1ae8ab836a6caffa77b99fe6e5de31ae  mes5/x86_64/pidgin-i18n-2.10.7-0.1mdvmes5.2.x86_64.rpm
 beea935bc761483e50e5ec60bfeaa2a5  mes5/x86_64/pidgin-meanwhile-2.10.7-0.1mdvmes5.2.x86_64.rpm
 8d6abe0c106b5f9d24917cdad13ef668  mes5/x86_64/pidgin-perl-2.10.7-0.1mdvmes5.2.x86_64.rpm
 616204b1f131bf39fd77758765052286  mes5/x86_64/pidgin-plugins-2.10.7-0.1mdvmes5.2.x86_64.rpm
 60ef462c8b8f28b4280169a6bac8d22f  mes5/x86_64/pidgin-silc-2.10.7-0.1mdvmes5.2.x86_64.rpm
 78026cbae2cfdb327d64ed6b6b3fcc51  mes5/x86_64/pidgin-tcl-2.10.7-0.1mdvmes5.2.x86_64.rpm 
 d8390c286670e49deee241267eb5070e  mes5/SRPMS/pidgin-2.10.7-0.1mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFRQYu3mqjQ0CJFipgRAr58AKDQLYGYW+NZgX602GRUgztcWcdlQQCeOwkZ
4zmmI8O7HUx/x0D8R4nidvU=
=Dsq6
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ