www: 01edda7c: Document the CVE; whoever updates the we...

darkrain42 at pidgin.im darkrain42 at pidgin.im
Sun Jan 10 02:21:29 EST 2010


-----------------------------------------------------------------
Revision: 01edda7c78cf6ba9ffd2b4d9ed7874ee285dd4f8
Ancestor: ca1fb7b0ad88db5e08f2dad7c3ad0f73fa4bd55d
Author: darkrain42 at pidgin.im
Date: 2010-01-10T07:16:04
Branch: im.pidgin.www
URL: http://d.pidgin.im/viewmtn/revision/info/01edda7c78cf6ba9ffd2b4d9ed7874ee285dd4f8

Modified files:
        htdocs/news/security/index.php

ChangeLog: 

Document the CVE; whoever updates the website, please review this (and
check that I didn't introduce any syntax errors).

-------------- next part --------------
============================================================
--- htdocs/news/security/index.php	4c50c759796aef2d9f35d99c0a7f2e436d4136cf
+++ htdocs/news/security/index.php	f0f26225e8df0acf6cbe1d426a5c021397d0d90d
@@ -443,6 +443,17 @@ $vulnerabilities = array(
 		"fixrevisions" => "781682333aea0c801d280c3507ee25552a60bfc0",
 		"fixedversion" => "2.6.3",
 		"discoveredby" => "nightwing666 in <a href=\"http://developer.pidgin.im/ticket/10481\">ticket #10481</a>"
+	),
+	array(
+		"title"        => "MSN file download vulnerability",
+		"date"         => "2010-01-08",
+		"cve"          => "CVE-2010-0013",
+		"summary"      => "A remote user can download arbitrary files from a libpurple-based client",
+		"description"  => "The MSN protocol plugin extracts the filename of a custom emoticon from an incoming request and uploads that file without correlating the filename to a valid custom emoticon.",
+		"fix"          => "Validate the custom emoticon requested is valid before uploading its file data.",
+		"fixrevisions" => "c64a1adc8bda2b4aeaae1f273541afbc4f71b810",
+		"fixedversion" => "2.6.5",
+		"discoveredby" => "Fabian Yamaguchi"
 	)
 );
 /*	Template for the unfortunate future
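Review bot: the "fix" string in the new CVE-2010-0013 entry ("Validate the custom emoticon requested is valid before uploading its file data.") is circular and does not say what is being checked. Since the "description" field already names the missing step as correlating the filename to a valid custom emoticon, the fix text could say the same thing positively, for example "Verify that the requested filename corresponds to a valid custom emoticon before uploading its file data." The "description" is also written in the present tense ("extracts ... and uploads") although "fixedversion" is 2.6.5, so it reads as if current releases still behave this way; past tense or "before 2.6.5" would avoid that. On the syntax question raised in the commit message: the comma added after the previous entry's closing parenthesis and the reuse of the existing context ")" to close the new array leave the $vulnerabilities array balanced, and the last key ("discoveredby") correctly has no trailing comma, matching the entry above it.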