www: 4288de09: Add the newest vulnerability and fix a g...

rekkanoryo at pidgin.im rekkanoryo at pidgin.im
Thu May 13 01:16:26 EDT 2010

Revision: 4288de09be2a049c02709c0e256ed83b2db3f747
Ancestor: 9709f263e8aca75664bf16ee7296da91839b0925
Author: rekkanoryo at pidgin.im
Date: 2010-05-12T05:28:36
Branch: im.pidgin.www
URL: http://d.pidgin.im/viewmtn/revision/info/4288de09be2a049c02709c0e256ed83b2db3f747

Modified files:
        htdocs/ChangeLog htdocs/news/security/index.php


Add the newest vulnerability and fix a grammatical error I spotted.  This could
receive further revision.

-------------- next part --------------
--- htdocs/ChangeLog	bf2b5122dac511cdd2af177e27a6f90abbdb8942
+++ htdocs/ChangeLog	34b32dc84d678e17f564c6d04e76fcb0bafba2fe
@@ -1,5 +1,123 @@ Pidgin and Finch: The Pimpin' Penguin IM
 Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
+version 2.7.0 (05/12/2010):
+	General:
+	* Changed GTK+ minimum version requirement to 2.10.0.
+	* Changed GLib minimum version requirement to 2.12.0.
+	* Using the --disable-nls argument to configure now works properly.
+	  You will no longer be forced to have intltool to configure and build.
+	* Fix two related crashes in the GnuTLS and NSS plugins when they
+	  suffer internal errors immediately upon attempting to establish
+	  an SSL connection.
+	* Fix NSS to work when reinitialized after being used.  (Thanks to
+	  Ludovico Cavedon for the testcase)
+	* Added support for PURPLE_GNUTLS_PRIORITIES environment variable.
+	  This can be used to specify GnuTLS priorities on a per-host basis.
+	  The format is "host=priority;host2=priority;...".  The default
+	  priority can be overridden by using "*" as the host.  See the
+	  GnuTLS manual for documentation on the format of the priority
+	  strings.
+	* Fix autoconf detection of Python.  (Brad Smith)
+	* Fix a crash when a Windows proxy (from IE) does not have a port.
+	  (Marten Klencke)
+	Pidgin:
+	* Moved the "Debugging Information" section of the About box to a
+	  "Build Information" dialog accessible on the Help menu.
+	* Moved the Developer and Crazy Patch Writer information from the About
+	  box to a "Developer Information" dialog accessible on the Help menu.
+	* Moved the Translator information from the About box to a "Translator
+	  Information" dialog accessible on the Help menu.
+	* Use GtkStatusIcon for the docklet, providing better integration in
+	  notification area.
+	* Added UI for sending attentions (buzz, nudge) on supporting protocols.
+	* Make the search dialog unobtrusive in the conversation window (by
+	  making it look and behave like the search dialog in Firefox)
+	* The Recent Log Activity sort method for the Buddy List now
+	  distinguishes between no activity and a small amount of activity
+	  in the distant past.  (Greg McNew)
+	* Added a menu set mood globally for all mood-supporting accounts
+	  (currently XMPP and ICQ).
+	* Default binding of Ctrl+Shift+v to 'Paste as Plain Text' in
+	  conversation windows. This can be changed in .gtkrc-2.0. For example,
+	  Ctrl+v can be bound to 'Paste as Plain Text' by default.
+	* Plugins can now handle markup in buddy names by attaching to the
+	  "drawing-buddy" signal. (Daniele Ricci, Andrea Piccinelli)
+	* Be more accommodating when scaling down large images for use as
+	  buddy icons.
+	* The 'Message Timestamp Formats' plugin allows changing the timestamp
+	  format from the timestamps' context menu in conversation log.
+	* The 'Message Timestamp Formats' plugin allows forcing 12-hour
+	  timestamps.  (Jonathan Maltz)
+	* Fix pastes from Chrome (rich-text pastes and probably URLs
+	  having garbage appended to them).
+	* Show file transfer thumbnails for images on supporting protocols
+	  (currently only supported on MSN).
+	Bonjour:
+	* Added support for IPv6. (Thanks to T_X for testing)
+	Gadu-Gadu:
+	* Updated our bundled libgadu to 1.9.0-rc2 (many thanks to Krzysztof
+	  Klinikowski for the work and testing put in here!)
+	* Minimum requirement for external libgadu is now also 1.9.0-rc2.
+	AIM and ICQ:
+	* X-Status (Custom ICQ status icon) support.  Since most of the icons
+	  available reflect moods, this is labeled "Set Mood" on the
+	  Accounts->ICQ Account menu. (Andrew Ivanov, Tom?? Kebert,
+	  Yuriy Yevgrafov, and trac users bob007, salieff, and nops)
+	* Allow setting and displaying icons between 1x1 and 100x100 pixels for
+	  ICQ.  Previously only icons between 48x48 and 52x64 were allowed.
+	* When using the clientLogin authentication method, prompt for a
+	  password on reconnect when "Remember Password" is not checked and
+	  authentication fails due to an incorrect password.  (This is the same
+	  behavior as the legacy authentication method)
+	* Support sending and receiving HTML-formatted messages for ICQ.
+	* Use the proper URL for "View web profile" link for ICQ buddies.
+	  (Alexander Nartov)
+	MSN:
+	* Support for version 9 of the MSN protocol has been removed.  This
+	  version is no longer supported on the servers.
+	* Support file transfer thumbnails (previews) for images.
+	* Direct messages to a specific resource only upon receipt of a message
+	  with content (as opposed to a typing notification, etc).  (Thanks to
+	  rjoly for testing)
+	* Present a better error message when authentication fails while trying
+	  to connect to Facebook.  (David Reiss, Facebook)
+	* When sending data using in-band-bytestreams, interpret the block-size
+	  attribute as the size of the BASE64-encoded representation of the
+	  data.
+	* Validate the hash on incoming BoB data objects (for custom smileys
+	  etc.), cache based per JID when the CID is not a valid hash (as
+	  specified by the BoB XEP).
+	* Send whitespace keepalives if we haven't sent data in a while (2
+	  minutes).  This fixes an issue with Openfire disconnecting a
+	  libpurple-baesd client that has just been quiet for about 6
+	  minutes.
+	* Only support Google Talk's JID Domain Discovery extension
+	  (allowing a user to log in with "@gmail.com" or "@googlemail.com"
+	  interchangeably) for those two domains.  This change was made
+	  due to interoperability issues with some BOSH Connection Managers
+	  and namespaced attributes.
+	Yahoo/Yahoo JAPAN:
+	* Attempt to better handle transparent proxies interfering with
+	  HTTP-based login.
+	* Fix handling of P2P packets, thus fixing the loss of some messages.
+	* Retrieve the pager server address from Yahoo!'s servers directly.
+	* Removed the "Pager server" account option, as it is no longer needed.
+	* The authentication code is now less order-sensitive with the
+	  components of the server's response.
+	* The authentication process now acts more like the official client.
+	Finch:
+	* New action 'history-search', with default binding ctrl+r, to search
+	  the entered string in the input history.
 version 2.6.6 (02/18/2010):
 	* Fix 'make check' on OS X. (David Fang)
--- htdocs/news/security/index.php	ac2e6634141581a8954263fef79fe8df1ffa3a28
+++ htdocs/news/security/index.php	d52f0eb798a01132cf07e423c383b8777359f03b
@@ -471,7 +471,7 @@ $vulnerabilities = array(
 		"date"         => "2010-02-18",
 		"cve"          => "CVE-2010-0420",
 		"summary"      => "Certain nicknames in group chat rooms can trigger a crash in Finch",
-		"description"  => "In a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username '\n' in the room, and Finch crashes in this situation.  We do not believe there is a possibility of remote code execution.",
+		"description"  => "If a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username '\n' in the room, and Finch crashes in this situation.  We do not believe there is a possibility of remote code execution.",
 		"fix"          => "Correctly parse '<br>' so that it appears literally rather than as '\n'.",
 		"fixrevisions" => "0085c32abf29d034d30feef1ffb1d483e316a9a8,ab4716ed6857f669ceb0296e5480729aafba2e9f",
 		"fixedversion" => "2.6.6",
@@ -487,6 +487,17 @@ $vulnerabilities = array(
 		"fixrevisions" => "d1009efa4da45e8abd8279b454505554627c67c6",
 		"fixedversion" => "2.6.6",
 		"discoveredby" => "Antti Hayrynen"
+	),
+	array(
+		"title"        => "MSN emoticon denial of service",
+		"date"         => "2010-05-12",
+		"cve"          => "",
+		"summary"      => "Libpurple clients can crash due to malformed SLP message",
+		"description"  => "A vulnerability was discovered in libpurple's MSN protocol plugin that can cause a denial of service (crash) due to insufficient validation of certain SLP packets related to custom emoticons.  An attacker could use this vulnerability to remotely crash a client using libpurple for MSN.  It is not possible for this vulnerability to be exploited for code execution.",
+		"fix"          => "Validation has been added to the MSN plugin to prevent the crash.",
+		"fixrevisions" => "894460d22c434e73d60b71ec031611988e687c8b",
+		"fixedversion" => "2.7.0",
+		"discoveredby" => "Pierre Nogu?s of Meta Security"
 /*	Template for the unfortunate future

More information about the Commits mailing list