www: 4288de09: Add the newest vulnerability and fix a g...
rekkanoryo at pidgin.im
rekkanoryo at pidgin.im
Thu May 13 01:16:26 EDT 2010
Author: rekkanoryo at pidgin.im
Add the newest vulnerability and fix a grammatical error I spotted. This could
receive further revision.
-------------- next part --------------
--- htdocs/ChangeLog bf2b5122dac511cdd2af177e27a6f90abbdb8942
+++ htdocs/ChangeLog 34b32dc84d678e17f564c6d04e76fcb0bafba2fe
@@ -1,5 +1,123 @@ Pidgin and Finch: The Pimpin' Penguin IM
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
+version 2.7.0 (05/12/2010):
+ * Changed GTK+ minimum version requirement to 2.10.0.
+ * Changed GLib minimum version requirement to 2.12.0.
+ * Using the --disable-nls argument to configure now works properly.
+ You will no longer be forced to have intltool to configure and build.
+ * Fix two related crashes in the GnuTLS and NSS plugins when they
+ suffer internal errors immediately upon attempting to establish
+ an SSL connection.
+ * Fix NSS to work when reinitialized after being used. (Thanks to
+ Ludovico Cavedon for the testcase)
+ * Added support for PURPLE_GNUTLS_PRIORITIES environment variable.
+ This can be used to specify GnuTLS priorities on a per-host basis.
+ The format is "host=priority;host2=priority;...". The default
+ priority can be overridden by using "*" as the host. See the
+ GnuTLS manual for documentation on the format of the priority
+ * Fix autoconf detection of Python. (Brad Smith)
+ * Fix a crash when a Windows proxy (from IE) does not have a port.
+ (Marten Klencke)
+ * Moved the "Debugging Information" section of the About box to a
+ "Build Information" dialog accessible on the Help menu.
+ * Moved the Developer and Crazy Patch Writer information from the About
+ box to a "Developer Information" dialog accessible on the Help menu.
+ * Moved the Translator information from the About box to a "Translator
+ Information" dialog accessible on the Help menu.
+ * Use GtkStatusIcon for the docklet, providing better integration in
+ notification area.
+ * Added UI for sending attentions (buzz, nudge) on supporting protocols.
+ * Make the search dialog unobtrusive in the conversation window (by
+ making it look and behave like the search dialog in Firefox)
+ * The Recent Log Activity sort method for the Buddy List now
+ distinguishes between no activity and a small amount of activity
+ in the distant past. (Greg McNew)
+ * Added a menu set mood globally for all mood-supporting accounts
+ (currently XMPP and ICQ).
+ * Default binding of Ctrl+Shift+v to 'Paste as Plain Text' in
+ conversation windows. This can be changed in .gtkrc-2.0. For example,
+ Ctrl+v can be bound to 'Paste as Plain Text' by default.
+ * Plugins can now handle markup in buddy names by attaching to the
+ "drawing-buddy" signal. (Daniele Ricci, Andrea Piccinelli)
+ * Be more accommodating when scaling down large images for use as
+ buddy icons.
+ * The 'Message Timestamp Formats' plugin allows changing the timestamp
+ format from the timestamps' context menu in conversation log.
+ * The 'Message Timestamp Formats' plugin allows forcing 12-hour
+ timestamps. (Jonathan Maltz)
+ * Fix pastes from Chrome (rich-text pastes and probably URLs
+ having garbage appended to them).
+ * Show file transfer thumbnails for images on supporting protocols
+ (currently only supported on MSN).
+ * Added support for IPv6. (Thanks to T_X for testing)
+ * Updated our bundled libgadu to 1.9.0-rc2 (many thanks to Krzysztof
+ Klinikowski for the work and testing put in here!)
+ * Minimum requirement for external libgadu is now also 1.9.0-rc2.
+ AIM and ICQ:
+ * X-Status (Custom ICQ status icon) support. Since most of the icons
+ available reflect moods, this is labeled "Set Mood" on the
+ Accounts->ICQ Account menu. (Andrew Ivanov, Tom?? Kebert,
+ Yuriy Yevgrafov, and trac users bob007, salieff, and nops)
+ * Allow setting and displaying icons between 1x1 and 100x100 pixels for
+ ICQ. Previously only icons between 48x48 and 52x64 were allowed.
+ * When using the clientLogin authentication method, prompt for a
+ password on reconnect when "Remember Password" is not checked and
+ authentication fails due to an incorrect password. (This is the same
+ behavior as the legacy authentication method)
+ * Support sending and receiving HTML-formatted messages for ICQ.
+ * Use the proper URL for "View web profile" link for ICQ buddies.
+ (Alexander Nartov)
+ * Support for version 9 of the MSN protocol has been removed. This
+ version is no longer supported on the servers.
+ * Support file transfer thumbnails (previews) for images.
+ * Direct messages to a specific resource only upon receipt of a message
+ with content (as opposed to a typing notification, etc). (Thanks to
+ rjoly for testing)
+ * Present a better error message when authentication fails while trying
+ to connect to Facebook. (David Reiss, Facebook)
+ * When sending data using in-band-bytestreams, interpret the block-size
+ attribute as the size of the BASE64-encoded representation of the
+ * Validate the hash on incoming BoB data objects (for custom smileys
+ etc.), cache based per JID when the CID is not a valid hash (as
+ specified by the BoB XEP).
+ * Send whitespace keepalives if we haven't sent data in a while (2
+ minutes). This fixes an issue with Openfire disconnecting a
+ libpurple-baesd client that has just been quiet for about 6
+ * Only support Google Talk's JID Domain Discovery extension
+ (allowing a user to log in with "@gmail.com" or "@googlemail.com"
+ interchangeably) for those two domains. This change was made
+ due to interoperability issues with some BOSH Connection Managers
+ and namespaced attributes.
+ Yahoo/Yahoo JAPAN:
+ * Attempt to better handle transparent proxies interfering with
+ HTTP-based login.
+ * Fix handling of P2P packets, thus fixing the loss of some messages.
+ * Retrieve the pager server address from Yahoo!'s servers directly.
+ * Removed the "Pager server" account option, as it is no longer needed.
+ * The authentication code is now less order-sensitive with the
+ components of the server's response.
+ * The authentication process now acts more like the official client.
+ * New action 'history-search', with default binding ctrl+r, to search
+ the entered string in the input history.
version 2.6.6 (02/18/2010):
* Fix 'make check' on OS X. (David Fang)
--- htdocs/news/security/index.php ac2e6634141581a8954263fef79fe8df1ffa3a28
+++ htdocs/news/security/index.php d52f0eb798a01132cf07e423c383b8777359f03b
@@ -471,7 +471,7 @@ $vulnerabilities = array(
"date" => "2010-02-18",
"cve" => "CVE-2010-0420",
"summary" => "Certain nicknames in group chat rooms can trigger a crash in Finch",
- "description" => "In a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username '\n' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution.",
+ "description" => "If a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username '\n' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution.",
"fix" => "Correctly parse '<br>' so that it appears literally rather than as '\n'.",
"fixrevisions" => "0085c32abf29d034d30feef1ffb1d483e316a9a8,ab4716ed6857f669ceb0296e5480729aafba2e9f",
"fixedversion" => "2.6.6",
@@ -487,6 +487,17 @@ $vulnerabilities = array(
"fixrevisions" => "d1009efa4da45e8abd8279b454505554627c67c6",
"fixedversion" => "2.6.6",
"discoveredby" => "Antti Hayrynen"
+ "title" => "MSN emoticon denial of service",
+ "date" => "2010-05-12",
+ "cve" => "",
+ "summary" => "Libpurple clients can crash due to malformed SLP message",
+ "description" => "A vulnerability was discovered in libpurple's MSN protocol plugin that can cause a denial of service (crash) due to insufficient validation of certain SLP packets related to custom emoticons. An attacker could use this vulnerability to remotely crash a client using libpurple for MSN. It is not possible for this vulnerability to be exploited for code execution.",
+ "fix" => "Validation has been added to the MSN plugin to prevent the crash.",
+ "fixrevisions" => "894460d22c434e73d60b71ec031611988e687c8b",
+ "fixedversion" => "2.7.0",
+ "discoveredby" => "Pierre Nogu?s of Meta Security"
/* Template for the unfortunate future
More information about the Commits