www: 13d454d4: Update for 2.10.0

markdoliner at pidgin.im markdoliner at pidgin.im
Sat Aug 20 13:05:56 EDT 2011


----------------------------------------------------------------------
Revision: 13d454d4b3effa1c6582a09f8640474670f6229c
Parent:   77f8cddb67dc36ebd878a6e17875898a32c880f1
Author:   markdoliner at pidgin.im
Date:     08/20/11 13:01:20
Branch:   im.pidgin.www
URL: http://d.pidgin.im/viewmtn/revision/info/13d454d4b3effa1c6582a09f8640474670f6229c

Changelog: 

Update for 2.10.0

Changes against parent 77f8cddb67dc36ebd878a6e17875898a32c880f1

  patched  htdocs/ChangeLog
  patched  htdocs/index.php
  patched  htdocs/news/security/index.php
  patched  inc/version.inc

============================================================
--- htdocs/index.php	b17e2f4df39ee513d3414b416d2c85392a976a45
+++ htdocs/index.php	9508c72de1b4b5a6c1b8cbf8f636c72b63fa0327
@@ -72,7 +72,7 @@ include($_SERVER['DOCUMENT_ROOT'] . "/..
 <!-- This will pull from somewhere else at some point -->
 <p class="more" id="lowblurb">
 <!-- Put little news blurbs here! -->
-Pidgin 2.9.0 contains an important security update (<a href="http://pidgin.im/news/security/?id=52">more info</a>).  Please upgrade!
+Pidgin 2.10.0 contains a few small security updates.  Please upgrade!
 </p>
 
 <?php /* Avoid outputting this stuff yet.
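Review bot: the replacement blurb on the `+` line drops the link to the security advisory that the old line carried ("<a href=\"http://pidgin.im/news/security/?id=52\">more info</a>"), so visitors no longer have a direct path from the front page to the three new advisories this same commit adds to htdocs/news/security/index.php. Suggest keeping a link, e.g. `Pidgin 2.10.0 contains a few small security updates (<a href="http://pidgin.im/news/security/">more info</a>).  Please upgrade!`, so that users deciding whether to upgrade can read what was fixed.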
============================================================
--- inc/version.inc	145e504c0e1c59a6d5c66c5dbc26a6604e9f2135
+++ inc/version.inc	650ed800a48d2690a175c1471bf87ce2378937c8
@@ -1,7 +1,7 @@
 <?php
 
 // Current Pidgin Release
-$pidgin_version        = "2.9.0";
+$pidgin_version        = "2.10.0";
 
 // Current Windows Pidgin Release
 $pidgin_win32_version  = "2.9.0";
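Review bot: `$pidgin_version` is bumped to "2.10.0" but the context line `$pidgin_win32_version  = "2.9.0";` is left unchanged, even though the advisory added in this commit for the file:// link handling is Windows-specific and lists `"fixedversion" => "2.10.0"`. If a 2.10.0 Windows build is being released, this line should be bumped in the same commit so the download page offers the fixed build; if the Windows build is intentionally lagging, the index.php blurb telling everyone to upgrade should say so, since Windows users are the ones affected by that advisory.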
============================================================
--- htdocs/ChangeLog	47d547dc8285a41c435aebc440783392720fd1c4
+++ htdocs/ChangeLog	b26029e9f70252ca07092892b5cf02f3a6acee50
@@ -1,5 +1,69 @@ Pidgin and Finch: The Pimpin' Penguin IM
 Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
 
+version 2.10.0 (08/18/2011):
+	Pidgin:
+	* Make the max size of incoming smileys a pref instead of hardcoding it.
+	  (Quentin Brandon) (#5231)
+	* Added a plugin information dialog to show information for plugins
+	  that aren't otherwise visible in the plugins dialog.
+	* Fix building with GTK+ earlier than 2.14.0 (GTK+ 2.10 is still the
+	  minimum supported) (#14261)
+
+	libpurple:
+	* Fix a potential crash in the Log Reader plugin when reading QIP logs.
+	* Fix a large number of strcpy() and strcat() invocations to use
+	  strlcpy() and strlcat(), etc., forestalling an entire class of
+	  string buffer overrun bugs.
+	  (The Electronic Frontier Foundation, Dan Auerbach, Chris Palmer,
+	  Jacob Appelbaum)
+	* Change some filename manipulations in filectl.c to use MAXPATHLEN
+	  instead of arbitrary length constants.  (The Electronic Frontier
+	  Foundation, Dan Auerbach, Chris Palmer, Jacob Appelbaum)
+	* Fix endianness-related crash in NTLM authentication (Jon Goldberg)
+	  (#14163)
+
+	Gadu-Gadu:
+	* Fixed searching for buddies in public directory. (Tomasz Wasilczyk)
+	  (#5242)
+	* Better status message handling. (Tomasz Wasilczyk) (#14314)
+	* Merged two buddy blocking methods. (Tomasz Wasilczyk) (#5303)
+	* Fix building of the bundled libgadu library with older versions
+	  of GnuTLS. (patch plucked from upstream) (#14365)
+
+	ICQ:
+	* Fix crash selecting Tools->Set Mood when you're online with an
+	  ICQ account that is configured as an AIM account. (#14437)
+
+	IRC:
+	* Fix a crash when remote users have certain characters in their
+	  nicknames. (Discovered by Djego Ibanez) (#14341)
+	* Fix the handling of formatting following mIRC ^O (#14436)
+	* Fix crash when NAMES is empty. (James McLaughlin) (#14518)
+
+	MSN:
+	* Fix incorrect handling of HTTP 100 responses when using the HTTP
+	  connection method.  This can lead to a crash. (Discovered by Marius
+	  Wachtler)
+	* Fix seemingly random crashing. (#14307)
+	* Fix a crash when the account is disconnected at the time we are doing a
+	  SB request. (Hanzz, ported by shlomif) (#12431)
+
+	XMPP:
+	* Do not generate malformed XML ("</>") when setting an empty mood.
+	  (#14342)
+	* Fix the /join <room> behavior.  (Broken when adding support for
+	  <room>@<server>)  (#14205)
+
+	Yahoo!/Yahoo! JAPAN:
+	* Fix coming out of idle while in an unavailable state
+	* Fix logging into Yahoo! JAPAN.  (#14259)
+
+	Windows-Specific Changes:
+	* Open an explorer.exe window at the location of the file when clicking
+	  on a file link instead of executing the file, because executing a file
+	  can be potentially dangerous.  (Discovered by James Burton of
+	  Insomnia Security) (Fixed by Eion Robb)
+
 version 2.9.0 (06/23/2011):
 	Pidgin:
 	* Fix a potential remote denial-of-service bug related to displaying
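Review bot: three of the new entries correspond to advisories added in the security index hunk of this same commit (IRC "Fix a crash when remote users have certain characters in their nicknames", MSN "Fix incorrect handling of HTTP 100 responses", and the Windows-Specific "Open an explorer.exe window ... instead of executing the file"), but nothing in the ChangeLog marks them as security fixes or points at the advisory. Suggest tagging each with its advisory reference (as earlier releases did with the security/?id= links) so packagers scanning the ChangeLog can tell which items are security-relevant; the MSN entry in particular has no ticket number at all, so an advisory reference would be its only pointer.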
============================================================
--- htdocs/news/security/index.php	e845053654c93ada19b3785a05d90bba825891e4
+++ htdocs/news/security/index.php	d2ced480168b73802f82b0ef0da058de1bcde5b2
@@ -563,6 +563,36 @@ $vulnerabilities = array(
 		"fixrevisions" => "e802003adbf0be4496de3de8ac03b47c1e471d00",
 		"fixedversion" => "2.9.0",
 		"discoveredby" => "Mark Doliner"
+	),
+	array(
+		"title"        => "Remote crash in IRC protocol plugin",
+		"date"         => "2011-08-20",
+		"cve"          => "",
+		"description"  => "Certain characters in the nicknames of IRC users can trigger a null pointer dereference in the IRC protocol plugin's handling of responses to WHO requests.  This can cause a crash on some operating systems.  Clients based on libpurple 2.8.0 through 2.9.0 are affected.",
+		"fix"          => "Change libpurple to validate the data it receives from the server before attempting to use it.",
+		"fixrevisions" => "5c2dba4a7e2e76b76e7f472b88953a4316706d43",
+		"fixedversion" => "2.10.0",
+		"discoveredby" => "Djego Ibanez, Lead QA at Gamistry"
+	),
+	array(
+		"title"        => "Remote crash in MSN protocol plugin",
+		"date"         => "2011-08-20",
+		"cve"          => "",
+		"description"  => "Incorrect handling of HTTP 100 responses in the MSN protocol plugin can cause the application to attempt to access memory that it does not have access to.  This only affects users who have turned on the HTTP connection method for their accounts (it's off by default).  This might only be triggerable by a malicious server and not a malicious peer.  We believe remote code execution is not possible.",
+		"fix"          => "Correctly take into account the size of HTTP 100 response when parsing server messages.",
+		"fixrevisions" => "16af0661899a978b4fedc1c165965b85009013d1",
+		"fixedversion" => "2.10.0",
+		"discoveredby" => "Marius Wachtler"
+	),
+	array(
+		"title"        => "Pidgin uses clickable links to untrusted executables",
+		"date"         => "2011-08-20",
+		"cve"          => "",
+		"description"  => "If a user clicks on a file:// URI in a received IM in Windows builds of Pidgin, Pidgin attempts to execute the file.  This can be dangerous if the file:// URI is a path on a network share.",
+		"fix"          => "Don't attempt to execute files when the user clicks a file:// URI.  Instead, open a file browser at the file's location.",
+		"fixrevisions" => "5749f9193063800d27bef75c2388f6f9cc2f7f37",
+		"fixedversion" => "2.10.0",
+		"discoveredby" => "James Burton, Insomnia Security"
 	)
 );
 /*	Template for the unfortunate future
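Review bot: all three new entries ship with `"cve" => ""`, and only the IRC entry states an affected range ("Clients based on libpurple 2.8.0 through 2.9.0 are affected"); the MSN and file:// entries give no affected versions. Suggest adding the affected range to the second and third entries before publishing, and either filling in the CVE identifiers or explicitly noting that none has been assigned yet, since downstream distributions key their tracking off those fields. Minor: the `"fix"` text for the MSN entry reads "the size of HTTP 100 response" and should be "the size of the HTTP 100 response".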

