/www/pidgin: 4e64a2260176: Update web site for 2.10.10.

Mark Doliner mark at kingant.net
Wed Oct 22 10:10:13 EDT 2014


Changeset: 4e64a226017699f03c4f3a18d955bb18da4c6164
Author:	 Mark Doliner <mark at kingant.net>
Date:	 2014-10-22 07:10 -0700
Branch:	 default
URL: https://hg.pidgin.im/www/pidgin/rev/4e64a2260176

Description:

Update web site for 2.10.10.

diffstat:

 htdocs/ChangeLog               |  79 +++++++++++++++++++++++++++++++++++------
 htdocs/index.php               |   2 +-
 htdocs/news/security/index.php |  50 ++++++++++++++++++++++++++
 inc/version.inc                |   4 +-
 4 files changed, 120 insertions(+), 15 deletions(-)

diffs (260 lines):

diff --git a/htdocs/ChangeLog b/htdocs/ChangeLog
--- a/htdocs/ChangeLog
+++ b/htdocs/ChangeLog
@@ -1,5 +1,60 @@
 Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
 
+version 2.10.10 (10/22/14):
+	General:
+	* Check the basic constraints extension when validating SSL/TLS
+	  certificates. This fixes a security hole that allowed a malicious
+	  man-in-the-middle to impersonate an IM server or any other https
+	  endpoint. This affected both the NSS and GnuTLS plugins. (Discovered
+	  by an anonymous person and Jacob Appelbaum of the Tor Project, with
+	  thanks to Moxie Marlinspike for first publishing about this type of
+	  vulnerability. Thanks to Kai Engert for guidance and for some of the
+	  NSS changes) (CVE-2014-3694)
+	* Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL.
+	  (Elrond and Ashish Gupta) (#15909)
+
+	libpurple3 compatibility:
+	* Encrypted account passwords are preserved until the new one is set.
+	* Fix loading Google Talk and Facebook XMPP accounts.
+
+	Windows-Specific Changes:
+	* Don't allow overwriting arbitrary files on the file system when the
+	  user installs a smiley theme via drag-and-drop. (Discovered by Yves
+	  Younan of Cisco Talos) (CVE-2014-3697)
+	* Updates to dependencies:
+		* NSS 3.17.1 and NSPR 4.10.7
+
+	Finch:
+	* Fix build against Python 3. (Ed Catmur) (#15969)
+
+	Gadu-Gadu:
+	* Updated internal libgadu to version 1.12.0.
+
+	Groupwise:
+	* Fix potential remote crash parsing server message that indicates that
+	  a large amount of memory should be allocated. (Discovered by Yves Younan
+	  and Richard Johnson of Cisco Talos) (CVE-2014-3696)
+
+	IRC:
+	* Fix a possible leak of unencrypted data when using /me command
+	  with OTR. (Thijs Alkemade) (#15750)
+
+	MXit:
+	* Fix potential remote crash parsing a malformed emoticon response.
+	  (Discovered by Yves Younan and Richard Johnson of Cisco Talos)
+	  (CVE-2014-3695)
+
+	XMPP:
+	* Fix potential information leak where a malicious XMPP server and
+	  possibly even a malicious remote user could create a carefully crafted
+	  XMPP message that causes libpurple to send an XMPP message containing
+	  arbitrary memory. (Discovered and fixed by Thijs Alkemade and Paul
+	  Aurich) (CVE-2014-3698)
+	* Fix Facebook XMPP roster quirks. (#15041, #15957)
+
+	Yahoo:
+	* Fix login when using the GnuTLS library for TLS connections. (#16172)
+
 version 2.10.9 (2/2/2014):
 	XMPP:
 	* Fix problems logging into some servers including jabber.org and
@@ -126,7 +181,7 @@ version 2.10.8 (1/28/2014):
 	Plugins:
 	* Fix crash in contact availability plugin.
 	* Fix perl function Purple::Network::ip_atoi
-	* Add Ubuntu Unity UI integration plugin.
+	* Add Unity integration plugin.
 
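Review bot: this rewords the already-published 2.10.8 entry ("Add Ubuntu Unity UI integration plugin." to "Add Unity integration plugin."), which is easy to miss in a commit titled for 2.10.10; a reader comparing the shipped 2.10.8 ChangeLog with the web copy will see them differ, so note the historical edit in the commit description.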
 version 2.10.7 (02/13/2013):
 	Alien hatchery:
@@ -209,7 +264,7 @@ version 2.10.7 (02/13/2013):
 	  this issue and suggesting solutions. (#15277)
 	* Updates to a number of dependencies, some of which have security
 	  related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen
-	  for identifying the vulnerable libraries and to Dieter Verfaillie 
+	  for identifying the vulnerable libraries and to Dieter Verfaillie
 	  for helping getting the libraries updated. (#14571, #15285, #15286)
 		* ATK 1.32.0-2
 		* Cyrus SASL 2.1.25
@@ -786,7 +841,7 @@ version 2.7.6 (11/21/2010):
 	* Added extended capabilities support (none implemented).
 	* Merged the work done on the Google SoC (major rewrite of SLP code)
 	* Reworked the data transfer architecture.
-	  (http://developer.pidgin.im/wiki/SlpArchitecture)
+	  (https://developer.pidgin.im/wiki/SlpArchitecture)
 	* Lots of little changes.
 	* Don't process zero-length DC messages. (#12660)
 	* Fixed a bunch of memory leaks.
@@ -2187,7 +2242,7 @@ version 2.4.3 (07/01/2008):
 	* Various memory leak fixes
 
 version 2.4.2 (05/17/2008):
-	http://developer.pidgin.im/query?status=closed&milestone=2.4.2
+	https://developer.pidgin.im/query?status=closed&milestone=2.4.2
 	libpurple:
 	* In MySpaceIM, messages from spambots are discarded (Justin Williams)
 	* Strip mIRC formatting codes from quit and part messages.
@@ -2253,7 +2308,7 @@ version 2.4.2 (05/17/2008):
 	  enabled).
 
 version 2.4.1 (03/31/2008):
-	http://developer.pidgin.im/query?status=closed&milestone=2.4.1
+	https://developer.pidgin.im/query?status=closed&milestone=2.4.1
 
 	libpurple:
 	* Treat AIM Unicode messages as UTF-16 rather than UCS-2; this
@@ -2289,7 +2344,7 @@ version 2.4.1 (03/31/2008):
 	  on the right to show it.
 
 version 2.4.0 (02/29/2008):
-	http://developer.pidgin.im/query?status=closed&milestone=2.4.0
+	https://developer.pidgin.im/query?status=closed&milestone=2.4.0
 
 	libpurple:
 	* Added support for offline messages for AIM accounts (thanks to
@@ -2348,7 +2403,7 @@ version 2.4.0 (02/29/2008):
 	* Fixed a bug preventing finch working on x86_64
 
 version 2.3.1 (12/7/2007):
-	http://developer.pidgin.im/query?status=closed&milestone=2.3.1
+	https://developer.pidgin.im/query?status=closed&milestone=2.3.1
 		NOTE: Due to the way this release was made, it is possible that
 		      bugs marked as fixed in 2.3.1 will not be fixed until the
 		      next release.
@@ -2369,7 +2424,7 @@ version 2.3.1 (12/7/2007):
 	* Prevent autoaccept plugin overwriting existing files
 
 version 2.3.0 (11/24/2007):
-	http://developer.pidgin.im/query?status=closed&milestone=2.3.0
+	https://developer.pidgin.im/query?status=closed&milestone=2.3.0
 		NOTE: Some bugs marked fixed in 2.2.1, 2.2.2 or 2.2.3 may not
 		      have been fixed until this release (2.3.0).
 
@@ -2442,7 +2497,7 @@ version 2.3.0 (11/24/2007):
 	* 'yank' operation for the entry boxes. The default binding is ctrl+y.
 
 version 2.2.2 (10/23/2007):
-	http://developer.pidgin.im/query?status=closed&milestone=2.2.2
+	https://developer.pidgin.im/query?status=closed&milestone=2.2.2
 		NOTE: Due to the way this release was made, it is possible that
 			  bugs marked as fixed in 2.2.1 or 2.2.2 will not be fixed
 			  until the next release.
@@ -2454,7 +2509,7 @@ version 2.2.2 (10/23/2007):
 	  how this is done on other platforms.
 
 version 2.2.1 (09/29/2007):
-	http://developer.pidgin.im/query?status=closed&milestone=2.2.1
+	https://developer.pidgin.im/query?status=closed&milestone=2.2.1
 		NOTE: Due to the backporting that happened for the actual
 		      release, it is possible bugs marked as fixed in 2.2.1
 		      will not be fixed until 2.2.2.
@@ -2479,7 +2534,7 @@ version 2.2.1 (09/29/2007):
 	  dialog.
 
 version 2.2.0 (09/13/2007):
-	http://developer.pidgin.im/query?status=closed&milestone=2.2.0
+	https://developer.pidgin.im/query?status=closed&milestone=2.2.0
 
 	libpurple:
 	* New protocol plugin: MySpaceIM (Jeff Connelly, Google Summer of
@@ -2857,7 +2912,7 @@ version 2.0.0 (5/3/2007):
 	  Summer of Code)
 	* Updated Gadu-Gadu protocol support (Bartosz Oler, Google Summer of
 	  Code).  This requires the libgadu library.  See
-	  http://pidgin.im/faq.php#libgadu for more information.
+	  https://pidgin.im/faq.php#libgadu for more information.
 	* SIP/SIMPLE support (Thomas Butter, Google Summer of Code)
 	* Sametime protocol support
 	  Requires the meanwhile library: http://meanwhile.sourceforge.net
diff --git a/htdocs/index.php b/htdocs/index.php
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -114,7 +114,7 @@
 
 <p class="more" id="lowblurb">
 <!-- Put little news blurbs here! -->
-Pidgin 2.10.8 contains <a href="/news/security/">important security updates</a> and fixes an untrusted AIM SSL certificate. Pidgin 2.10.9 fixes logins to some XMPP servers. Please upgrade!
+Pidgin 2.10.10 contains <a href="/news/security/">important security updates</a>. Please upgrade!
 </p>
 
 </div>
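Review bot: the blurb hardcodes "Pidgin 2.10.10" even though inc/version.inc in this same changeset defines $pidgin_version; echoing that variable here would keep the blurb from going stale, which is exactly what happened to the 2.10.8/2.10.9 text being removed in this hunk.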
diff --git a/htdocs/news/security/index.php b/htdocs/news/security/index.php
--- a/htdocs/news/security/index.php
+++ b/htdocs/news/security/index.php
@@ -893,6 +893,56 @@
 		"fixrevisions" => "a167504359e5,9f132a6855cd,5845d9fa7084,6b0e0566af20,4d9be297d399,7d0fb0c6d8d4",
 		"fixedversion" => "2.10.8",
 		"discoveredby" => "Daniel Atallah"
+	),
+	array(
+		"title"        => "Insufficient SSL certificate validation",
+		"date"         => "2014-10-22",
+		"cve"          => "CVE-2014-3694",
+		"description"  => "Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one for NSS) failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary domain and Pidgin would trust it.",
+		"fix"          => "Both bundled plugins were changed to check the Basic Constraints extension on all intermediate CA certificates.",
+		"fixrevisions" => "2e4475087f04",
+		"fixedversion" => "2.10.10",
+		"discoveredby" => "An anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability"
+	),
+	array(
+		"title"        => "Remote crash parsing malformed MXit emoticon",
+		"date"         => "2014-10-22",
+		"cve"          => "CVE-2014-3695",
+		"description"  => "A malicious server or man-in-the-middle could trigger a crash in libpurple by sending an emoticon with an overly large length value.",
+		"fix"          => "Verify that the length value is valid before attempting to read data from the buffer.",
+		"fixrevisions" => "6436e14bdb9d",
+		"fixedversion" => "2.10.10",
+		"discoveredby" => "Yves Younan and Richard Johnson of Cisco Talos"
+	),
+	array(
+		"title"        => "Remote crash parsing malformed Groupwise message",
+		"date"         => "2014-10-22",
+		"cve"          => "CVE-2014-3696",
+		"description"  => "A malicious server or man-in-the-middle could trigger a crash in libpurple by specifying that a large amount of memory should be allocated in many places in the UI.",
+		"fix"          => "Impose a maximum length when reading various types of messages.",
+		"fixrevisions" => "44fd89158777",
+		"fixedversion" => "2.10.10",
+		"discoveredby" => "Yves Younan and Richard Johnson of Cisco Talos"
+	),
+	array(
+		"title"        => "Malicious smiley themes could alter arbitrary files",
+		"date"         => "2014-10-22",
+		"cve"          => "CVE-2014-3697",
+		"description"  => "A bug in the untar code on Windows could allow a malicious smiley theme to place a file anywhere on the file system, or alter an existing file when installing a smiley theme via drag and drop on Windows.",
+		"fix"          => "Fix the untar code to ensure all paths are relative.",
+		"fixrevisions" => "68b8eb10977f",
+		"fixedversion" => "2.10.10",
+		"discoveredby" => "Yves Younan of Cisco Talos"
+	),
+	array(
+		"title"        => "Potential information leak from XMPP",
+		"date"         => "2014-10-22",
+		"cve"          => "CVE-2014-3698",
+		"description"  => "A malicious server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory.",
+		"fix"          => "Correctly determine the start and end position of buffers when performing stringprep.",
+		"fixrevisions" => "ea46ab68f0dc",
+		"fixedversion" => "2.10.10",
+		"discoveredby" => "Thijs Alkemade and Paul Aurich"
 	)
 );
 /*	Template for the unfortunate future
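Review bot: in the CVE-2014-3696 entry, "allocated in many places in the UI" is confusing, since the ChangeLog describes the bug as parsing a server message in the Groupwise protocol plugin, not the UI; say "in many places in the Groupwise plugin" or drop the clause. In the CVE-2014-3694 entry, the "fix" field only says intermediate CA certificates are checked, while the description says any valid certificate could be used to mint one for an arbitrary domain; if the end-entity certificate's own Basic Constraints are checked too, state that here, as this page is what admins will cite when deciding whether the fix covers their case.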
diff --git a/inc/version.inc b/inc/version.inc
--- a/inc/version.inc
+++ b/inc/version.inc
@@ -1,10 +1,10 @@
 <?php
 
 // Current Pidgin Release
-$pidgin_version        = "2.10.9";
+$pidgin_version        = "2.10.10";
 
 // Current Windows Pidgin Release
-$pidgin_win32_version  = "2.10.9";
+$pidgin_win32_version  = "2.10.10";
 
 // Version of Pidgin in the Ubuntu PPA
 $pidgin_ubuntu_version = "2.10.9";
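Review bot: $pidgin_ubuntu_version stays at "2.10.9" while the other two versions are bumped to 2.10.10; if the PPA has not been rebuilt yet that is correct, but this file carries no note of it, so add a comment or a follow-up so the site does not keep advertising a PPA that lags a security release.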
