[Fwd: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727]
Mark Doliner
mark at kingant.net
Wed Aug 12 22:48:36 EDT 2009
On Wed, Aug 12, 2009 at 7:31 PM, Paul Aurich <paul at darkrain42.org> wrote:
> I'm going to respond to this with something along the lines of the text
> below. Comments and feedback, please.
>
> "Thanks for the PoC code. We will have a patch and new release ready by the
> 18th.
>
> We've verified this issue in the code and believe it impacts all versions
> of Pidgin and Gaim starting with 0.79*.
>
> The default privacy settings allow any remote entity to contact an MSN
> user, so the attacker need not be in the victim's buddy list. The attack
> is mitigated if a user sets the privacy settings for MSN accounts to "Allow
> only the users below" (which defaults to the list of people on the buddy
> list).
>
> We will be releasing Pidgin 2.5.9, which will contain a patch just for this
> exploit."
This looks fantastic to me.
> Do we still plan on releasing 2.5.9 with just the patch? Will we release
> 2.6.0 at the same time?
I think we should definitely release 2.6.0--aside from this change
everything is ready, right? I don't have a strong opinion about
releasing 2.5.9, but I'm mildly in favor.
-Mark