[Fwd: Re: [Advisories] Libpurple security vulnerability CORE-2009-0727]
mark at kingant.net
Wed Aug 12 22:48:36 EDT 2009
On Wed, Aug 12, 2009 at 7:31 PM, Paul Aurich<paul at darkrain42.org> wrote:
> I'm going to respond to this with something along the lines of the text
> below. Commends and feedback, please.
> "Thanks for the PoC code. We will have a patch and new release ready by the
> We've verified this issue in the code and believe it impacts all versions
> of Pidgin and Gaim starting with 0.79*.
> The default privacy settings allow any remote entity to contact an MSN
> user, so the attacker need not be in the victim's buddy list. The attack
> is mitigated if a user sets the privacy settings for MSN accounts to "Allow
> only the users below " (which defaults to the list of people on the buddy
> We will be releasing Pidgin 2.5.9, which will contain a patch just for this
This looks fantastic to me.
> Do we still plan on releasing 2.5.9 with just the patch? Will we release
> 2.6.0 at the same time?
I think we should definitely release 2.6.0--aside from this change
everything is ready, right? I don't have a strong opinion about
releasing 2.5.9, but I'm mildly in favor.
More information about the Packagers