Pidgin 2.5.9, 2.6.0, 2.6.1

Stu Tomlinson stu at nosnilmot.com
Fri Aug 21 22:03:30 EDT 2009


On Wed, Aug 19, 2009 at 15:22, Warren Togami<wtogami at redhat.com> wrote:
> On 08/19/2009 10:08 AM, John Bailey wrote:
>>
>> Mark Doliner wrote:
>>> 2.6.1: This is 2.6.0 with an important security fix and some fixed
>>> compilation problems.  Please use this and never 2.6.0!
>>
>> For reference, the security issue was that a remote user could send a URL
>> over Yahoo and crash a running Pidgin.  Neither Mark nor I could reproduce
>> this ourselves, but the user experiencing it was able to provide us a good
>> backtrace and test the patch for us.  It was already public on our trac
>> before Mark fixed the issue (http://developer.pidgin.im/ticket/9946).
>>
>
> 2.6.0 was already pushed to users.  To avoid confusion, we should assign a
> CVE to this new issue.  bressers is asking for a new CVE number.
>
> IRC discussion seemed to indicate that this did not affect 2.5.9, so it is
> limited to only 2.6.0 that needs fixing.

Is there any update on a CVE number for this issue?

I think we need one because this affects the default settings for
Yahoo! IM that allow anyone to send you an IM without prior
confirmation, and I think this is a DoS bug.

Regards,


Stu.
