2.7.0 test tarballs
John Bailey
rekkanoryo at rekkanoryo.org
Wed May 12 11:58:39 EDT 2010
On 05/12/2010 10:10 AM, John Bailey wrote:
> I'd prefer not having to recreate the tarballs since I've already tagged and
> committed the usual post-release stuff locally. I'm just sitting on the
> revisions until I make the release public.

For the record, I want to push these tarballs to the public *just before*
midnight tonight (US EDT), unless any of you come up with major issues that
require me to respin the tarballs.

Additionally, just for completeness, here is the text I will be publishing on
our security issues page that describes the problem:

summary:
Libpurple clients can crash due to malformed SLP message

full description:
A vulnerability was discovered in libpurple's MSN protocol plugin that can cause
a denial of service (crash) due to insufficient validation of certain SLP
packets related to custom emoticons. An attacker could use this vulnerability
to remotely crash a client using libpurple for MSN. It is not possible for this
vulnerability to be exploited for code execution. As a workaround, disabling
custom emoticons on MSN accounts will prevent the vulnerability.

fix:
Validation has been added to the MSN plugin to prevent the crash.

discovered by:
Pierre Noguès of Meta Security

John