Upcoming Pidgin security disclosures and 2.10.1

Jan Lieskovsky jlieskov at redhat.com
Sat Dec 10 15:49:57 EST 2011

Hello Mark,

On 12/10/2011 09:22 PM, Mark Doliner wrote:
> FYI we just pushed the fixes to our source repo, released Pidgin
> 2.10.1, and posted security advisory blurbs on http://pidgin.im/
> Tarballs:
> https://sourceforge.net/projects/pidgin/files/Pidgin/2.10.1/
> Advisory Blurbs:
> SILC crash - CVE-2011-3594 - http://pidgin.im/news/security/?id=56
> AIM/ICQ crash - CVE-2011-4601 - http://pidgin.im/news/security/?id=57
> XMPP crash - (no CVE yet) - http://pidgin.im/news/security/?id=58

Please use the CVE-2011-4602 identifier for the XMPP / Jabber Jingle
stanza multiple NULL ptr dereference flaws issue.

> On Fri, Dec 9, 2011 at 2:20 AM, Jan Lieskovsky<jlieskov at redhat.com>  wrote:
>> i) first CVE -- XMPP/Jingle issue. Going to be assigned by Red Hat,
>> iv) fourth CVE - SILC protocol channel messages UTF-8 deficiency. Going to
>> be assigned by Red Hat once confirmed.
> Jan and Huzaifa, we're still hoping you'll issue us a CVE for the XMPP
> issue, and, if you feel it's a good idea, a second CVE for the SILC
> issue.

Please use CVE-2011-4603 identifier for the SILC channel messages issue.

But when describing CVE-2011-4603, please, explicitly mention:
"A different vulnerability than CVE-2011-3594." as a last sentence
in the CVE-2011-4603 description (so there would be clear that there
are two issues).

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

> Thanks,
> Mark

More information about the Packagers mailing list