Upcoming Pidgin security disclosures and 2.10.1

Jan Lieskovsky jlieskov at redhat.com
Sat Dec 10 15:49:57 EST 2011


Hello Mark,

On 12/10/2011 09:22 PM, Mark Doliner wrote:
> FYI we just pushed the fixes to our source repo, released Pidgin
> 2.10.1, and posted security advisory blurbs on http://pidgin.im/
>
> Tarballs:
> https://sourceforge.net/projects/pidgin/files/Pidgin/2.10.1/
>
> Advisory Blurbs:
> SILC crash - CVE-2011-3594 - http://pidgin.im/news/security/?id=56
> AIM/ICQ crash - CVE-2011-4601 - http://pidgin.im/news/security/?id=57
> XMPP crash - (no CVE yet) - http://pidgin.im/news/security/?id=58

Please use the CVE-2011-4602 identifier for the XMPP / Jabber Jingle
stanza multiple NULL ptr dereference flaws issue.

>
> On Fri, Dec 9, 2011 at 2:20 AM, Jan Lieskovsky <jlieskov at redhat.com> wrote:
>> i) first CVE -- XMPP/Jingle issue. Going to be assigned by Red Hat,
>> iv) fourth CVE - SILC protocol channel messages UTF-8 deficiency. Going to
>> be assigned by Red Hat once confirmed.
>
> Jan and Huzaifa, we're still hoping you'll issue us a CVE for the XMPP
> issue, and, if you feel it's a good idea, a second CVE for the SILC
> issue.

Please use the CVE-2011-4603 identifier for the SILC channel messages issue.

But when describing CVE-2011-4603, please explicitly mention:
"A different vulnerability than CVE-2011-3594." as the last sentence
in the CVE-2011-4603 description (so it would be clear that there
are two issues).

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

>
> Thanks,
> Mark
