Pidgin 2.8.0: MSN, No QQ...
Paul Aurich
darkrain42 at pidgin.im
Thu May 12 00:44:45 EDT 2011
Hi folks!
2.8.0 is nearing release, and we have two notes for you.
1) We've removed the QQ plugin. It didn't work, hasn't for a while, and
there hasn't been any significant activity from the developers. Another
plugin [1] exists, which seems promising (based on the thread on the Pidgin
development list, it at least works). We don't currently have a stub
plugin to notify users about the removal, but we will probably add one (if
not in this release, then for 2.8.1).
2) We have a remote crashing (NULL deref) bug in the MSN protocol plugin,
for which we probably need a CVE#. Our resident MSN expert, Elliott,
believes it's not exploitable by another user, although a malicious entity
MITMing a Pidgin user could crash Pidgin. I've attached the proposed patch
from Mark Doliner.
Prerelease tarballs will be provided, but I think a reasonable target for
release is Sunday or Monday. Please consider the security issue embargoed
until release.
Thanks!
~Paul
[1] https://code.google.com/p/libqq-pidgin/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: msn-httpconn-null-deref.patch
Type: text/x-patch
Size: 1259 bytes
Desc: not available
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20110511/d36bb7bf/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/cgi-bin/mailman/private/packagers/attachments/20110511/d36bb7bf/attachment.pgp>
More information about the Packagers
mailing list