security review and patches for libpurple

Jacob Appelbaum jacob at
Mon Jul 18 13:10:46 EDT 2011

On 07/18/2011 12:52 PM, Evan Schoenberg wrote:
> On Jul 18, 2011, at 11:14 AM, Ethan Blanton <elb at> wrote:
>> Jacob Appelbaum spake unto us the following wisdom:
>>>> With that in mind, I'd like to ask again if there are any
>>>> objections to my committing these patches to ipp without
>>>> embargo or a coordinated release.  If not, I will land them
>>>> some time tomorrow.  If anyone even simply thinks we should
>>>> wait a few days or get additional input before landing them,
>>>> that's fine, too.
>>> I would really strongly encourage you to co-ordinate with the
>>> Adium folks. It seems to me that they're behind on libpurple
>>> updates and any new security releases that don't go into Adium
>>> may cause Mac OS X users major trouble.
>> I appreciate that input.  There are several Adium developers on
>> the security at contact list, so they are in the loop on
>> this
> I apologize; I mixed up security threads. I was referring to the IRC
> whois issue.
> Integration of the larger patch set, which is being applied only
> against im.pidgin.pidgin as I understand it, will be a somewhat more
> complicated issue but we will work to make it happen in coordination
> based on timing for Pidgin's release as it's discussed here.

Is there any chance that Adium will simply move to the newest release of
libpurple soon? The newest libpurple also has a new proxy type
"Tor/Privacy" that is a security fix for users who use Tor with Adium. I
know many Adium (myself included) users who would like this fix/enhancement.

All the best,

More information about the security mailing list