Potential security issue: Yahoo authorisation requests with invalid encoding

Mark Doliner mark at kingant.net
Tue Feb 5 02:43:24 EST 2013


I've been looking at this a bit, and I think it's going to take some
work.  Our string handling in Yahoo is pretty inconsistent, and I
think we'll want to do some testing with Windows clients to make sure
we're behaving sanely.  I think that will take time.

I'd like to go ahead and do a Pidgin release nowish with the fixes for
the two MXit problems, and with working SSL CA certs, and we can do
another release once we're confident we have a patch for this issue.

Does that sound ok to people?

