Jabber OOB Transfer security issue

Daniel Atallah daniel.atallah at gmail.com
Thu Sep 19 21:31:07 EDT 2013


On Thu, Sep 19, 2013 at 8:23 PM, Matt Jones <matt at volvent.org> wrote:

> Thanks a lot.
>
> Just wondering if CVEs will be organised for the ones which are
> security related fixes?
>

We generally request CVEs for issues causing arbitrary code execution and
remote crashes that don't require the user to initiate or accept an
interaction.

Without looking at the code more than the snippet attached, it looks like this
particular issue is only triggered after a user has accepted a file
transfer. Unless it can be used to cause arbitrary code execution (I
haven't looked at it closely enough to tell if that's the case or not), it
probably wouldn't get a CVE.


>
> Also, when is the next release scheduled?
>

There isn't currently a scheduled date, although there are enough things at
this point that we probably should do that at some point soon.