PGP key for vulnerability reports

Rich Johnson (richjoh) richjoh at cisco.com
Wed Jan 22 15:39:21 EST 2014


Great, thanks for the update Mark. Did we manage to get credit merged so everyone shows up on the combined CVE? They're all a similar class of vulnerability but in different components so it seems a little unusual to merge them. I'm fine with that decision, I just want to make sure my guys get credited appropriately.  

Cheers, 
Rich Johnson  


-----Original Message-----
From: Mark Doliner [mailto:mark at kingant.net] 
Sent: Wednesday, January 22, 2014 3:18 AM
To: Richard Johnson
Cc: Rich Johnson (richjoh); Pidgin Security; Yves Younan; VRT-vulndev (vrt-vulndev at sourcefire.com)
Subject: Re: PGP key for vulnerability reports

Hi again. Just wanted to share some info. The embargo date is set:
Tuesday 2013-01-28 at 07:00 PST, 10:00 EST, 15:00 UTC.

We'll be releasing Pidgin 2.10.8 at that time. And we have two CVEs for the bugs you found.

CVE-2013-6486
- Pidgin uses clickable links to untrusted executables

CVE-2013-6487
Used for three similar but different issues:
- Buffer overflow in Gadu-Gadu HTTP parsing
- Buffer overflow in MXit emoticon parsing
- Buffer overflow in SIMPLE header parsing

