Getting Pidgin 2.10.10 out the door

Daniel Atallah daniel.atallah at gmail.com
Wed Oct 8 20:38:01 EDT 2014


On Fri, Oct 3, 2014 at 11:05 AM, Daniel Atallah <daniel.atallah at gmail.com>
wrote:

> We've been sitting on some vulnerabilities for quite a long time - it's
> time for a release.
>
> Here are the things that are committed and I think need CVEs for:
>
> * VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of
> Service Vulnerability:
> * VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of
> Service Vulnerabilities:
> * VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
> Vulnerability:
>
> Outstanding stuff:
>
> * SSL certificate chain validation issues
> * "libpurple gadu-gadu issues" thread
>
> What else is outstanding?
> Are there additional bugs we need to fix or patches we should apply?
>
>
> How about targeting 10/15 for the release? Can we get the outstanding
> stuff done by then?
>
> -D
>

Assuming that the GG stuff isn't a problem we need to deal with for this
(that's the impression I've gotten based on the discussions here, please
correct me if I'm wrong), should we go ahead with 10/15?

Would it be better to wait another week?

I'd like to get a target date to communicate back to Richard Johnson - his
request isn't unreasonable :)

Thanks,
-D
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pidgin.im/cgi-bin/mailman/private/security/attachments/20141008/aa8a358c/attachment.html>


More information about the security mailing list