Getting Pidgin 2.10.10 out the door

Daniel Atallah daniel.atallah at
Wed Oct 8 20:38:01 EDT 2014

On Fri, Oct 3, 2014 at 11:05 AM, Daniel Atallah <daniel.atallah at>

> We've been sitting on some vulnerabilities for quite a long time - it's
> time for a release.
> Here are the things that are committed and I think need CVEs for:
> * VRT-2014-0203 - Pidgin libpurple Mxit Emoticon ASN Length Denial of
> Service Vulnerability:
> * VRT-2014-0205 - Pidgin libpurple Novell Protocol Multiple Denial of
> Service Vulnerabilities:
> * VRT-2014-0205 - Pidgin Theme/Smiley Untar Arbitrary File Write
> Vulnerability:
> Outstanding stuff:
> * SSL certificate chain validation issues
> * "libpurple gadu-gadu issues" thread
> What else is outstanding?
> Are there additional bugs we need to fix or patches we should apply?
> How about targeting 10/15 for the release? Can we get the outstanding
> stuff done by then?
> -D

Assuming that the GG stuff isn't a problem we need to deal with for this
(that's the impression I've gotten based on the discussions here, please
correct me if I'm wrong), should we go ahead with 10/15?

Would it be better to wait another week?

I'd like to get a target date to communicate back to Richard Johnson - his
request isn't unreasonable :)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the security mailing list