Request for CVEs for Pidgin

Tomas Hoger thoger at redhat.com
Fri Oct 17 11:07:38 EDT 2014


On Tue, 14 Oct 2014 12:39:24 -0400 Daniel Atallah wrote:

> On Tue, Oct 14, 2014 at 4:13 AM, Huzaifa Sidhpurwala
> <huzaifas at redhat.com> wrote:
> 
> > CVE-2014-3694 pidgin: Insufficient SSL certificate validation
> > CVE-2014-3695 pidgin: Remote crash parsing malformed MXit emoticon
> > CVE-2014-3696 pidgin: Remote crash parsing malformed Groupwise message.
> > CVE-2014-3697 pidgin: Malicious smiley themes could alter arbitrary files
> > CVE-2014-3698 pidgin: Potential information leak from XMPP
> 
> I'm not sure how feasible it is to change the credits for some of
> these at this point, but we've had a request from the folks who
> discovered CVE-2014-3695, CVE-2014-3696, CVE-2014-3697 that
> references to "Sourcefire VRT" be updated to "Cisco Talos" due to the
> acquisition by Cisco and recent renaming of the VRT team.

Acknowledgments are not tied to the CVE assignments Huzaifa did in any
way.  They aren't part of Mitre CVE descriptions either.  So to use the
requested format, the best way is to ensure Pidgin upstream advisories
use it.  From there, they are likely to be re-used by other downstreams
packaging Pidgin.

As what Mark posted to the packages list already uses updated acks, the
only real risk is that someone who got the initial notification via the
post to security@ uses the old acks.

-- 
Tomas Hoger / Red Hat Product Security