Request for CVEs for Pidgin

Daniel Atallah datallah at pidgin.im
Fri Oct 17 12:11:11 EDT 2014


On Fri, Oct 17, 2014 at 11:07 AM, Tomas Hoger <thoger at redhat.com> wrote:

> On Tue, 14 Oct 2014 12:39:24 -0400 Daniel Atallah wrote:
>
> > On Tue, Oct 14, 2014 at 4:13 AM, Huzaifa Sidhpurwala
> > <huzaifas at redhat.com> wrote:
> >
> > > CVE-2014-3694 pidgin: Insufficient SSL certificate validation
> > > CVE-2014-3695 pidgin: Remote crash parsing malformed MXit emoticon
> > > CVE-2014-3696 pidgin: Remote crash parsing malformed Groupwise message.
> > > CVE-2014-3697 pidgin: Malicious smiley themes could alter arbitrary files
> > > CVE-2014-3698 pidgin: Potential information leak from XMPP
> >
> > I'm not sure how feasible it is to change the credits for some of
> > these at this point, but we've had a request from the folks who
> > discovered CVE-2014-3695, CVE-2014-3696, CVE-2014-3697 that
> > references to "Sourcefire VRT" be updated to "Cisco Talos" due to the
> > acquisition by Cisco and recent renaming of the VRT team.
>
> Acknowledgments are not related to the CVE assignments Huzaifa did in any
> way.  They aren't part of Mitre CVE descriptions either.  So to use the
> requested format, the best way is to ensure Pidgin upstream advisories
> use it.  From there, they are likely to be re-used by other downstreams
> packaging Pidgin.
>
> As what Mark posted to the packages list already uses updated acks, the
> only real risk is that someone who got the initial notification via the
> post to security@ uses the old acks.


Thanks for the clarification about how that works.