Talos Security Advisory for Pidgin

Regina Wilson -T (regiwils - ETTAIN GROUP INC at Cisco) regiwils at cisco.com
Mon Jun 6 13:57:24 EDT 2016


Hello Ethan,

As we are approaching the 60 day mark next week (Jun 14th), I wanted to follow up with you on any new developments.  Do you have a date/timeline for the disclosure release?

Kind Regards,

Regina Wilson
Project Coordinator, Open Source and Threat Intelligence
regiwils at cisco.com




> On May 10, 2016, at 9:58 AM, Ethan Blanton <elb at pidgin.im> wrote:
> 
> Regina Wilson -T (regiwils - ETTAIN GROUP INC at Cisco) spake unto us the following wisdom:
>> I am following up to see if you have any updates or new developments.
>> From our last communication, I’ve noted you will perform a coordinated
>> release with a number of vendors that distribute Pidgin or libpurple
>> library.  How is that coming along? Do you have a projected timeline?
> 
> Our mxit maintainer (Cc'd) has developed patches for issues 118, 120,
> 123, 128, 133, 134, 137, 139, 141, 142, and 143.  Issue 122 (user
> authentication hijack vulnerability) is a fundamental problem with the
> mxit protocol, and Pidgin/libpurple cannot fix it.  The remaining
> issues (119, 135, 136, 138, and 140) have been reviewed and are
> pending fixes.
> 
> We are hoping to make the 60 day window (which as I recall started
> April 14); past experience indicates that we will require about two to
> three weeks for vendor coordination. We have one other
> security-related issue that will be coordinated in this same release
> at the moment, for which a complete fix is not yet ready.  As soon as
> we have a coordinated release date, we will notify you.  Please feel
> free to ping for more information, we appreciate your keeping in touch
> on these issues.
> 
> Ethan
