Talos Security Advisory for Pidgin

Ethan Blanton elb at pidgin.im
Tue May 10 09:58:28 EDT 2016


Regina Wilson -T (regiwils - ETTAIN GROUP INC at Cisco) spake unto us the following wisdom:
> I am following up to see if you have any updates or new developments. 
> From our last communication, I’ve noted you will perform a coordinated
> release with a number of vendors that distribute Pidgin or libpurple
> library.  How is that coming along? Do you have a projected timeline?

Our mxit maintainer (Cc'd) has developed patches for issues 118, 120,
123, 128, 133, 134, 137, 139, 141, 142, and 143.  Issue 122 (user
authentication hijack vulnerability) is a fundamental problem with the
mxit protocol, and Pidgin/libpurple cannot fix it.  The remaining
issues (119, 135, 136, 138, and 140) have been reviewed and are
pending fixes.

We are hoping to make the 60 day window (which as I recall started
April 14); past experience indicates that we will require about two to
three weeks for vendor coordination. We have one other
security-related issue that will be coordinated in this same release
at the moment, for which a complete fix is not yet ready.  As soon as
we have a coordinated release date, we will notify you.  Please feel
free to ping for more information; we appreciate your keeping in touch
on these issues.

Ethan