
desktop-packages team mailing list archive

[Bug 1465052] [NEW] pidgin 1.2.11 backport required

 

You have been subscribed to a public bug:

bug #1402424 (a gaping security/information leak hole in Vivid's Pidgin)
has been marked as closed, despite the fact that an updated version has
not been released for Vivid, per the original bug report.

https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1402424

Apparently releasing a security fixed version for a non-released
distribution (wily) is "good enough".

This needs backporting from Wily asap.

These are the unfixed, publicly disclosed vulnerabilities in the
distributed version:

https://pidgin.im/news/security/

                                                     CVE Name       Date        Fixed In
Potential information leak from XMPP                 CVE-2014-3698  2014-10-22  2.10.10
Malicious smiley themes could alter arbitrary files  CVE-2014-3697  2014-10-22  2.10.10
Remote crash parsing malformed Groupwise message     CVE-2014-3696  2014-10-22  2.10.10
Remote crash parsing malformed MXit emoticon         CVE-2014-3695  2014-10-22  2.10.10
Insufficient SSL certificate validation              CVE-2014-3694  2014-10-22  2.10.10

** Affects: pidgin (Ubuntu)
     Importance: Undecided
         Status: Invalid

-- 
pidgin 1.2.11 backport required
https://bugs.launchpad.net/bugs/1465052
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pidgin in Ubuntu.