desktop-packages team mailing list archive
Message #123428
[Bug 1465052] Re: pidgin 1.2.11 backport required
These CVEs have either been fixed or are not applicable:
Here are links to all the CVE tracking information:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3694.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3695.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3696.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3697.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3698.html
Here's a link to the Ubuntu Security Notice that was published:
http://www.ubuntu.com/usn/usn-2390-1
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3694
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3695
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3696
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3697
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3698
** Project changed: vivid-backports => pidgin (Ubuntu)
** Changed in: pidgin (Ubuntu)
Status: New => Invalid
** Information type changed from Public to Public Security
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pidgin in Ubuntu.
https://bugs.launchpad.net/bugs/1465052
Title:
pidgin 1.2.11 backport required
Status in pidgin package in Ubuntu:
Invalid
Bug description:
bug #1402424 (a gaping security/information leak hole in Vivid's
Pidgin) has been marked as closed, despite the fact that an updated
version has not been released for Vivid, per the original bug report.
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1402424
Apparently releasing a security-fixed version for a non-released
distribution (wily) is "good enough".
This needs backporting from Wily ASAP.
These are the unfixed, publicly disclosed vulnerabilities in the
distributed version:
https://pidgin.im/news/security/
                                                     CVE Name       Date        Fixed In
Potential information leak from XMPP                 CVE-2014-3698  2014-10-22  2.10.10
Malicious smiley themes could alter arbitrary files  CVE-2014-3697  2014-10-22  2.10.10
Remote crash parsing malformed Groupwise message     CVE-2014-3696  2014-10-22  2.10.10
Remote crash parsing malformed MXit emoticon         CVE-2014-3695  2014-10-22  2.10.10
Insufficient SSL certificate validation              CVE-2014-3694  2014-10-22  2.10.10