desktop-packages team mailing list archive

[Bug 1465052] Re: pidgin 1.2.11 backport required

 

These CVEs have either been fixed or are not applicable:

Here are links to all the CVE tracking information:
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3694.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3695.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3696.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3697.html
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-3698.html

Here's a link to the Ubuntu Security Notice that was published:
http://www.ubuntu.com/usn/usn-2390-1

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3694

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3695

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3696

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3697

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3698

** Project changed: vivid-backports => pidgin (Ubuntu)

** Changed in: pidgin (Ubuntu)
       Status: New => Invalid

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pidgin in Ubuntu.
https://bugs.launchpad.net/bugs/1465052

Title:
  pidgin 1.2.11 backport required

Status in pidgin package in Ubuntu:
  Invalid

Bug description:
  bug #1402424 (a gaping security/information leak hole in Vivid's
  Pidgin) has been marked as closed, despite the fact that an updated
  version has not been released for Vivid, per the original bug report.

  https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1402424

  Apparently releasing a security fixed version for a non-released
  distribution (wily) is "good enough"

  This needs backporting from Wily asap.

  These are the unfixed, publicly disclosed vulnerabilities in the
  distributed version:

  https://pidgin.im/news/security/

  	CVE Name	Date	Fixed In
  Potential information leak from XMPP	CVE-2014-3698	2014-10-22	2.10.10
  Malicious smiley themes could alter arbitrary files	CVE-2014-3697	2014-10-22	2.10.10
  Remote crash parsing malformed Groupwise message	CVE-2014-3696	2014-10-22	2.10.10
  Remote crash parsing malformed MXit emoticon	CVE-2014-3695	2014-10-22	2.10.10
  Insufficient SSL certificate validation	CVE-2014-3694	2014-10-22	2.10.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pidgin/+bug/1465052/+subscriptions