CentOS ProjectCESA-2009:1453finch, libpurple, pidgin security update
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.045 Low
EPSS
Percentile
92.4%
CentOS Errata and Security Advisory CESA-2009:1453
Pidgin is an instant messaging program which can log in to multiple
accounts on multiple instant messaging networks simultaneously. Info/Query
(IQ) is an Extensible Messaging and Presence Protocol (XMPP) specific
request-response mechanism.
A NULL pointer dereference flaw was found in the way the Pidgin XMPP
protocol plug-in processes IQ error responses when trying to fetch a custom
smiley. A remote client could send a specially-crafted IQ error response
that would crash Pidgin. (CVE-2009-3085)
A NULL pointer dereference flaw was found in the way the Pidgin IRC
protocol plug-in handles IRC topics. A malicious IRC server could send a
specially-crafted IRC TOPIC message, which once received by Pidgin, would
lead to a denial of service (Pidgin crash). (CVE-2009-2703)
It was discovered that, when connecting to certain, very old Jabber servers
via XMPP, Pidgin may ignore the βRequire SSL/TLSβ setting. In these
situations, a non-encrypted connection is established rather than the
connection failing, causing the user to believe they are using an encrypted
connection when they are not, leading to sensitive information disclosure
(session sniffing). (CVE-2009-3026)
A NULL pointer dereference flaw was found in the way the Pidgin MSN
protocol plug-in handles improper MSNSLP invitations. A remote attacker
could send a specially-crafted MSNSLP invitation request, which once
accepted by a valid Pidgin user, would lead to a denial of service (Pidgin
crash). (CVE-2009-3083)
These packages upgrade Pidgin to version 2.6.2. Refer to the Pidgin release
notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog
All Pidgin users should upgrade to these updated packages, which correct
these issues. Pidgin must be restarted for this update to take effect.
Merged security bulletin from advisories:
https://lists.centos.org/pipermail/centos-announce/2009-October/078431.html
https://lists.centos.org/pipermail/centos-announce/2009-October/078432.html
https://lists.centos.org/pipermail/centos-announce/2009-September/078331.html
https://lists.centos.org/pipermail/centos-announce/2009-September/078332.html
Affected packages:
finch
finch-devel
libpurple
libpurple-devel
libpurple-perl
libpurple-tcl
pidgin
pidgin-devel
pidgin-perl
Upstream details at:
https://access.redhat.com/errata/RHSA-2009:1453
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| CentOS | 4 | i386 | finch | <Β 2.6.2-2.el4 | finch-2.6.2-2.el4.i386.rpm |
| CentOS | 4 | i386 | finch-devel | <Β 2.6.2-2.el4 | finch-devel-2.6.2-2.el4.i386.rpm |
| CentOS | 4 | i386 | libpurple | <Β 2.6.2-2.el4 | libpurple-2.6.2-2.el4.i386.rpm |
| CentOS | 4 | i386 | libpurple-devel | <Β 2.6.2-2.el4 | libpurple-devel-2.6.2-2.el4.i386.rpm |
| CentOS | 4 | i386 | libpurple-perl | <Β 2.6.2-2.el4 | libpurple-perl-2.6.2-2.el4.i386.rpm |
| CentOS | 4 | i386 | libpurple-tcl | <Β 2.6.2-2.el4 | libpurple-tcl-2.6.2-2.el4.i386.rpm |
| CentOS | 4 | i386 | pidgin | <Β 2.6.2-2.el4 | pidgin-2.6.2-2.el4.i386.rpm |
| CentOS | 4 | i386 | pidgin-devel | <Β 2.6.2-2.el4 | pidgin-devel-2.6.2-2.el4.i386.rpm |
| CentOS | 4 | i386 | pidgin-perl | <Β 2.6.2-2.el4 | pidgin-perl-2.6.2-2.el4.i386.rpm |
| CentOS | 4 | i386 | finch | <Β 2.6.2-2.el4 | finch-2.6.2-2.el4.i386.rpm |
Related
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.045 Low
EPSS
Percentile
92.4%