[Backports-security-announce] Security Update for pidgin

Type debian
Reporter Debian
Modified 2010-01-29T07:16:12


Jan Wagner uploaded a new package for pidgin which fixed the following security problem:

CVE-2010-0013[1] and Debian Bug #563206[2]

It was discovered that Pidgin did not properly handle custom smiley requests in the MSN protocol handler. A remote attacker could send a specially crafted filename in a custom smiley request and obtain arbitrary files via directory traversal.

For the lenny distribution the problem has been fixed soon in version 2.4.3-4lenny5.

For the sid distribution the problem has been fixed in version 2.6.5-2.

Upgrade instructions

If you don't use pinning (see [1]) you have to update nagios3 manually via "apt-get -t etch-backports install nagios". [1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend to pin the backports repository to 200 so that new versions of installed backports will be installed automatically:

Package: * Pin: release a=lenny-backports Pin-Priority: 200

[1] http://security-tracker.debian.org/tracker/CVE-2010-0013 [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563206