ID FEDORA_2009-7370.NASL Type nessus Reporter Tenable Modified 2016-05-20T00:00:00
Description
Several important bug fixes: - More fixes for Yahoo protocol 16 - MSN, MySpace, XMPP - CVE-2009-1889
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2009-7370.
#
include("compat.inc");

# Registration pass. When Nessus loads the plugin with `description` set it
# only records the metadata below and exits; the package check further down
# never runs in this pass.
if (description)
{
  script_id(39610);
  script_version ("$Revision: 1.16 $");
  script_cvs_date("$Date: 2016/05/20 13:54:17 $");

  # Single CVE covered by this advisory; the Bugtraq id and the Fedora
  # advisory number are the cross-references carried into the report.
  script_cve_id("CVE-2009-1889");
  script_bugtraq_id(35530);
  script_xref(name:"FEDORA", value:"2009-7370");

  script_name(english:"Fedora 10 : pidgin-2.5.8-1.fc10 (2009-7370)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  # Description text is lifted verbatim from the Fedora advisory; the
  # advisory itself only names the CVE, so the impact detail comes from the
  # CVSS vector below rather than from this text.
  script_set_attribute(
    attribute:"description",
    value:
"Several important bug fixes: - More fixes for Yahoo protocol 16 - MSN,
MySpace, XMPP - CVE-2009-1889

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=508738"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2009-July/026105.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?53538681"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected pidgin package."
  );
  # CVSS2 base vector: network, low complexity, unauthenticated, impact on
  # availability only (C:N/I:N/A:P) -- a remote denial of service, no data
  # exposure. Temporal: proof-of-concept exploit, official fix, confirmed.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  # Exploitability flags feed prioritisation in the scanner UI; they are
  # asserted here as metadata, not derived from the host check.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  # CWE-399: Resource Management Errors.
  script_cwe_id(399);

  # Local (credentialed) check; the CPEs tie the finding to the pidgin
  # package on the Fedora 10 platform for asset correlation.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:pidgin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/07/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/07/06");
  # Must follow every script_set_attribute() call above.
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  # ssh_get_info.nasl populates the Host/* KB keys the check relies on; the
  # plugin is skipped entirely if any of the required keys is absent.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Package check for FEDORA-2009-7370: reports when the pidgin RPM installed
# on a Fedora 10 x86/x86_64 host is older than pidgin-2.5.8-1.fc10.
# Each audit() call below terminates the plugin, so the guards are hard
# exits rather than branches -- nothing after a failed guard runs.

# Credentialed local checks must be enabled for an rpm comparison at all.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# The host must identify as Fedora, and its major release must be exactly 10.
rel = get_kb_item("Host/RedHat/release");
if (isnull(rel) || "Fedora" >!< rel) audit(AUDIT_OS_NOT, "Fedora");

ver_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:rel);
if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
ver = ver_match[1];
# "10" followed by a non-digit or end of string, so e.g. 100 or 101 do not match.
if (! ereg(pattern:"^10([^0-9]|$)", string:ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + ver);

# The collected rpm inventory is what rpm_check() compares against.
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only i386..i686 and x86_64 hosts are covered; anything else is reported
# as not implemented rather than silently passed.
arch = get_kb_item("Host/cpu");
if (isnull(arch)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< arch && arch !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", arch);

# A single package is affected by this advisory. rpm_check() is truthy when
# the installed version is older than the reference and records the
# comparison for rpm_report_get().
vulnerable = rpm_check(release:"FC10", reference:"pidgin-2.5.8-1.fc10");

if (vulnerable)
{
  # Attach the per-package version comparison when the scan is verbose
  # (report_verbosity presumably comes from global_settings.inc).
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}

# Not vulnerable: distinguish "tested and current" from "not installed" so
# the audit trail explains why no finding was raised.
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
audit(AUDIT_PACKAGE_NOT_INSTALLED, "pidgin");
{"id": "FEDORA_2009-7370.NASL", "bulletinFamily": "scanner", "title": "Fedora 10 : pidgin-2.5.8-1.fc10 (2009-7370)", "description": "Several important bug fixes: - More fixes for Yahoo protocol 16 - MSN, MySpace, XMPP - CVE-2009-1889\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-07-06T00:00:00", "modified": "2016-05-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=39610", "reporter": "Tenable", "references": ["http://www.nessus.org/u?53538681", "https://bugzilla.redhat.com/show_bug.cgi?id=508738"], "cvelist": ["CVE-2009-1889"], "type": "nessus", "lastseen": "2017-10-29T13:36:19", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2009-1889"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "Several important bug fixes: - More fixes for Yahoo protocol 16 - MSN, MySpace, XMPP - CVE-2009-1889\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 1, "enchantments": {}, "hash": "4e3f22e474db4bccb3fc97f16591fd79e30f663b2126b060933c8d710aaabd44", "hashmap": [{"hash": "30f8a3cd16450f4fae9f6381156dd10d", "key": "modified"}, {"hash": "e50b1e391f09aaa638a27ae069222946", "key": "published"}, {"hash": "0b6b7be4a5e209f8ccda52cb38d058ae", "key": "description"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "92cfdcb25ec2f6092316e90e7e550d18", "key": "sourceData"}, {"hash": "3589c92fd117b5a6ac4ada6dd5539817", "key": "references"}, {"hash": "3b528c0ee5fc21a13c9d5702888829f5", "key": "pluginID"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "37b02e13470ff26423ac7bbd235c213d", "key": "href"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "ab3b922e29386b2ccfd734b919f52439", "key": "title"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "ece91f4c6375cd0db40fc92df53fad3f", "key": "cvelist"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=39610", "id": "FEDORA_2009-7370.NASL", "lastseen": "2016-09-26T17:24:03", "modified": "2016-05-20T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.2", "pluginID": "39610", "published": "2009-07-06T00:00:00", "references": ["http://www.nessus.org/u?53538681", "https://bugzilla.redhat.com/show_bug.cgi?id=508738"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-7370.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(39610);\n script_version (\"$Revision: 1.16 $\");\n script_cvs_date(\"$Date: 2016/05/20 13:54:17 
$\");\n\n script_cve_id(\"CVE-2009-1889\");\n script_bugtraq_id(35530);\n script_xref(name:\"FEDORA\", value:\"2009-7370\");\n\n script_name(english:\"Fedora 10 : pidgin-2.5.8-1.fc10 (2009-7370)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several important bug fixes: - More fixes for Yahoo protocol 16 - MSN,\nMySpace, XMPP - CVE-2009-1889\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=508738\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-July/026105.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?53538681\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected pidgin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/03\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"pidgin-2.5.8-1.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"pidgin\");\n}\n", "title": "Fedora 10 : pidgin-2.5.8-1.fc10 (2009-7370)", "type": "nessus", "viewCount": 0}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:24:03"}], "edition": 2, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": 
"cpe", "hash": "784773318457c2d31508c164de7fa407"}, {"key": "cvelist", "hash": "ece91f4c6375cd0db40fc92df53fad3f"}, {"key": "cvss", "hash": "84813b1457b92d6ba1174abffbb83a2f"}, {"key": "description", "hash": "0b6b7be4a5e209f8ccda52cb38d058ae"}, {"key": "href", "hash": "37b02e13470ff26423ac7bbd235c213d"}, {"key": "modified", "hash": "30f8a3cd16450f4fae9f6381156dd10d"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "3b528c0ee5fc21a13c9d5702888829f5"}, {"key": "published", "hash": "e50b1e391f09aaa638a27ae069222946"}, {"key": "references", "hash": "3589c92fd117b5a6ac4ada6dd5539817"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "92cfdcb25ec2f6092316e90e7e550d18"}, {"key": "title", "hash": "ab3b922e29386b2ccfd734b919f52439"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "f67357441fda251301fbf182b8034f784faa577e483631692cf155fcdd64ee4b", "viewCount": 0, "enchantments": {"vulnersScore": 2.1}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2009-7370.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(39610);\n script_version (\"$Revision: 1.16 $\");\n script_cvs_date(\"$Date: 2016/05/20 13:54:17 $\");\n\n script_cve_id(\"CVE-2009-1889\");\n script_bugtraq_id(35530);\n script_xref(name:\"FEDORA\", value:\"2009-7370\");\n\n script_name(english:\"Fedora 10 : pidgin-2.5.8-1.fc10 (2009-7370)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several important bug fixes: - More fixes for Yahoo protocol 16 - MSN,\nMySpace, XMPP - CVE-2009-1889\n\nNote that Tenable Network Security has 
extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=508738\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2009-July/026105.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?53538681\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected pidgin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_cwe_id(399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/07/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/07/06\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^10([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 10.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC10\", reference:\"pidgin-2.5.8-1.fc10\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"pidgin\");\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "39610", "cpe": ["cpe:/o:fedoraproject:fedora:10", "p-cpe:/a:fedoraproject:fedora:pidgin"]}
{"result": {"cve": [{"id": "CVE-2009-1889", "type": "cve", "title": "CVE-2009-1889", "description": "The OSCAR protocol implementation in Pidgin before 2.5.8 misinterprets the ICQWebMessage message type as the ICQSMS message type, which allows remote attackers to cause a denial of service (application crash) via a crafted ICQ web message that triggers allocation of a large amount of memory.", "published": "2009-07-01T09:00:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1889", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-09-29T14:26:38"}], "nessus": [{"id": "REDHAT-RHSA-2009-1139.NASL", "type": "nessus", "title": "RHEL 4 / 5 : pidgin (RHSA-2009:1139)", "description": "Updated pidgin packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for CommunicAtion in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems.\n\nA denial of service flaw was found in the Pidgin OSCAR protocol implementation. If a remote ICQ user sent a web message to a local Pidgin user using this protocol, it would cause excessive memory usage, leading to a denial of service (Pidgin crash). (CVE-2009-1889)\n\nThese updated packages also fix the following bug :\n\n* the Yahoo! Messenger Protocol changed, making it incompatible (and unusable) with Pidgin versions prior to 2.5.7. This update provides Pidgin 2.5.8, which implements version 16 of the Yahoo! Messenger Protocol, which resolves this issue.\n\nNote: These packages upgrade Pidgin to version 2.5.8. 
Refer to the Pidgin release notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users should upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.", "published": "2009-07-03T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=39598", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-10-29T13:33:10"}, {"id": "CENTOS_RHSA-2009-1139.NASL", "type": "nessus", "title": "CentOS 5 : pidgin (CESA-2009:1139)", "description": "Updated pidgin packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for CommunicAtion in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems.\n\nA denial of service flaw was found in the Pidgin OSCAR protocol implementation. If a remote ICQ user sent a web message to a local Pidgin user using this protocol, it would cause excessive memory usage, leading to a denial of service (Pidgin crash). (CVE-2009-1889)\n\nThese updated packages also fix the following bug :\n\n* the Yahoo! Messenger Protocol changed, making it incompatible (and unusable) with Pidgin versions prior to 2.5.7. This update provides Pidgin 2.5.8, which implements version 16 of the Yahoo! Messenger Protocol, which resolves this issue.\n\nNote: These packages upgrade Pidgin to version 2.5.8. Refer to the Pidgin release notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users should upgrade to these updated packages, which correct these issues. 
Pidgin must be restarted for this update to take effect.", "published": "2010-01-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=43766", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-10-29T13:41:27"}, {"id": "ORACLELINUX_ELSA-2009-1139.NASL", "type": "nessus", "title": "Oracle Linux 4 : pidgin (ELSA-2009-1139)", "description": "From Red Hat Security Advisory 2009:1139 :\n\nUpdated pidgin packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for CommunicAtion in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems.\n\nA denial of service flaw was found in the Pidgin OSCAR protocol implementation. If a remote ICQ user sent a web message to a local Pidgin user using this protocol, it would cause excessive memory usage, leading to a denial of service (Pidgin crash). (CVE-2009-1889)\n\nThese updated packages also fix the following bug :\n\n* the Yahoo! Messenger Protocol changed, making it incompatible (and unusable) with Pidgin versions prior to 2.5.7. This update provides Pidgin 2.5.8, which implements version 16 of the Yahoo! Messenger Protocol, which resolves this issue.\n\nNote: These packages upgrade Pidgin to version 2.5.8. Refer to the Pidgin release notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users should upgrade to these updated packages, which correct these issues. 
Pidgin must be restarted for this update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=67888", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-10-29T13:40:21"}, {"id": "FEDORA_2009-7359.NASL", "type": "nessus", "title": "Fedora 11 : pidgin-2.5.8-1.fc11 (2009-7359)", "description": "Several important bug fixes: - More fixes for Yahoo protocol 16 - MSN, MySpace, XMPP - CVE-2009-1889\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=39608", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-10-29T13:43:53"}, {"id": "FEDORA_2009-7415.NASL", "type": "nessus", "title": "Fedora 9 : pidgin-2.5.8-1.fc9 (2009-7415)", "description": "Several important bug fixes: - More fixes for Yahoo protocol 16 - MSN, MySpace, XMPP - CVE-2009-1889\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=39612", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-10-29T13:42:19"}, {"id": "UBUNTU_USN-796-1.NASL", "type": "nessus", "title": "Ubuntu 8.04 LTS / 8.10 / 9.04 : pidgin vulnerability (USN-796-1)", "description": "Yuriy Kaminskiy discovered that Pidgin did not properly handle certain messages in the ICQ protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2009-07-07T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=39619", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-10-29T13:41:14"}, {"id": "SL_20090702_PIDGIN_ON_SL4_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : pidgin on SL4.x, SL5.x i386/x86_64", "description": "A denial of service flaw was found in the Pidgin OSCAR protocol implementation. If a remote ICQ user sent a web message to a local Pidgin user using this protocol, it would cause excessive memory usage, leading to a denial of service (Pidgin crash). (CVE-2009-1889)\n\nThese updated packages also fix the following bug :\n\n - the Yahoo! Messenger Protocol changed, making it incompatible (and unusable) with Pidgin versions prior to 2.5.7. This update provides Pidgin 2.5.8, which implements version 16 of the Yahoo! 
Messenger Protocol, which resolves this issue.\n\nNote: These packages upgrade Pidgin to version 2.5.8.\n\nPidgin must be restarted for this update to take effect.", "published": "2012-08-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60612", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-10-29T13:41:27"}, {"id": "SUSE_GAIM-6350.NASL", "type": "nessus", "title": "SuSE 10 Security Update : gaim (ZYPP Patch Number 6350)", "description": "- malformed responses to file transfers could cause a buffer overflow in pidgin. (CVE-2009-1373)\n\n - the fix against integer overflows in the msn protocol handling was incomplete. (CVE-2009-1376)\n\n - certain ICQ message types could crash pidgin.\n (CVE-2009-1889)", "published": "2011-01-27T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=51744", "cvelist": ["CVE-2009-1376", "CVE-2009-1889", "CVE-2009-1373"], "lastseen": "2017-10-29T13:40:59"}, {"id": "SUSE_FINCH-6351.NASL", "type": "nessus", "title": "openSUSE 10 Security Update : finch (finch-6351)", "description": "Several bugfixes were done for the Instant Messenger Pidgin :\n\n - Malformed responses to file transfers could cause a buffer overflow in pidgin (CVE-2009-1373) and specially crafted packets could crash it (CVE-2009-1375).\n\n - The fix against integer overflows in the msn protocol handling was incomplete (CVE-2009-1376).\n\n - Fixed misparsing ICQ message as SMS DoS (CVE-2009-1889, Pidgin#9483).\n\nAlso the Yahoo IM protocol was made to work again.", "published": "2009-10-06T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=41999", "cvelist": ["CVE-2009-1376", "CVE-2009-1375", "CVE-2009-1889", 
"CVE-2009-1373"], "lastseen": "2017-10-29T13:43:16"}, {"id": "SUSE_11_FINCH-090709.NASL", "type": "nessus", "title": "SuSE 11 Security Update : pidgin (SAT Patch Number 1094)", "description": "Several bugfixes were done for the Instant Messenger Pidgin :\n\n - Malformed responses to file transfers could cause a buffer overflow in pidgin (CVE-2009-1373) and specially crafted packets could crash it. (CVE-2009-1375)\n\n - The fix against integer overflows in the msn protocol handling was incomplete. (CVE-2009-1376)\n\n - Fixed misparsing ICQ message as SMS DoS (CVE-2009-1889, Pidgin#9483). Also the Yahoo IM protocol was made to work again.", "published": "2009-09-24T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=41388", "cvelist": ["CVE-2009-1376", "CVE-2009-1375", "CVE-2009-1889", "CVE-2009-1373"], "lastseen": "2017-10-29T13:42:14"}], "seebug": [{"id": "SSV:11744", "type": "seebug", "title": "pidgin\u7279\u5236ICQ Web\u6d88\u606f\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "description": "BUGTRAQ ID: 35530\r\nCVE(CAN) ID: CVE-2009-1889\r\n\r\nPidgin\u662f\u652f\u6301\u591a\u79cd\u534f\u8bae\u7684\u5373\u65f6\u901a\u8baf\u5ba2\u6237\u7aef\u3002\r\n\r\nPidgin\u7684\u5b9e\u65f6\u901a\u8baf\u5f00\u653e\u7cfb\u7edf\uff08OSCAR\uff09\u534f\u8bae\u5b9e\u73b0\u4e2d\u5b58\u5728\u8d8a\u754c\u5185\u5b58\u8bbf\u95ee\u6f0f\u6d1e\u3002\u5982\u679c\u8fdc\u7a0bICQ\u7528\u6237\u5411\u4f7f\u7528\u8fd9\u4e2a\u534f\u8bae\u7684Pidgin\u7528\u6237\u53d1\u9001\u4e86\u7279\u5236web\u6d88\u606f\u7684\u8bdd\uff0c\u5c31\u4f1a\u5bfc\u81f4\u5206\u914d\u8fc7\u591a\u7684\u5185\u5b58\uff0c\u5ba2\u6237\u7aef\u53ef\u80fd\u4f1a\u5d29\u6e83\u3002\n\nPidgin < 
2.5.8\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nPidgin\r\n------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://developer.pidgin.im/ticket/9483", "published": "2009-07-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-11744", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-11-19T18:52:02"}], "openvas": [{"id": "OPENVAS:1361412562310880796", "type": "openvas", "title": "CentOS Update for finch CESA-2009:1139 centos5 i386", "description": "Check for the Version of finch", "published": "2011-08-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880796", "cvelist": ["CVE-2009-1889"], "lastseen": "2018-04-09T11:37:40"}, {"id": "OPENVAS:136141256231064353", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-7370 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory FEDORA-2009-7370.", "published": "2009-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064353", "cvelist": ["CVE-2009-1889"], "lastseen": "2018-04-06T11:37:16"}, {"id": "OPENVAS:64336", "type": "openvas", "title": "RedHat Security Advisory RHSA-2009:1139", "description": "The remote host is missing updates announced in\nadvisory RHSA-2009:1139.\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously. 
The AOL\nOpen System for CommunicAtion in Realtime (OSCAR) protocol is used by the\nAOL ICQ and AIM instant messaging systems.\n\nA denial of service flaw was found in the Pidgin OSCAR protocol\nimplementation. If a remote ICQ user sent a web message to a local Pidgin\nuser using this protocol, it would cause excessive memory usage, leading to\na denial of service (Pidgin crash). (CVE-2009-1889)\n\nThese updated packages also fix the following bug:\n\n* the Yahoo! Messenger Protocol changed, making it incompatible (and\nunusable) with Pidgin versions prior to 2.5.7. This update provides Pidgin\n2.5.8, which implements version 16 of the Yahoo! Messenger Protocol, which\nresolves this issue.\n\nNote: These packages upgrade Pidgin to version 2.5.8. Refer to the Pidgin\nrelease notes for a full list of changes:\n\nAll Pidgin users should upgrade to these updated packages, which correct\nthese issues. Pidgin must be restarted for this update to take effect.", "published": "2009-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64336", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-07-27T10:56:34"}, {"id": "OPENVAS:880796", "type": "openvas", "title": "CentOS Update for finch CESA-2009:1139 centos5 i386", "description": "Check for the Version of finch", "published": "2011-08-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=880796", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-07-25T10:55:49"}, {"id": "OPENVAS:1361412562310800824", "type": "openvas", "title": "Pidgin OSCAR Protocol Denial Of Service Vulnerability (Linux)", "description": "This host has installed Pidgin and is prone to Denial of Service\n vulnerability.", "published": "2009-07-03T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310800824", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-07-02T21:14:13"}, {"id": "OPENVAS:64351", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-7359 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory FEDORA-2009-7359.", "published": "2009-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64351", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-07-25T10:56:37"}, {"id": "OPENVAS:136141256231064351", "type": "openvas", "title": "Fedora Core 11 FEDORA-2009-7359 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory FEDORA-2009-7359.", "published": "2009-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231064351", "cvelist": ["CVE-2009-1889"], "lastseen": "2018-04-06T11:38:52"}, {"id": "OPENVAS:64353", "type": "openvas", "title": "Fedora Core 10 FEDORA-2009-7370 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory FEDORA-2009-7370.", "published": "2009-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64353", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-07-25T10:56:01"}, {"id": "OPENVAS:64382", "type": "openvas", "title": "Ubuntu USN-796-1 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory USN-796-1.", "published": "2009-07-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64382", "cvelist": ["CVE-2009-1889"], "lastseen": "2018-02-02T13:15:42"}, {"id": "OPENVAS:64355", "type": "openvas", "title": "Fedora Core 9 
FEDORA-2009-7415 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory FEDORA-2009-7415.", "published": "2009-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=64355", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-07-25T10:56:31"}], "centos": [{"id": "CESA-2009:1139", "type": "centos", "title": "finch, libpurple, pidgin security update", "description": "**CentOS Errata and Security Advisory** CESA-2009:1139\n\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously. The AOL\nOpen System for CommunicAtion in Realtime (OSCAR) protocol is used by the\nAOL ICQ and AIM instant messaging systems.\n\nA denial of service flaw was found in the Pidgin OSCAR protocol\nimplementation. If a remote ICQ user sent a web message to a local Pidgin\nuser using this protocol, it would cause excessive memory usage, leading to\na denial of service (Pidgin crash). (CVE-2009-1889)\n\nThese updated packages also fix the following bug:\n\n* the Yahoo! Messenger Protocol changed, making it incompatible (and\nunusable) with Pidgin versions prior to 2.5.7. This update provides Pidgin\n2.5.8, which implements version 16 of the Yahoo! Messenger Protocol, which\nresolves this issue.\n\nNote: These packages upgrade Pidgin to version 2.5.8. Refer to the Pidgin\nrelease notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users should upgrade to these updated packages, which correct\nthese issues. 
Pidgin must be restarted for this update to take effect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2009-July/016023.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-July/016024.html\n\n**Affected packages:**\nfinch\nfinch-devel\nlibpurple\nlibpurple-devel\nlibpurple-perl\nlibpurple-tcl\npidgin\npidgin-devel\npidgin-perl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2009-1139.html", "published": "2009-07-03T00:47:40", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2009-July/016023.html", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-10-03T18:24:25"}], "redhat": [{"id": "RHSA-2009:1139", "type": "redhat", "title": "(RHSA-2009:1139) Moderate: pidgin security and bug fix update", "description": "Pidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously. The AOL\nOpen System for CommunicAtion in Realtime (OSCAR) protocol is used by the\nAOL ICQ and AIM instant messaging systems.\n\nA denial of service flaw was found in the Pidgin OSCAR protocol\nimplementation. If a remote ICQ user sent a web message to a local Pidgin\nuser using this protocol, it would cause excessive memory usage, leading to\na denial of service (Pidgin crash). (CVE-2009-1889)\n\nThese updated packages also fix the following bug:\n\n* the Yahoo! Messenger Protocol changed, making it incompatible (and\nunusable) with Pidgin versions prior to 2.5.7. This update provides Pidgin\n2.5.8, which implements version 16 of the Yahoo! Messenger Protocol, which\nresolves this issue.\n\nNote: These packages upgrade Pidgin to version 2.5.8. Refer to the Pidgin\nrelease notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users should upgrade to these updated packages, which correct\nthese issues. 
Pidgin must be restarted for this update to take effect.", "published": "2009-07-02T04:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2009:1139", "cvelist": ["CVE-2009-1889"], "lastseen": "2017-09-09T07:19:46"}], "oraclelinux": [{"id": "ELSA-2009-1139", "type": "oraclelinux", "title": "pidgin security and bug fix update", "description": "[2.5.8-1]\n- 2.5.8 with several important bug fixes\n[2.5.7-2]\n- glib2 compat with RHEL-4\n[2.5.7-1]\n- 2.5.7 with Yahoo Protocol 16 support\n[2.5.6-1]\n- 2.5.6\n[2.5.5-3]\n- F12+ removed krb4", "published": "2009-07-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2009-1139.html", "cvelist": ["CVE-2009-1889"], "lastseen": "2016-09-04T11:15:58"}], "ubuntu": [{"id": "USN-796-1", "type": "ubuntu", "title": "Pidgin vulnerability", "description": "Yuriy Kaminskiy discovered that Pidgin did not properly handle certain messages in the ICQ protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash.", "published": "2009-07-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/796-1/", "cvelist": ["CVE-2009-1889"], "lastseen": "2018-03-29T18:21:28"}], "gentoo": [{"id": "GLSA-200910-02", "type": "gentoo", "title": "Pidgin: Multiple vulnerabilities", "description": "### Background\n\nPidgin is a client for a variety of instant messaging protocols. 
\n\n### Description\n\nMultiple vulnerabilities were found in Pidgin: \n\n * Yuriy Kaminskiy reported that the OSCAR protocol implementation in Pidgin misinterprets the ICQWebMessage message type as the ICQSMS message type, triggering an allocation of a large amount of memory (CVE-2009-1889).\n * Federico Muttis of Core Security Technologies reported that the msn_slplink_process_msg() function in libpurple/protocols/msn/slplink.c in libpurple as used in Pidgin doesn't properly process incoming SLP messages, triggering an overwrite of an arbitrary memory location (CVE-2009-2694). NOTE: This issue reportedly exists because of an incomplete fix for CVE-2009-1376 (GLSA 200905-07).\n * bugdave reported that protocols/jabber/auth.c in libpurple as used in Pidgin does not follow the \"require TSL/SSL\" preference when connecting to older Jabber servers that do not follow the XMPP specification, resulting in a connection to the server without the expected encryption (CVE-2009-3026).\n\n### Impact\n\nA remote attacker could send specially crafted SLP (via MSN) or ICQ web messages, possibly leading to execution of arbitrary code with the privileges of the user running Pidgin, unauthorized information disclosure, or a Denial of Service. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Pidgin users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-im/pidgin-2.5.9-r1\"", "published": "2009-10-22T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/200910-02", "cvelist": ["CVE-2009-1376", "CVE-2009-3026", "CVE-2009-1889", "CVE-2009-2694"], "lastseen": "2016-09-06T19:46:39"}]}}