ID OPENVAS:1361412562310862297 Type openvas Reporter Copyright (c) 2010 Greenbone Networks GmbH Modified 2018-01-19T00:00:00
Description
Check for the Version of pidgin
###############################################################################
# OpenVAS Vulnerability Test
#
# Fedora Update for pidgin FEDORA-2010-11315
#
# Authors:
# System Generated Check
#
# Copyright:
# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
include("revisions-lib.inc");

# Package/release covered by FEDORA-2010-11315 (reported in the "affected" tag).
tag_affected = "pidgin on Fedora 12";

# Product description reported in the "insight" tag.
tag_insight = "Pidgin allows you to talk to anyone using a variety of messaging
protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu,
ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and
Zephyr. These protocols are implemented using a modular, easy to
use design. To use a protocol, just add an account using the
account editor.
Pidgin supports many common features of other clients, as well as many
unique features, such as perl scripting, TCL scripting and C plugins.
Pidgin is not affiliated with or endorsed by America Online, Inc.,
Microsoft Corporation, Yahoo! Inc., or ICQ Inc.";

# Remediation text reported in the "solution" tag; the fix is the vendor update.
tag_solution = "Please Install the Updated Packages.";
if(description)
{
  # Identity and revision bookkeeping.
  script_oid("1.3.6.1.4.1.25623.1.0.862297");
  script_version("$Revision: 8469 $");
  script_tag(name:"creation_date", value:"2010-08-02 12:38:17 +0200 (Mon, 02 Aug 2010)");
  script_tag(name:"last_modification", value:"$Date: 2018-01-19 08:58:21 +0100 (Fri, 19 Jan 2018) $");

  # Advisory this test tracks and the CVEs it resolves.
  script_name("Fedora Update for pidgin FEDORA-2010-11315");
  script_cve_id("CVE-2010-2528", "CVE-2010-1624", "CVE-2010-0277", "CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0013");
  script_xref(name:"FEDORA", value:"2010-11315");
  script_xref(name:"URL", value:"http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044628.html");

  # Severity is a single advisory-wide vector (availability impact only). Note that
  # CVE-2010-0013 in the list above is a directory-traversal file-read issue with a
  # confidentiality impact that this aggregate vector does not express; triage
  # accordingly rather than relying on the A:P-only reading.
  script_tag(name:"cvss_base", value:"5.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:N/I:N/A:P");

  # Scheduling and prerequisites: a local package-version check, so it needs an
  # SSH login on a Fedora host and the rpm list gathered by gather-package-list.nasl.
  script_category(ACT_GATHER_INFO);
  script_family("Fedora Local Security Checks");
  script_copyright("Copyright (c) 2010 Greenbone Networks GmbH");
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/fedora", "ssh/login/rpms");

  # Report text. qod_type "package" marks this as a version comparison, not an
  # active probe of the flaw.
  script_tag(name:"summary", value:"Check for the Version of pidgin");
  script_tag(name:"affected", value:tag_affected);
  script_tag(name:"insight", value:tag_insight);
  script_tag(name:"solution", value:tag_solution);
  script_tag(name:"solution_type", value:"VendorFix");
  script_tag(name:"qod_type", value:"package");

  exit(0);
}
include("pkg-lib-rpm.inc");

# Only hosts whose SSH-collected release string is Fedora 12 are in scope;
# a missing key or any other release ends the script without a result.
release = get_kb_item("ssh/login/release");
if(release == NULL) exit(0);
if(release != "FC12") exit(0);

# Compare the installed pidgin rpm with the fixed build shipped by
# FEDORA-2010-11315. isrpmvuln() is expected to return a non-NULL report
# string when the installed build is vulnerable (see pkg-lib-rpm.inc).
res = isrpmvuln(pkg:"pidgin", rpm:"pidgin~2.7.2~1.fc12", rls:"FC12");
if(res != NULL)
{
  security_message(data:res);
  exit(0);
}

# __pkg_match is maintained by pkg-lib-rpm.inc (presumably set once the package
# was seen installed -- confirm there); exit(99) then records an explicit
# "not vulnerable" outcome instead of a silent end.
if(__pkg_match) exit(99); # Not vulnerable.
exit(0);
{"id": "OPENVAS:1361412562310862297", "bulletinFamily": "scanner", "title": "Fedora Update for pidgin FEDORA-2010-11315", "description": "Check for the Version of pidgin", "published": "2010-08-02T00:00:00", "modified": "2018-01-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862297", "reporter": "Copyright (c) 2010 Greenbone Networks GmbH", "references": ["http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044628.html", "2010-11315"], "cvelist": ["CVE-2010-0420", "CVE-2010-1624", "CVE-2010-0013", "CVE-2010-0423", "CVE-2010-0277", "CVE-2010-2528"], "type": "openvas", "lastseen": "2018-01-19T15:05:23", "history": [], "edition": 1, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "3658421793d2f5b363bbda9c74eb8ca2"}, {"key": "cvss", "hash": "84813b1457b92d6ba1174abffbb83a2f"}, {"key": "description", "hash": "acc9b66136f23b6a0c0cbb5dc734c6d4"}, {"key": "href", "hash": "9f66d7be50ef5aa24b1efc7026531db3"}, {"key": "modified", "hash": "8acef1c33f73aafdb7cffe84eda8c2b1"}, {"key": "naslFamily", "hash": "be931514784f88df80712740ad2723e7"}, {"key": "pluginID", "hash": "bfcfc88f853c73b937576ae054875f72"}, {"key": "published", "hash": "40f37fe8cb81012fec588dd007656635"}, {"key": "references", "hash": "d89b406ca56396b14c248f5d5c077cc2"}, {"key": "reporter", "hash": "82db6d7eefdc19955bb78be9fb178ae1"}, {"key": "sourceData", "hash": "d4d6760ee43ebed594db484565d71010"}, {"key": "title", "hash": "ac2839b5abf6fb86929b8a1257de32e0"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "51488b9b22a673d30dcd75597e830c06ef04f65dc8a9e7dde2704ab3b8378ed5", "viewCount": 0, "enchantments": {"vulnersScore": 9.0}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for 
pidgin FEDORA-2010-11315\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Pidgin allows you to talk to anyone using a variety of messaging\n protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu,\n ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and\n Zephyr. These protocols are implemented using a modular, easy to\n use design. To use a protocol, just add an account using the\n account editor.\n\n Pidgin supports many common features of other clients, as well as many\n unique features, such as perl scripting, TCL scripting and C plugins.\n \n Pidgin is not affiliated with or endorsed by America Online, Inc.,\n Microsoft Corporation, Yahoo! 
Inc., or ICQ Inc.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"pidgin on Fedora 12\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2010-July/044628.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862297\");\n script_version(\"$Revision: 8469 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-19 08:58:21 +0100 (Fri, 19 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-08-02 12:38:17 +0200 (Mon, 02 Aug 2010)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_xref(name: \"FEDORA\", value: \"2010-11315\");\n script_cve_id(\"CVE-2010-2528\", \"CVE-2010-1624\", \"CVE-2010-0277\", \"CVE-2010-0420\", \"CVE-2010-0423\", \"CVE-2010-0013\");\n script_name(\"Fedora Update for pidgin FEDORA-2010-11315\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of pidgin\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC12\")\n{\n\n if ((res = isrpmvuln(pkg:\"pidgin\", rpm:\"pidgin~2.7.2~1.fc12\", rls:\"FC12\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "naslFamily": "Fedora Local 
Security Checks", "pluginID": "1361412562310862297"}
{"result": {"cve": [{"id": "CVE-2010-0420", "type": "cve", "title": "CVE-2010-0420", "description": "libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing <br> sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname.", "published": "2010-02-24T13:30:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0420", "cvelist": ["CVE-2010-0420"], "lastseen": "2017-09-19T13:36:51"}, {"id": "CVE-2010-1624", "type": "cve", "title": "CVE-2010-1624", "description": "The msn_emoticon_msg function in slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.7.0 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via a custom emoticon in a malformed SLP message.", "published": "2010-05-14T15:30:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1624", "cvelist": ["CVE-2010-1624"], "lastseen": "2017-09-19T13:36:56"}, {"id": "CVE-2010-0013", "type": "cve", "title": "CVE-2010-0013", "description": "Directory traversal vulnerability in slp.c in the MSN protocol plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows remote attackers to read arbitrary files via a .. (dot dot) in an application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request, a related issue to CVE-2004-0122. 
NOTE: it could be argued that this is resultant from a vulnerability in which an emoticon download request is processed even without a preceding text/x-mms-emoticon message that announced availability of the emoticon.", "published": "2010-01-09T13:30:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0013", "cvelist": ["CVE-2010-0013"], "lastseen": "2017-09-19T13:36:49"}, {"id": "CVE-2010-0423", "type": "cve", "title": "CVE-2010-0423", "description": "gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.", "published": "2010-02-24T13:30:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0423", "cvelist": ["CVE-2010-0423"], "lastseen": "2017-09-19T13:36:51"}, {"id": "CVE-2010-0277", "type": "cve", "title": "CVE-2010-0277", "description": "slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.", "published": "2010-01-09T13:30:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0277", "cvelist": ["CVE-2010-0277"], "lastseen": "2017-09-19T13:36:50"}, {"id": "CVE-2010-2528", "type": "cve", "title": "CVE-2010-2528", "description": "The clientautoresp function in family_icbm.c in the oscar protocol plugin in libpurple in Pidgin before 2.7.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and application crash) via an 
X-Status message that lacks the expected end tag for a (1) desc or (2) title element.", "published": "2010-07-30T09:26:15", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2528", "cvelist": ["CVE-2010-2528"], "lastseen": "2017-09-19T13:37:00"}], "openvas": [{"id": "OPENVAS:68661", "type": "openvas", "title": "Debian Security Advisory DSA 2038-3 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-3.", "published": "2011-01-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=68661", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "lastseen": "2017-07-24T12:55:42"}, {"id": "OPENVAS:67400", "type": "openvas", "title": "Debian Security Advisory DSA 2038-2 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-2.", "published": "2010-06-03T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=67400", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "lastseen": "2017-07-24T12:49:07"}, {"id": "OPENVAS:67339", "type": "openvas", "title": "Debian Security Advisory DSA 2038-1 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-1.", "published": "2010-05-04T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=67339", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "lastseen": "2017-07-24T12:49:09"}, {"id": "OPENVAS:136141256231067400", "type": "openvas", "title": "Debian Security Advisory DSA 2038-2 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-2.", "published": 
"2010-06-03T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067400", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "lastseen": "2018-01-18T11:04:40"}, {"id": "OPENVAS:136141256231068661", "type": "openvas", "title": "Debian Security Advisory DSA 2038-3 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-3.", "published": "2011-01-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231068661", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "lastseen": "2018-04-06T11:36:12"}, {"id": "OPENVAS:136141256231067339", "type": "openvas", "title": "Debian Security Advisory DSA 2038-1 (pidgin)", "description": "The remote host is missing an update to pidgin\nannounced via advisory DSA 2038-1.", "published": "2010-05-04T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=136141256231067339", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "lastseen": "2018-01-26T11:05:31"}, {"id": "OPENVAS:880665", "type": "openvas", "title": "CentOS Update for finch CESA-2010:0115 centos5 i386", "description": "Check for the Version of finch", "published": "2011-08-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=880665", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-07-25T10:55:22"}, {"id": "OPENVAS:830882", "type": "openvas", "title": "Mandriva Update for pidgin MDVSA-2010:041 (pidgin)", "description": "Check for the Version of pidgin", "published": "2010-02-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=830882", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-12-15T11:58:04"}, {"id": "OPENVAS:1361412562310830882", "type": "openvas", "title": "Mandriva Update for pidgin MDVSA-2010:041 (pidgin)", "description": "Check for the Version of pidgin", "published": "2010-02-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310830882", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2018-01-02T10:54:35"}, {"id": "OPENVAS:840393", "type": "openvas", "title": "Ubuntu Update for pidgin vulnerabilities USN-902-1", "description": "Ubuntu Update for Linux kernel vulnerabilities USN-902-1", "published": "2010-03-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=840393", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-12-04T11:17:30"}], "nessus": [{"id": "DEBIAN_DSA-2038.NASL", "type": "nessus", "title": "Debian DSA-2038-1 : pidgin - several vulnerabilities", "description": "Several remote vulnerabilities have been discovered in Pidgin, a multi protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems :\n\n - CVE-2010-0420 Crafted nicknames in the XMPP protocol can crash Pidgin remotely.\n\n - CVE-2010-0423 Remote contacts may send too many custom smilies, crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. 
Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org.", "published": "2010-04-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=45560", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "lastseen": "2017-10-29T13:41:36"}, {"id": "SL_20100218_PIDGIN_ON_SL4_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : pidgin on SL4.x, SL5.x i386/x86_64", "description": "CVE-2010-0277 pidgin MSN protocol plugin memory corruption\n\nCVE-2010-0420 pidgin: Finch XMPP MUC Crash\n\nCVE-2010-0423 pidgin: Smiley Denial of Service\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420)\n\nA denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. 
(CVE-2010-0423)\n\nPidgin must be restarted for this update to take effect.", "published": "2012-08-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=60738", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-10-29T13:33:24"}, {"id": "UBUNTU_USN-902-1.NASL", "type": "nessus", "title": "Ubuntu 8.04 LTS / 8.10 / 9.04 / 9.10 : pidgin vulnerabilities (USN-902-1)", "description": "Fabian Yamaguchi discovered that Pidgin incorrectly validated all fields of an incoming message in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0277)\n\nSadrul Habib Chowdhury discovered that Pidgin incorrectly handled certain nicknames in Finch group chat rooms. A remote attacker could use a specially crafted nickname and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0420)\n\nAntti Hayrynen discovered that Pidgin incorrectly handled large numbers of smileys. A remote attacker could send a specially crafted message and cause Pidgin to become unresponsive, leading to a denial of service. (CVE-2010-0423).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2010-02-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=44688", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-10-29T13:42:47"}, {"id": "ORACLELINUX_ELSA-2010-0115.NASL", "type": "nessus", "title": "Oracle Linux 4 : pidgin (ELSA-2010-0115)", "description": "From Red Hat Security Advisory 2010:0115 :\n\nUpdated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. (CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. 
Refer to the Pidgin release notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68001", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-10-29T13:32:47"}, {"id": "FREEBSD_PKG_A2C4D3D54C7B11DF83FB0015587E2CC1.NASL", "type": "nessus", "title": "FreeBSD : pidgin -- multiple remote denial of service vulnerabilities (a2c4d3d5-4c7b-11df-83fb-0015587e2cc1)", "description": "Three denial of service vulnerabilities where found in pidgin and allow remote attackers to crash the application. The developers summarized these problems as follows :\n\nPidgin can become unresponsive when displaying large numbers of smileys\n\nCertain nicknames in group chat rooms can trigger a crash in Finch\n\nFailure to validate all fields of an incoming message can trigger a crash", "published": "2010-04-21T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=45585", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-10-29T13:40:53"}, {"id": "SLACKWARE_SSA_2010-069-01.NASL", "type": "nessus", "title": "Slackware 12.0 / 12.1 / 12.2 / 13.0 / current : pidgin (SSA:2010-069-01)", "description": "New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, and -current to fix denial of service issues.", "published": "2010-03-11T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=45024", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", 
"CVE-2010-0277"], "lastseen": "2017-10-29T13:34:46"}, {"id": "FEDORA_2010-1934.NASL", "type": "nessus", "title": "Fedora 13 : pidgin-2.6.6-1.fc13 (2010-1934)", "description": "2.6.6 with security and numerous minor bug fixes CVE-2010-0277 CVE-2010-0420 CVE-2010-0423\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2010-07-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=47286", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-10-29T13:38:32"}, {"id": "CENTOS_RHSA-2010-0115.NASL", "type": "nessus", "title": "CentOS 4 / 5 : pidgin (CESA-2010:0115)", "description": "Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. 
(CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.", "published": "2010-02-22T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=44671", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-10-29T13:36:03"}, {"id": "REDHAT-RHSA-2010-0115.NASL", "type": "nessus", "title": "RHEL 4 / 5 : pidgin (RHSA-2010:0115)", "description": "Updated pidgin packages that fix three security issues are now available for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having moderate security impact by the Red Hat Security Response Team.\n\nPidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol implementation handled MSNSLP invitations. A remote attacker could send a specially crafted INVITE request that would cause a denial of service (memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation, when using multi-user chat. If a Finch user in a multi-user chat session were to change their nickname to contain the HTML 'br' element, it would cause Finch to crash. 
(CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project for responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed emoticon images. A remote attacker could flood the victim with emoticon images during mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release notes for a full list of changes:\nhttp://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.", "published": "2010-02-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=44666", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-10-29T13:46:08"}, {"id": "MANDRIVA_MDVSA-2010-041.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : pidgin (MDVSA-2010:041)", "description": "Multiple security vulnerabilities has been identified and fixed in pidgin :\n\nCertain malformed SLP messages can trigger a crash because the MSN protocol plugin fails to check that all pieces of the message are set correctly (CVE-2010-0277).\n\nIn a user in a multi-user chat room has a nickname containing '<br>' then libpurple ends up having two users with username ' ' in the room, and Finch crashes in this situation. We do not believe there is a possibility of remote code execution (CVE-2010-0420).\n\noCERT notified us about a problem in Pidgin, where a large amount of processing time will be used when inserting many smileys into an IM or chat window. 
This should not cause a crash, but Pidgin can become unusable slow (CVE-2010-0423).\n\nPackages for 2008.0 are provided for Corporate Desktop 2008.0 customers.\n\nThis update provides pidgin 2.6.6, which is not vulnerable to these issues.", "published": "2010-02-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=44664", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-10-29T13:36:33"}], "debian": [{"id": "DSA-2038", "type": "debian", "title": "pidgin -- several vulnerabilities", "description": "Several remote vulnerabilities have been discovered in Pidgin, a multi protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems:\n\n * [CVE-2010-0420](<https://security-tracker.debian.org/tracker/CVE-2010-0420>)\n\nCrafted nicknames in the XMPP protocol can crash Pidgin remotely.\n\n * [CVE-2010-0423](<https://security-tracker.debian.org/tracker/CVE-2010-0423>)\n\nRemote contacts may send too many custom smilies, crashing Pidgin.\n\nSince a few months, Microsoft's servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. 
Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org.\n\nFor the stable distribution (lenny), these problems have been fixed in version 2.4.3-4lenny6.\n\nFor the unstable distribution (sid), these problems have been fixed in version 2.6.6-1.\n\nWe recommend that you upgrade your pidgin package.", "published": "2010-04-18T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-2038", "cvelist": ["CVE-2010-0420", "CVE-2010-0423"], "lastseen": "2016-09-02T18:25:21"}], "freebsd": [{"id": "A2C4D3D5-4C7B-11DF-83FB-0015587E2CC1", "type": "freebsd", "title": "pidgin -- multiple remote denial of service vulnerabilities", "description": "\nThree denial of service vulnerabilities were found in\n\t pidgin and allow remote attackers to crash the application.\n\t The developers summarized these problems as follows:\n\nPidgin can become unresponsive when displaying large\n\t numbers of smileys\n\n\nCertain nicknames in group chat rooms can trigger a\n\t crash in Finch\n\n\nFailure to validate all fields of an incoming message\n\t can trigger a crash\n\n", "published": "2010-02-18T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/a2c4d3d5-4c7b-11df-83fb-0015587e2cc1.html", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2016-09-26T17:24:49"}], "oraclelinux": [{"id": "ELSA-2010-0115", "type": "oraclelinux", "title": "pidgin security update", "description": "[2.6.6-1]\n- 2.6.6 with security and numerous minor bug fixes\n CVE-2010-0277 CVE-2010-0420 CVE-2010-0423\n- Bug #528796: Get rid of #!/usr/bin/env python ", "published": "2010-02-18T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2010-0115.html", "cvelist": ["CVE-2010-0420", 
"CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2016-09-04T11:16:36"}, {"id": "ELSA-2010-0788", "type": "oraclelinux", "title": "pidgin security update", "description": "[2.6.6-5]\n- Add patch for CVE-2010-1624 (RH bug #644153).\n[2.6.6-4]\n- Initial patch for CVE-2010-3711 was incomplete. Here's the rest.\n[2.6.6-3]\n- Add patch for CVE-2010-3711 (RH bug #644153). ", "published": "2010-10-21T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2010-0788.html", "cvelist": ["CVE-2010-1624", "CVE-2010-3711"], "lastseen": "2016-09-04T11:17:14"}, {"id": "ELSA-2011-0616", "type": "oraclelinux", "title": "pidgin security and bug fix update", "description": "[2.7.9-3.el6]\n- Add patch for RH bug #684685 (zero-out crypto keys before freeing).\n[2.7.9-2.el6]\n- Add patch for CVE-2011-1091 (RH bug #683031).\n[2.7.9-1.el6]\n- Update to 2.7.9 (RH bug #616917).\n- Remove patches now included upstream:\n pidgin-2.6.6-clientLogin-proxy-fix.patch\n pidgin-2.6.6-clientLogin-use-https.patch\n pidgin-2.6.6-CVE-2010-1624.patch\n pidgin-2.6.6-CVE-2010-3711.patch\n- Disable the translation updates patch. It doesn't apply anymore and\n will have to be redone. 
Saving the patch for now in case some parts\n are still useful to translators.", "published": "2011-05-28T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2011-0616.html", "cvelist": ["CVE-2011-1091", "CVE-2010-1624", "CVE-2011-4922", "CVE-2010-3711"], "lastseen": "2016-09-04T11:16:39"}, {"id": "ELSA-2010-0044", "type": "oraclelinux", "title": "pidgin security update", "description": "[2.6.5-1.el4.1]\n- 2.6.5\n- CVE-2010-0013\n- Other bug fixes\n- build with old gcc\n[2.6.4-4]\n- temporarily disable evolution integration in F13 until it is fixed\n[2.6.4-2]\n- disable SILC in EL6 builds\n[2.6.4-1]\n- 2.6.4 ", "published": "2010-01-14T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2010-0044.html", "cvelist": ["CVE-2010-0013"], "lastseen": "2016-09-04T11:16:42"}], "redhat": [{"id": "RHSA-2010:0115", "type": "redhat", "title": "(RHSA-2010:0115) Moderate: pidgin security update", "description": "Pidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol\nimplementation handled MSNSLP invitations. A remote attacker could send a\nspecially-crafted INVITE request that would cause a denial of service\n(memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation,\nwhen using multi-user chat. If a Finch user in a multi-user chat session\nwere to change their nickname to contain the HTML \"br\" element, it would\ncause Finch to crash. (CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project\nfor responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed emoticon\nimages. 
A remote attacker could flood the victim with emoticon images\nduring mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release\nnotes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages, which\ncorrect these issues. Pidgin must be restarted for this update to take\neffect.", "published": "2010-02-18T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2010:0115", "cvelist": ["CVE-2010-0277", "CVE-2010-0420", "CVE-2010-0423"], "lastseen": "2017-09-08T08:04:23"}, {"id": "RHSA-2010:0788", "type": "redhat", "title": "(RHSA-2010:0788) Moderate: pidgin security update", "description": "Pidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nMultiple NULL pointer dereference flaws were found in the way Pidgin\nhandled Base64 decoding. A remote attacker could use these flaws to crash\nPidgin if the target Pidgin user was using the Yahoo! Messenger Protocol,\nMSN, MySpace, or Extensible Messaging and Presence Protocol (XMPP) protocol\nplug-ins, or using the Microsoft NT LAN Manager (NTLM) protocol for\nauthentication. (CVE-2010-3711)\n\nA NULL pointer dereference flaw was found in the way the Pidgin MSN\nprotocol plug-in processed custom emoticon messages. A remote attacker\ncould use this flaw to crash Pidgin by sending specially-crafted emoticon\nmessages during mutual communication. 
(CVE-2010-1624)\n\nRed Hat would like to thank the Pidgin project for reporting these issues.\nUpstream acknowledges Daniel Atallah as the original reporter of\nCVE-2010-3711, and Pierre Nogues of Meta Security as the original reporter\nof CVE-2010-1624.\n\nAll Pidgin users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. Pidgin must be restarted for\nthis update to take effect.\n", "published": "2010-10-21T04:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2010:0788", "cvelist": ["CVE-2010-1624", "CVE-2010-3711"], "lastseen": "2017-09-09T07:20:04"}, {"id": "RHSA-2010:0044", "type": "redhat", "title": "(RHSA-2010:0044) Important: pidgin security update", "description": "Pidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nA directory traversal flaw was discovered in Pidgin's MSN protocol\nimplementation. A remote attacker could send a specially-crafted emoticon\nimage download request that would cause Pidgin to disclose an arbitrary\nfile readable to the user running Pidgin. (CVE-2010-0013)\n\nThese packages upgrade Pidgin to version 2.6.5. Refer to the Pidgin release\nnotes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users should upgrade to these updated packages, which correct\nthis issue. 
Pidgin must be restarted for this update to take effect.", "published": "2010-01-14T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2010:0044", "cvelist": ["CVE-2010-0013"], "lastseen": "2017-09-09T07:19:54"}], "seebug": [{"id": "SSV:19202", "type": "seebug", "title": "Pidgin\u591a\u4e2a\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e", "description": "BUGTRAQ ID: 38294\r\nCVE ID: CVE-2010-0277,CVE-2010-0420,CVE-2010-0423\r\n\r\nPidgin\u662f\u652f\u6301\u591a\u79cd\u534f\u8bae\u7684\u5373\u65f6\u901a\u8baf\u5ba2\u6237\u7aef\u3002\r\n\r\nPidgin\u7684MSN\u534f\u8bae\u5b9e\u73b0\u5904\u7406MSNSLP\u9080\u8bf7\u7684\u65b9\u5f0f\u5b58\u5728\u8f93\u5165\u8fc7\u6ee4\u6f0f\u6d1e\uff0c\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u53d1\u9001\u7279\u5236\u7684INVITE\u8bf7\u6c42\u5bfc\u81f4\u62d2\u7edd\u670d\u52a1\uff08\u5185\u5b58\u7834\u574f\u548c Pidgin\u5d29\u6e83\uff09\u3002\r\n\r\nFinch\u7684XMPP\u804a\u5929\u5b9e\u73b0\u5728\u4f7f\u7528\u591a\u7528\u6237\u4f1a\u8bdd\u65f6\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u5982\u679c\u591a\u7528\u6237\u804a\u5929\u4f1a\u8bdd\u4e2d\u7684Finch\u7528\u6237\u8981\u5c06\u6635\u79f0\u66f4\u6539\u4e3a\u5305\u542b\u6709HTML br\u5143\u7d20\uff0c\u5c31\u4f1a\u5bfc\u81f4Finch\u5d29\u6e83\u3002\r\n\r\nPidgin\u5904\u7406\u8868\u60c5\u7b26\u56fe\u5f62\u7684\u65b9\u5f0f\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u76f8\u4e92\u901a\u8baf\u4e2d\u5411\u53d7\u5bb3\u7528\u6237\u53d1\u9001\u5927\u91cf\u7684\u8868\u60c5\u7b26\u56fe\u5f62\uff0c\u5bfc\u81f4\u8fc7\u591a\u7684CPU\u4f7f\u7528\u7387\u3002\n\nPidgin < 2.6.6\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nRedHat\r\n------\r\nRedHat\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08RHSA-2010:0115-01\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nRHSA-2010:0115-01\uff1aModerate: pidgin security 
update\r\n\u94fe\u63a5\uff1ahttps://www.redhat.com/support/errata/RHSA-2010-0115.html\r\n\r\nPidgin\r\n------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://developer.pidgin.im/wiki/ChangeLog", "published": "2010-03-02T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-19202", "cvelist": ["CVE-2010-0277", "CVE-2010-0420", "CVE-2010-0423"], "lastseen": "2017-11-19T18:13:59"}, {"id": "SSV:67539", "type": "seebug", "title": "Pidgin MSN <= 2.6.4 File Download Vulnerability", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.seebug.org/vuldb/ssvid-67539", "cvelist": ["CVE-2010-0013"], "lastseen": "2017-11-19T12:19:02"}], "centos": [{"id": "CESA-2010:0115", "type": "centos", "title": "finch, libpurple, pidgin security update", "description": "**CentOS Errata and Security Advisory** CESA-2010:0115\n\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nAn input sanitization flaw was found in the way Pidgin's MSN protocol\nimplementation handled MSNSLP invitations. A remote attacker could send a\nspecially-crafted INVITE request that would cause a denial of service\n(memory corruption and Pidgin crash). (CVE-2010-0277)\n\nA denial of service flaw was found in Finch's XMPP chat implementation,\nwhen using multi-user chat. If a Finch user in a multi-user chat session\nwere to change their nickname to contain the HTML \"br\" element, it would\ncause Finch to crash. 
(CVE-2010-0420)\n\nRed Hat would like to thank Sadrul Habib Chowdhury of the Pidgin project\nfor responsibly reporting the CVE-2010-0420 issue.\n\nA denial of service flaw was found in the way Pidgin processed emoticon\nimages. A remote attacker could flood the victim with emoticon images\nduring mutual communication, leading to excessive CPU use. (CVE-2010-0423)\n\nThese packages upgrade Pidgin to version 2.6.6. Refer to the Pidgin release\nnotes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users are advised to upgrade to these updated packages, which\ncorrect these issues. Pidgin must be restarted for this update to take\neffect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-February/016511.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-February/016512.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-February/016523.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-February/016524.html\n\n**Affected packages:**\nfinch\nfinch-devel\nlibpurple\nlibpurple-devel\nlibpurple-perl\nlibpurple-tcl\npidgin\npidgin-devel\npidgin-perl\n\n**Upstream details at:**\n\nhttps://rhn.redhat.com/errata/RHSA-2010-0115.html", "published": "2010-02-20T00:04:47", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2010-February/016511.html", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2017-10-03T18:24:33"}, {"id": "CESA-2010:0788", "type": "centos", "title": "finch, libpurple, pidgin security update", "description": "**CentOS Errata and Security Advisory** CESA-2010:0788\n\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nMultiple NULL pointer dereference flaws were found in the way Pidgin\nhandled Base64 decoding. 
A remote attacker could use these flaws to crash\nPidgin if the target Pidgin user was using the Yahoo! Messenger Protocol,\nMSN, MySpace, or Extensible Messaging and Presence Protocol (XMPP) protocol\nplug-ins, or using the Microsoft NT LAN Manager (NTLM) protocol for\nauthentication. (CVE-2010-3711)\n\nA NULL pointer dereference flaw was found in the way the Pidgin MSN\nprotocol plug-in processed custom emoticon messages. A remote attacker\ncould use this flaw to crash Pidgin by sending specially-crafted emoticon\nmessages during mutual communication. (CVE-2010-1624)\n\nRed Hat would like to thank the Pidgin project for reporting these issues.\nUpstream acknowledges Daniel Atallah as the original reporter of\nCVE-2010-3711, and Pierre Nogues of Meta Security as the original reporter\nof CVE-2010-1624.\n\nAll Pidgin users should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. Pidgin must be restarted for\nthis update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-October/017101.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-October/017102.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-October/017117.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-October/017118.html\n\n**Affected packages:**\nfinch\nfinch-devel\nlibpurple\nlibpurple-devel\nlibpurple-perl\nlibpurple-tcl\npidgin\npidgin-devel\npidgin-perl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2010-0788.html", "published": "2010-10-21T18:51:36", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2010-October/017101.html", "cvelist": ["CVE-2010-1624", "CVE-2010-3711"], "lastseen": "2017-10-03T18:25:07"}, {"id": "CESA-2010:0044", "type": "centos", "title": "finch, libpurple, pidgin security update", "description": "**CentOS Errata and 
Security Advisory** CESA-2010:0044\n\n\nPidgin is an instant messaging program which can log in to multiple\naccounts on multiple instant messaging networks simultaneously.\n\nA directory traversal flaw was discovered in Pidgin's MSN protocol\nimplementation. A remote attacker could send a specially-crafted emoticon\nimage download request that would cause Pidgin to disclose an arbitrary\nfile readable to the user running Pidgin. (CVE-2010-0013)\n\nThese packages upgrade Pidgin to version 2.6.5. Refer to the Pidgin release\nnotes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog\n\nAll Pidgin users should upgrade to these updated packages, which correct\nthis issue. Pidgin must be restarted for this update to take effect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2010-January/016447.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-January/016448.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-January/016465.html\nhttp://lists.centos.org/pipermail/centos-announce/2010-January/016466.html\n\n**Affected packages:**\nfinch\nfinch-devel\nlibpurple\nlibpurple-devel\nlibpurple-perl\nlibpurple-tcl\npidgin\npidgin-devel\npidgin-perl\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2010-0044.html", "published": "2010-01-14T21:33:39", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2010-January/016447.html", "cvelist": ["CVE-2010-0013"], "lastseen": "2017-10-03T18:24:57"}], "slackware": [{"id": "SSA-2010-069-01", "type": "slackware", "title": "pidgin", "description": "New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0,\nand -current to fix denial of service issues.\n\nMore details about the issues may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277\n 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423\n\n\nHere are the details from the Slackware 13.0 ChangeLog:\n\npatches/packages/pidgin-2.6.6-i486-1_slack13.0.txz: Upgraded.\n This fixes a few denial-of-service flaws as well as other bugs.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.6.6-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/pidgin-2.6.6-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/pidgin-2.6.6-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/pidgin-2.6.6-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/pidgin-2.6.6-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.6.6-i486-1.txz\n\nUpdated package for Slackware x86_64 
-current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/pidgin-2.6.6-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.0 package:\nab0bdf3a3de12e14973e603f812cb0de pidgin-2.6.6-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\nf84d789da03ce5e6481c9e04481913a6 pidgin-2.6.6-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\n788ed01f917aa0bfca365e9f77a3490e pidgin-2.6.6-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\nc8456f8e3c9fb456afcb49871c557e9f pidgin-2.6.6-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n80baaeb8cb042fab6c9764b491c3ebd1 pidgin-2.6.6-x86_64-1_slack13.0.txz\n\nSlackware -current package:\n5ddf6032d36ba29d5ae14ecaedbab88f pidgin-2.6.6-i486-1.txz\n\nSlackware x86_64 -current package:\n451919ccd63ef9aa4245dbe1afb27587 pidgin-2.6.6-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg pidgin-2.6.6-i486-1_slack13.0.txz", "published": "2010-03-10T18:17:44", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.458630", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2018-02-02T18:11:34"}, {"id": "SSA-2010-138-01", "type": "slackware", "title": "pidgin", "description": "New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0,\nand -current to fix a security issue.\n\n\nHere are the details from the Slackware 13.0 ChangeLog:\n\npatches/packages/pidgin-2.7.0-i486-1_slack13.0.txz: Upgraded.\n Upgraded to pidgin-2.7.0 and pidgin-encryption-3.1.\n The msn_emoticon_msg function in slp.c in the MSN protocol plugin in\n libpurple in Pidgin before 2.7.0 allows remote attackers to cause\n a denial of service (application crash) via a custom emoticon in a\n malformed SLP message.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1624\n (* Security fix *)\n\nWhere to find the new 
packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.7.0-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/pidgin-2.7.0-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/pidgin-2.7.0-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/pidgin-2.7.0-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/pidgin-2.7.0-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.7.0-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/pidgin-2.7.0-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.0 package:\nb988b50b9eacdb945e23f87d727cd9ea pidgin-2.7.0-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\n18d32120919d0042d370813ab90a7d1d pidgin-2.7.0-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\nd3686755cf78d1f1b1c0e61663325c5f pidgin-2.7.0-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\n80002e97f1979c926b2a5c72ef7e4847 pidgin-2.7.0-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n03ac23f92b3884911718a9e4fce8d3b3 
pidgin-2.7.0-x86_64-1_slack13.0.txz\n\nSlackware -current package:\n2573c594996ef632e013a0ffcb95fe75 pidgin-2.7.0-i486-1.txz\n\nSlackware x86_64 -current package:\nb65ac72c257d0fa7b82728030a79bb36 pidgin-2.7.0-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg pidgin-2.7.0-i486-1_slack13.0.txz", "published": "2010-05-18T16:13:01", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.441227", "cvelist": ["CVE-2010-1624"], "lastseen": "2018-02-02T18:11:29"}, {"id": "SSA-2010-024-03", "type": "slackware", "title": "pidgin", "description": "New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0,\nand -current to fix a security issue.\n\nMore details about this issue may be found in the Common\nVulnerabilities and Exposures (CVE) database:\n\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013\n\n\nHere are the details from the Slackware 13.0 ChangeLog:\n\npatches/packages/pidgin-2.6.5-i486-1_slack13.0.txz : Upgraded.\n This fixes a directory traversal vulnerability in Pidgin's MSN protocol\n handling that may allow attackers to download arbitrary files.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0013\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.6.5-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/pidgin-2.6.5-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/pidgin-2.6.5-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/pidgin-2.6.5-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/pidgin-2.6.5-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.6.5-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/pidgin-2.6.5-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.0 package:\n1d779642ef1728ee115d0159803ffce7 pidgin-2.6.5-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\n24e6a95472e15299f16ad137ca92c568 pidgin-2.6.5-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\nd5186bf297d9647f08e4ff8b8d3496e5 pidgin-2.6.5-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\nb73f234503067324f5a16bc1686d0192 pidgin-2.6.5-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n6ae919fbbfc06731d4b83a9ff65f88a8 pidgin-2.6.5-x86_64-1_slack13.0.txz\n\nSlackware -current package:\nda2ea9b466c31521cf3857fc6998cb4c pidgin-2.6.5-i486-1.txz\n\nSlackware x86_64 -current package:\n362a93381a225db704749b4249013731 pidgin-2.6.5-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg pidgin-2.6.5-i486-1_slack13.0.txz", "published": "2010-01-24T21:20:22", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.443459", "cvelist": ["CVE-2010-0013"], "lastseen": "2018-02-02T18:11:28"}, {"id": "SSA-2010-240-05", "type": "slackware", "title": "pidgin", "description": "New pidgin packages are available for Slackware 12.0, 12.1, 12.2, 13.0, 13.1,\nand -current to fix security issues.\n\nHere are the details from the Slackware 13.1 ChangeLog:\n\npatches/packages/pidgin-2.7.3-i486-1_slack13.1.txz: Upgraded.\n This fixes a crash due to malformed X-Status messages.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2528\n (* Security fix *)\n\nWhere to find the new packages:\n\nHINT: Getting slow download speeds from ftp.slackware.com?\nGive slackware.osuosl.org a try. This is another primary FTP site\nfor Slackware that can be considerably faster than downloading\ndirectly from ftp.slackware.com.\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating additional FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 12.0:\nftp://ftp.slackware.com/pub/slackware/slackware-12.0/patches/packages/pidgin-2.7.3-i486-1_slack12.0.tgz\n\nUpdated package for Slackware 12.1:\nftp://ftp.slackware.com/pub/slackware/slackware-12.1/patches/packages/pidgin-2.7.3-i486-1_slack12.1.tgz\n\nUpdated package for Slackware 12.2:\nftp://ftp.slackware.com/pub/slackware/slackware-12.2/patches/packages/pidgin-2.7.3-i486-1_slack12.2.tgz\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/pidgin-2.7.3-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/pidgin-2.7.3-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/pidgin-2.7.3-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/pidgin-2.7.3-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/xap/pidgin-2.7.3-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/xap/pidgin-2.7.3-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 12.0 package:\nfb7245579aa4015f005d0044aeb7fd52 pidgin-2.7.3-i486-1_slack12.0.tgz\n\nSlackware 12.1 package:\nba4084ade603a89b4e90e46bcd0c2b23 pidgin-2.7.3-i486-1_slack12.1.tgz\n\nSlackware 12.2 package:\n5f8e30a3bb04c445040b2b089fc6c04c pidgin-2.7.3-i486-1_slack12.2.tgz\n\nSlackware 13.0 package:\n10bf842cd6588250ee109c336ab89990 pidgin-2.7.3-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\nb395ee451748d348a0eec5b92d939581 pidgin-2.7.3-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n16b7bdbe33fa6939b550913c1014680c 
pidgin-2.7.3-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\ne84ee7496de30290c1c379b17ce25e32 pidgin-2.7.3-x86_64-1_slack13.1.txz\n\nSlackware -current package:\ne55e0f4e6a656e50dfa01da2da847cd7 xap/pidgin-2.7.3-i486-1.txz\n\nSlackware x86_64 -current package:\ne33c22e97f622500be3b84cde060b503 xap/pidgin-2.7.3-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg pidgin-2.7.3-i486-1_slack13.1.txz", "published": "2010-08-28T09:53:14", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2010&m=slackware-security.462873", "cvelist": ["CVE-2010-2528"], "lastseen": "2018-02-02T18:11:37"}], "ubuntu": [{"id": "USN-902-1", "type": "ubuntu", "title": "Pidgin vulnerabilities", "description": "Fabian Yamaguchi discovered that Pidgin incorrectly validated all fields of an incoming message in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0277)\n\nSadrul Habib Chowdhury discovered that Pidgin incorrectly handled certain nicknames in Finch group chat rooms. A remote attacker could use a specially crafted nickname and cause Pidgin to crash, leading to a denial of service. (CVE-2010-0420)\n\nAntti Hayrynen discovered that Pidgin incorrectly handled large numbers of smileys. A remote attacker could send a specially crafted message and cause Pidgin to become unresponsive, leading to a denial of service. 
(CVE-2010-0423)", "published": "2010-02-22T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/902-1/", "cvelist": ["CVE-2010-0420", "CVE-2010-0423", "CVE-2010-0277"], "lastseen": "2018-03-29T18:20:01"}, {"id": "USN-1014-1", "type": "ubuntu", "title": "Pidgin vulnerabilities", "description": "Pierre Nogu\u00e8s discovered that Pidgin incorrectly handled malformed SLP messages in the MSN protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, 9.10 and 10.04 LTS. (CVE-2010-1624)\n\nDaniel Atallah discovered that Pidgin incorrectly handled the return code of the Base64 decoding function. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. (CVE-2010-3711)", "published": "2010-11-04T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/1014-1/", "cvelist": ["CVE-2010-1624", "CVE-2010-3711"], "lastseen": "2018-03-29T18:17:31"}, {"id": "USN-886-1", "type": "ubuntu", "title": "Pidgin vulnerabilities", "description": "It was discovered that Pidgin did not properly handle certain topic messages in the IRC protocol handler. If a user were tricked into connecting to a malicious IRC server, an attacker could cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-2703)\n\nIt was discovered that Pidgin did not properly enforce the \u201crequire TLS/SSL\u201d setting when connecting to certain older Jabber servers. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. 
(CVE-2009-3026)\n\nIt was discovered that Pidgin did not properly handle certain SLP invite messages in the MSN protocol handler. A remote attacker could send a specially crafted invite message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.04 LTS, Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3083)\n\nIt was discovered that Pidgin did not properly handle certain errors in the XMPP protocol handler. A remote attacker could send a specially crafted message and cause Pidgin to crash, leading to a denial of service. This issue only affected Ubuntu 8.10 and Ubuntu 9.04. (CVE-2009-3085)\n\nIt was discovered that Pidgin did not properly handle malformed contact-list data in the OSCAR protocol handler. A remote attacker could send specially crafted contact-list data and cause Pidgin to crash, leading to a denial of service. (CVE-2009-3615)\n\nIt was discovered that Pidgin did not properly handle custom smiley requests in the MSN protocol handler. A remote attacker could send a specially crafted filename in a custom smiley request and obtain arbitrary files via directory traversal. This issue only affected Ubuntu 8.10, Ubuntu 9.04 and Ubuntu 9.10. (CVE-2010-0013)\n\nPidgin for Ubuntu 8.04 LTS was also updated to fix connection issues with the MSN protocol.\n\nUSN-675-1 and USN-781-1 provided updated Pidgin packages to fix multiple security vulnerabilities in Ubuntu 8.04 LTS. The security patches to fix CVE-2008-2955 and CVE-2009-1376 were incomplete. This update corrects the problem. Original advisory details:\n\nIt was discovered that Pidgin did not properly handle file transfers containing a long filename and special characters in the MSN protocol handler. A remote attacker could send a specially crafted filename in a file transfer request and cause Pidgin to crash, leading to a denial of service. (CVE-2008-2955)\n\nIt was discovered that Pidgin did not properly handle certain malformed messages in the MSN protocol handler. 
A remote attacker could send a specially crafted message and possibly execute arbitrary code with user privileges. (CVE-2009-1376)", "published": "2010-01-18T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/886-1/", "cvelist": ["CVE-2009-3085", "CVE-2009-3083", "CVE-2009-1376", "CVE-2009-3026", "CVE-2010-0013", "CVE-2009-2703", "CVE-2009-3615", "CVE-2008-2955"], "lastseen": "2018-03-29T18:19:46"}], "packetstorm": [{"id": "PACKETSTORM:85413", "type": "packetstorm", "title": "Pidgin MSN 2.6.4 File Download", "description": "", "published": "2010-01-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://packetstormsecurity.com/files/85413/Pidgin-MSN-2.6.4-File-Download.html", "cvelist": ["CVE-2010-0013"], "lastseen": "2016-12-05T22:20:48"}], "exploitdb": [{"id": "EDB-ID:11203", "type": "exploitdb", "title": "Pidgin MSN <= 2.6.4 File Download Vulnerability", "description": "Pidgin MSN <= 2.6.4 File Download Vulnerability. CVE-2010-0013. Remote exploits for multiple platforms", "published": "2010-01-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/11203/", "cvelist": ["CVE-2010-0013"], "lastseen": "2016-02-01T13:50:53"}], "gentoo": [{"id": "GLSA-201206-11", "type": "gentoo", "title": "Pidgin: Multiple vulnerabilities", "description": "### Background\n\nPidgin is a GTK Instant Messenger client.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Pidgin. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nThese vulnerabilities allow for arbitrary file retrieval, Denial of Service and arbitrary code execution with the privileges of the user running Pidgin. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Pidgin users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-im/pidgin-2.10.0-r1\"", "published": "2012-06-21T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://security.gentoo.org/glsa/201206-11", "cvelist": ["CVE-2011-3594", "CVE-2011-2485", "CVE-2010-0013"], "lastseen": "2016-09-06T19:46:34"}]}}