Change logs for pidgin source package in Precise

  • pidgin (1:2.10.3-0ubuntu1.8) precise-security; urgency=medium
    
      * SECURITY UPDATE: Out-of-bounds write when stripping xml
        - debian/patches/CVE-2017-2640.patch: improve entity processing in
          libpurple/util.c.
        - CVE-2017-2640
    
     -- Marc Deslauriers <email address hidden>  Mon, 13 Mar 2017 14:31:38 -0400
  • pidgin (1:2.10.3-0ubuntu1.7) precise-security; urgency=medium
    
      * SECURITY UPDATE: denial of service and code execution in MXIT protocol
        - debian/patches/CVE-2016-*.patch: fix multiple issues.
        - CVE-2016-2365
        - CVE-2016-2366
        - CVE-2016-2367
        - CVE-2016-2368
        - CVE-2016-2369
        - CVE-2016-2370
        - CVE-2016-2371
        - CVE-2016-2372
        - CVE-2016-2373
        - CVE-2016-2374
        - CVE-2016-2375
        - CVE-2016-2376
        - CVE-2016-2377
        - CVE-2016-2378
        - CVE-2016-2380
        - CVE-2016-4323
    
     -- Marc Deslauriers <email address hidden>  Tue, 12 Jul 2016 09:12:35 -0400
  • pidgin (1:2.10.3-0ubuntu1.6) precise-security; urgency=medium
    
      * SECURITY UPDATE: insufficient ssl certificate validation
        - debian/patches/CVE-2014-3694.patch: fix basic constraints checking in
          libpurple/certificate.c, libpurple/certificate.h,
          libpurple/plugins/ssl/ssl-gnutls.c, libpurple/plugins/ssl/ssl-nss.c.
        - CVE-2014-3694
      * SECURITY UPDATE: denial of service via malformed MXit emoticon response
        - debian/patches/CVE-2014-3695.patch: properly check lengths in
          libpurple/protocols/mxit/markup.c.
        - CVE-2014-3695
      * SECURITY UPDATE: denial of service via malformed Groupwise message
        - debian/patches/CVE-2014-3696.patch: check sizes in
          libpurple/protocols/novell/nmevent.c.
        - CVE-2014-3696
      * SECURITY UPDATE: XMPP information leak
        - debian/patches/CVE-2014-3698.patch: fix leaks in
          libpurple/protocols/jabber/jutil.c.
        - CVE-2014-3698
     -- Marc Deslauriers <email address hidden>  Mon, 27 Oct 2014 11:48:53 -0400
  • pidgin (1:2.10.3-0ubuntu1.5) precise-security; urgency=medium
    
      * SECURITY UPDATE: memory corruption via crafted message from gadu-gadu
        file relay server
        - debian/patches/CVE-2014-3775.patch: check relay_count in
          libpurple/protocols/gg/lib/dcc7.c
        - CVE-2014-3775
     -- Marc Deslauriers <email address hidden>  Tue, 20 May 2014 11:11:00 -0400
  • pidgin (1:2.10.3-0ubuntu1.4) precise-security; urgency=medium
    
      * SECURITY UPDATE: remote crash in yahoo via incorrect char encoding
        - debian/patches/CVE-2012-6152.patch: validate strings as utf-8
          before parsing in libpurple/protocols/yahoo/{libymsg,yahoo_aliases,
          yahoo_filexfer,yahoo_friend,yahoo_picture,yahoochat}.c.
        - CVE-2012-6152
      * SECURITY UPDATE: crash via bad XMPP timestamp
        - debian/patches/CVE-2013-6477.patch: properly handle invalid
          timestamps in libpurple/{conversation,log,server}.c.
        - CVE-2013-6477
      * SECURITY UPDATE: crash via hovering pointer over long URL
        - debian/patches/CVE-2013-6478.patch: set max lengths in
          pidgin/gtkimhtml.c.
        - CVE-2013-6478
      * SECURITY UPDATE: remote crash via HTTP response parsing
        - debian/patches/CVE-2013-6479.patch: don't implicitly trust
          Content-Length in libpurple/util.c.
        - CVE-2013-6479
      * SECURITY UPDATE: remote crash via yahoo P2P message
        - debian/patches/CVE-2013-6481.patch: perform bounds checking in
          libpurple/protocols/yahoo/libymsg.c.
        - CVE-2013-6481
      * SECURITY UPDATE: crashes via MSN NULL pointer dereferences
        - debian/patches/CVE-2013-6482.patch: fix NULL pointers in
          libpurple/protocols/msn/{msg,oim,soap}.c.
        - CVE-2013-6482
      * SECURITY UPDATE: iq reply spoofing via incorrect from verification
        - debian/patches/CVE-2013-6483.patch: verify from field on iq replies
          in libpurple/protocols/jabber/{iq.*,jabber.c,jutil.*}.
        - CVE-2013-6483
      * SECURITY UPDATE: crash via response from STUN server
        - debian/patches/CVE-2013-6484.patch: validate len in libpurple/stun.c.
        - CVE-2013-6484
      * SECURITY UPDATE: buffer overflow in chunked HTTP response parsing
        - debian/patches/CVE-2013-6485.patch: limit chunk size in
          libpurple/util.c.
        - CVE-2013-6485
      * SECURITY UPDATE: buffer overflow in gadu-gadu HTTP parsing
        - debian/patches/CVE-2013-6487.patch: limit length in
          libpurple/protocols/gg/lib/http.c.
        - CVE-2013-6487
      * SECURITY UPDATE: buffer overflow in MXit emoticon parsing
        - debian/patches/CVE-2013-6489.patch: check return code in
          libpurple/protocols/mxit/markup.c.
        - CVE-2013-6489
      * SECURITY UPDATE: buffer overflow in SIMPLE header parsing
        - debian/patches/CVE-2013-6490.patch: use g_new in
          libpurple/protocols/simple/simple.c and check length in
          libpurple/protocols/simple/sipmsg.c.
        - CVE-2013-6490
      * SECURITY UPDATE: crash via IRC argument parsing
        - debian/patches/CVE-2014-0020.patch: fix arg handling in
          libpurple/protocols/irc/msgs.c, fix counts in
          libpurple/protocols/irc/parse.c.
        - CVE-2014-0020
     -- Marc Deslauriers <email address hidden>  Wed, 05 Feb 2014 15:58:24 -0500
  • pidgin (1:2.10.3-0ubuntu1.3) precise-security; urgency=low
    
      * SECURITY UPDATE: file overwrite via MXit crafted pathname
        - debian/patches/CVE-2013-0271.patch: properly escape filenames in
          libpurple/protocols/mxit/formcmds.c,
          libpurple/protocols/mxit/splashscreen.c.
        - CVE-2013-0271
      * SECURITY UPDATE: arbitrary code execution via long HTTP header in MXit
        - debian/patches/CVE-2013-0272.patch: properly check lengths in
          libpurple/protocols/mxit/http.c.
        - CVE-2013-0272
      * SECURITY UPDATE: denial of service via long user ID in Sametime
        - debian/patches/CVE-2013-0273.patch: use g_strlcpy in
          libpurple/protocols/sametime/sametime.c.
        - CVE-2013-0273
      * SECURITY UPDATE: denial of service via long UPnP responses
        - debian/patches/CVE-2013-0274.patch: use g_strlcpy in libpurple/upnp.c.
        - CVE-2013-0274
     -- Marc Deslauriers <email address hidden>  Thu, 21 Feb 2013 12:53:30 -0500
  • pidgin (1:2.10.3-0ubuntu1.2) precise-proposed; urgency=low
    
      * debian/patches/pounce-webview.patch (LP: #1026442)
        - Buddy pounce - send message window too short
     -- Ritesh Khadgaray <email address hidden>  Wed, 09 Jan 2013 17:50:06 +0530
  • pidgin (1:2.10.3-0ubuntu1.1) precise-security; urgency=low
    
      * SECURITY UPDATE: Remote denial of service via specially crafted XMPP file
        transfer requests (LP: #996691)
        - debian/patches/CVE-2012-2214.patch: Properly tear down SOCKS5
          connection attempts. Based on upstream patch.
        - CVE-2012-2214
      * SECURITY UPDATE: Remote denial of service via specially crafted MSN
        messages (LP: #996691)
        - debian/patches/CVE-2012-2318.patch: Convert incoming messages to UTF-8,
          then validate the messages. Based on upstream patch.
        - CVE-2012-2318
      * SECURITY UPDATE: Remote denial of service via specially crafted MXit
        messages (LP: #1022012)
        - debian/patches/CVE-2012-3374.patch: Use dynamically allocated memory
          instead of a fixed size buffer. Based on upstream patch.
        - CVE-2012-3374
     -- Tyler Hicks <email address hidden>  Sun, 08 Jul 2012 18:14:21 -0500
  • pidgin (1:2.10.3-0ubuntu1) precise; urgency=low
    
      * update to new stable release, fixes (LP: #964210)
     -- Alexander Fougner <email address hidden>  Fri, 06 Apr 2012 10:03:13 +0200
  • pidgin (1:2.10.2-1ubuntu2) precise; urgency=low
    
      * debian/patches/70_farstream_rename.patch
        - updated patch from the upstream bug report
          http://developer.pidgin.im/ticket/14936
     -- Ken VanDine <email address hidden>  Wed, 04 Apr 2012 17:02:58 -0400
  • pidgin (1:2.10.2-1ubuntu1) precise; urgency=low
    
      * New upstream version based on the Debian update
    
    pidgin (2.10.2-1) unstable; urgency=medium
    
      * Imported Upstream version 2.10.2
        - Fixes a possible remote crash in XMPP (CVE-2011-4939) (Closes: #664028)
        - Fixes a possible remote crash in XMPP (CVE-2012-1178) (Closes: #664030)
     -- Sebastien Bacher <email address hidden>  Thu, 05 Jan 2012 15:46:36 +0100
  • pidgin (1:2.10.1-1ubuntu2) precise; urgency=low
    
      * debian/control
        - build depend on farstream instead of farsight, it was renamed upstream
      * debian/patches/70_farstream_rename.patch
        - updated for the transition from farsight to farstream
     -- Ken VanDine <email address hidden>  Mon, 05 Mar 2012 15:13:12 -0500
  • pidgin (1:2.10.1-1ubuntu1) precise; urgency=low
    
      * New upstream version based on the Debian update
    
    pidgin (2.10.1-1) unstable; urgency=medium
    
      * Imported Upstream version 2.10.1
        - Fixes remotely-triggered crash in XMPP/Jingle
        - Fixes remotely-triggered crash in AIM/ICQ (CVE-2011-4601)
        - Fixes remotely-triggered crash in SILC (CVE-2011-3594)
      * add NEWS to installed docs
      * nm09-more.patch: change deprecated Network Manager signal name
        (Closes: #642117)
    
    pidgin (2.10.0-2) unstable; urgency=low
    
      * Add Conflicts: network-manager (<< 0.9.0) so there shouldn't be any
        version mismatch issues
        (Closes: #642199)
    
    pidgin (2.10.0-1) unstable; urgency=high
    
      * Imported Upstream version 2.10.0
        - Fixes a remote crash in IRC
        - Fixes a remote crash in MSN
      * Use linux-any instead of hardcoded list of non-Linux architectures
        (Closes: #634612)
     -- Sebastien Bacher <email address hidden>  Thu, 05 Jan 2012 15:46:36 +0100
  • pidgin (1:2.10.0-0ubuntu3) precise; urgency=low
    
      * Rebuild for Perl 5.14 (LP: #890845).
     -- Colin Watson <email address hidden>  Tue, 15 Nov 2011 21:05:59 +0000
  • pidgin (1:2.10.0-0ubuntu2) oneiric; urgency=low
    
      * debian/patches/irc_disable_periodic_who.patch: work around spontaneous
        disconnects from IRC due to 'Max SendQ exceeded' errors caused by periodic
        /who checks. (LP: #856631)
     -- Mathieu Trudel-Lapierre <email address hidden>  Fri, 23 Sep 2011 22:00:52 -0400