-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-2038-3 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst November 13, 2010 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : pidgin Vulnerability : several Problem type : remote Debian-specific: no CVE Id(s) : CVE-2010-0420 CVE-2010-0423 Debian Bug : 566775 579601 The packages for Pidgin released as DSA 2038-2 had a regression, as they unintentionally disabled the Silc, Simple, and Yahoo instant messaging protocols. This update restore that functionality. For reference the original advisory text below. Several remote vulnerabilities have been discovered in Pidgin, a multi protocol instant messaging client. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-0420 Crafted nicknames in the XMPP protocol can crash Pidgin remotely. CVE-2010-0423 Remote contacts may send too many custom smilies, crashing Pidgin. Since a few months, Microsoft's servers for MSN have changed the protocol, making Pidgin non-functional for use with MSN. It is not feasible to port these changes to the version of Pidgin in Debian Lenny. This update formalises that situation by disabling the protocol in the client. Users of the MSN protocol are advised to use the version of Pidgin in the repositories of www.backports.org. For the stable distribution (lenny), these problems have been fixed in version 2.4.3-4lenny8. For the unstable distribution (sid), these problems have been fixed in version 2.6.6-1. We recommend that you upgrade your pidgin package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3.orig.tar.gz Size/MD5 checksum: 13123610 d0e0bd218fbc67df8b2eca2f21fcd427 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8.diff.gz Size/MD5 checksum: 72269 0119701838d8ad1cdeac7ce4c91bae65 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8.dsc Size/MD5 checksum: 1769 ad33ad23693b546e86e0912e88a4ea12 Architecture independent packages: http://security.debian.org/pool/updates/main/p/pidgin/libpurple-dev_2.4.3-4lenny8_all.deb Size/MD5 checksum: 278150 84022a327404419ae540f3f3bc427e3b http://security.debian.org/pool/updates/main/p/pidgin/libpurple-bin_2.4.3-4lenny8_all.deb Size/MD5 checksum: 133688 16372c01693c7744ff48f411aaaac5a2 http://security.debian.org/pool/updates/main/p/pidgin/pidgin-data_2.4.3-4lenny8_all.deb Size/MD5 checksum: 7014900 c2c210652333d77e3573be4a8a699c9b http://security.debian.org/pool/updates/main/p/pidgin/finch-dev_2.4.3-4lenny8_all.deb Size/MD5 checksum: 159954 51bde77053b4ea6e14b1442bf1a1607d http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dev_2.4.3-4lenny8_all.deb Size/MD5 checksum: 194580 a7dde485b3f5d3e4893ceb2a22ee47aa alpha architecture (DEC Alpha) http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_alpha.deb Size/MD5 checksum: 5315572 1cf0367c5e3881549bac1a4fe45aa5eb http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_alpha.deb Size/MD5 checksum: 371260 ba6898cf2c154319bffcc9cd6d4cd4a7 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_alpha.deb Size/MD5 checksum: 777478 228be5cdb1f26820e5f5348096f3c3ee http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_alpha.deb Size/MD5 checksum: 1719898 c04983751b915ceeef5a2d884edddcfd amd64 architecture (AMD x86_64 (AMD64)) http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_amd64.deb Size/MD5 checksum: 1633712 927a05948c7ea50b4ff1515820495093 http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_amd64.deb Size/MD5 checksum: 347692 4bea6a2d558defbfc9cf1bee25ec4a4d http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_amd64.deb Size/MD5 checksum: 727282 b148a28348d91d43e78b02798893bb6a http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_amd64.deb Size/MD5 checksum: 5428234 ab7cc975d13b3abd8faa2498896d8d44 arm architecture (ARM) http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_arm.deb Size/MD5 checksum: 5118248 e2f34bded56a07650f91e119cd739c7b http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_arm.deb Size/MD5 checksum: 315658 18a22ae56dab911aa7c8667db51afbc4 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_arm.deb Size/MD5 checksum: 655810 200950fcc1f558d92e50fda7f494ea0b http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_arm.deb Size/MD5 checksum: 1422998 1e4c635bdba06539a081b1c6f422b1d2 armel architecture (ARM EABI) http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_armel.deb Size/MD5 checksum: 1430694 4c96fa5a80593ddf0c3e4f998173bdcf http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_armel.deb Size/MD5 checksum: 667108 330bd6dcb19da7bb1ce21013f035ae32 http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_armel.deb Size/MD5 checksum: 5152254 6b61008ee4337db73612d4943ed756e6 http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_armel.deb Size/MD5 checksum: 319130 56c3e97232ceb5fed1688dff1c6b07f2 hppa architecture (HP PA RISC) http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_hppa.deb Size/MD5 checksum: 5249334 f9380ac4d099646026092869254f36af http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_hppa.deb Size/MD5 checksum: 360850 31898206d949ddd8a0645e756700e5e6 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_hppa.deb Size/MD5 checksum: 752928 5668adccc2caf428e04b35adad06753a http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_hppa.deb Size/MD5 checksum: 1741168 32a16b666040fd28dad3a50cb2508edd i386 architecture (Intel ia32) http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_i386.deb Size/MD5 checksum: 5142098 46afbb8656ef35617b90e5272ff4fb0f http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_i386.deb Size/MD5 checksum: 326492 8ffe29c959a8494c2421a0aa2f4f4d32 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_i386.deb Size/MD5 checksum: 679860 9588d20c33677a0acfffce3a98c97280 http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_i386.deb Size/MD5 checksum: 1506712 e324dae1d982241abb5537b719a4831a ia64 architecture (Intel ia64) http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_ia64.deb Size/MD5 checksum: 5000868 ae42b44a76ecb3558c5a2e5db5f19e2a http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_ia64.deb Size/MD5 checksum: 2087484 b7bc9718fd1ef427eb763a34c34b900b http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_ia64.deb Size/MD5 checksum: 435108 aa579727d0272a8fb8968bfa6e4062a7 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_ia64.deb Size/MD5 checksum: 948900 9f829afda7629eeca4f38bb043f20676 mips architecture (MIPS (Big Endian)) http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_mips.deb Size/MD5 checksum: 1304070 c57c7afa0b340b070bc2f54f340549a3 http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_mips.deb Size/MD5 checksum: 320686 c3a2186b1f6037b7fd66bdef4e47e26b http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_mips.deb Size/MD5 checksum: 656496 8b848d690917eab703a60698a3be2e1f http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_mips.deb Size/MD5 checksum: 5409338 e7fbcb9776703eb244a79fcb363adbbd mipsel architecture (MIPS (Little Endian)) http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_mipsel.deb Size/MD5 checksum: 1291760 7fb32d3297f440c73e964081860e460e http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_mipsel.deb Size/MD5 checksum: 318700 e5baa0a06a8900638e3088b9879b1923 http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_mipsel.deb Size/MD5 checksum: 5306128 762422060524ce5019abe682005dd273 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_mipsel.deb Size/MD5 checksum: 651552 892ac43fc97903793d60239843524bc7 powerpc architecture (PowerPC) http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_powerpc.deb Size/MD5 checksum: 1682748 37529f1ef367a5e984aa027c5f270d8b http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_powerpc.deb Size/MD5 checksum: 757670 9a9aef7b7215ba897e731e0dc1c2e645 http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_powerpc.deb Size/MD5 checksum: 362828 f2482932f44d26f9878d1943e24fbb6a http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_powerpc.deb Size/MD5 checksum: 5360552 12cef47bcab4db9af3071cb31ce1c4f9 s390 architecture (IBM S/390) http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_s390.deb Size/MD5 checksum: 5331892 1de914be4947ec1f1d4e9f029f350480 http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_s390.deb Size/MD5 checksum: 360378 e9bb6c133cb59909e1418fae60245352 http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_s390.deb Size/MD5 checksum: 719338 795beea30a9d2d289ebbd9e2ffc0f286 http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_s390.deb Size/MD5 checksum: 1562530 186ca2624c320ef40cfcf309bd6bcf32 sparc architecture (Sun SPARC/UltraSPARC) http://security.debian.org/pool/updates/main/p/pidgin/pidgin_2.4.3-4lenny8_sparc.deb Size/MD5 checksum: 683482 7e54e2b074c6d6ad4a1fb28a070009f2 http://security.debian.org/pool/updates/main/p/pidgin/pidgin-dbg_2.4.3-4lenny8_sparc.deb Size/MD5 checksum: 4921794 c712395d28b865aab3ede218504c7ae4 http://security.debian.org/pool/updates/main/p/pidgin/finch_2.4.3-4lenny8_sparc.deb Size/MD5 checksum: 329552 591579e595077a26fc6616302723bfe7 http://security.debian.org/pool/updates/main/p/pidgin/libpurple0_2.4.3-4lenny8_sparc.deb Size/MD5 checksum: 1513948 68603d70bc41cb6f300a85ad9b0454df These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJM3uYeAAoJEOxfUAG2iX57Td8H/18wfLFH2TALauLI6KWRChGt OW3gVYr0TgNUDj2NfJHW8bjns5xVrQvySgaQJPHu+4Xp5/5BanIreBT/cThVmC8q U1urgfwImqun01/rIx/EJTTd+7Buw4AtboQqGoXA1NkhVHdtsRjeR8wTl9cT6/W0 fY8c3NTvShLdPEOYvqA5gaPxR62QPMjT50oTtzkwGNCKcsVMCMiPbeEcHdkA2ihf 0QbOV8MRUCXNFPG5cg270k9kLm6vrwMNLPoyHTCfZZfZ28FrRYG5TjHHYg3Dblo7 q8j/CMkjJI83/rbBfD1AeP9z1YdmxP1+IGlnjI2Zv907bIm1Enp5bE2+fxPchP0= =ND5l -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/