23.08.54 [ MDVSA-2009:173 ] pidgin
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 ______________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:173
 http://www.mandriva.com/
 ______________________________

 Package : pidgin
 Date    : July 29, 2009
 Affected: Enterprise Server 5.0
 ______________________________

 Problem Description:

 Security vulnerabilities have been identified and fixed in pidgin:

 Buffer overflow in the XMPP SOCKS5 bytestream server in Pidgin
 (formerly Gaim) before 2.5.6 allows remote authenticated users to
 execute arbitrary code via vectors involving an outbound XMPP file
 transfer. NOTE: some of these details are obtained from third party
 information (CVE-2009-1373).

 Buffer overflow in the decrypt_out function in Pidgin (formerly Gaim)
 before 2.5.6 allows remote attackers to cause a denial of service
 (application crash) via a QQ packet (CVE-2009-1374).

 The PurpleCircBuffer implementation in Pidgin (formerly Gaim) before
 2.5.6 does not properly maintain a certain buffer, which allows remote
 attackers to cause a denial of service (memory corruption and
 application crash) via vectors involving the (1) XMPP or (2) Sametime
 protocol (CVE-2009-1375).

 Multiple integer overflows in the msn_slplink_process_msg functions in
 the MSN protocol handler in (1) libpurple/protocols/msn/ (2)
 libpurple/protocols/msnp9/ before 2.5.6 on 32-bit platforms allow
 remote attackers to execute arbitrary code via a malformed SLP message
 with a crafted offset value, leading to buffer overflows. NOTE: this
 issue exists because of an incomplete fix for CVE-2008-2927
 (CVE-2009-1376).

 This update provides pidgin 2.5.8, which is not vulnerable to these
 issues.
 ______________________________

 References:

 http://cve.mitre.org/cgi-bin/
 http://cve.mitre.org/cgi-bin/
 http://cve.mitre.org/cgi-bin/
 http://cve.mitre.org/cgi-bin/
 http://pidgin.im/news/
 ______________________________

 Updated Packages:

 Mandriva Enterprise Server 5:
 Mandriva Enterprise Server 5/X86_64:
 ______________________________

 To upgrade automatically use MandrivaUpdate or urpmi. The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.
 You can obtain the GPG public key of the Mandriva Security Team by
 executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 ______________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKb6z2mqjQ0CJFipgRAvszAJ
A0bUhj6wrTOTJBLJwMLwSPY=
=LiUJ
-----END PGP SIGNATURE-----
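
The CVE-2009-1376 entry above describes an integer overflow on 32-bit platforms in which a crafted offset leads to a buffer overflow. The following added example (not part of the advisory and not Pidgin's code) shows the general pattern: a bounds check that adds two untrusted 32-bit values next to one that cannot wrap. The struct reasm type, the function names and the sample values are hypothetical, and uint32_t stands in for a 32-bit size_t so the behaviour is the same on any host.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reassembly state for a multi-part message (not libpurple's types). */
struct reasm {
    uint8_t *buf;   /* destination buffer */
    uint32_t size;  /* allocated size of buf, in bytes */
};

/* Weak check: offset + len is evaluated in 32 bits and can wrap to a small
 * value, so an out-of-range offset passes the comparison. */
int chunk_fits_wrapping(const struct reasm *r, uint32_t offset, uint32_t len)
{
    return (uint32_t)(offset + len) <= r->size;
}

/* Hardened check: never add two untrusted values; compare against the
 * space that remains after offset instead. */
int chunk_fits_checked(const struct reasm *r, uint32_t offset, uint32_t len)
{
    if (offset > r->size)
        return 0;
    return len <= r->size - offset;
}

/* Store one chunk; returns 0 on success, -1 if the chunk is rejected. */
int reasm_store(struct reasm *r, uint32_t offset, const uint8_t *data, uint32_t len)
{
    if (r == NULL || r->buf == NULL || data == NULL)
        return -1;
    if (!chunk_fits_checked(r, offset, len))
        return -1;
    memcpy(r->buf + offset, data, len);
    return 0;
}

int main(void)
{
    uint8_t buf[16] = {0}, data[32] = {0};   /* constructed sample input */
    struct reasm r = { buf, sizeof buf };
    uint32_t off = 0xFFFFFFF0u, len = 0x20u; /* off + len wraps to 0x10 */

    printf("wrapping check accepts: %d\n", chunk_fits_wrapping(&r, off, len));
    printf("hardened check accepts: %d\n", chunk_fits_checked(&r, off, len));
    printf("store result: %d\n", reasm_store(&r, off, data, len));
    return 0;
}
```
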