* SECURITY UPDATE: code execution via integer overflow in the MSN protocol
handler (LP: #245770)
- debian/patches/99_SECURITY_CVE-2008-2927.patch: fix
msn_slplink_process_msg() in src/protocols/msn/slplink.c by checking
against maximum size G_MAXSIZE.
- CVE-2008-2927
* SECURITY UPDATE: denial of service via specially formulated long
filename (LP: #245769)
- debian/patches/99_SECURITY_CVE-2008-2955.patch: change
src/protocols/msn/[slplink.c,slpcall.*] to make sure xfer structure still
exists before putting dest_fp in it.
- CVE-2008-2955
* SECURITY UPDATE: denial of service via resource exhaustion from arbitrary
URL in UPnP functionality (LP: #245769)
- debian/patches/99_SECURITY_CVE-2008-2957.patch: modified
libpurple/[upnp.c,util.*] to add purple_util_fetch_url_request_len() in
order to limit http downloads to 128k.
- CVE-2008-2957
* SECURITY UPDATE: man in the middle attack from lack of certificate
validation in nss plugin (LP: #251304)
- debian/patches/99_SECURITY_CVE-2008-3532.patch: modified
libpurple/plugins/ssl/ssl-nss.c to add certificate validation code.
- CVE-2008-3532
-- Marc Deslauriers <email address hidden> Thu, 20 Nov 2008 15:54:34 -0500
This bug was fixed in the package pidgin - 1:2.2.1-1ubuntu4.3
--------------- 1-1ubuntu4. 3) gutsy-security; urgency=low
pidgin (1:2.2.
* SECURITY UPDATE: code execution via integer overflow in the MSN protocol patches/ 99_SECURITY_ CVE-2008- 2927.patch: fix slplink_ process_ msg() in src/protocols/ msn/slplink. c by checking patches/ 99_SECURITY_ CVE-2008- 2955.patch: change protocols/ msn/[slplink. c,slpcall. *] to make sure xfer structure still patches/ 99_SECURITY_ CVE-2008- 2957.patch: modified /[upnp. c,util. *] to add purple_ util_fetch_ url_request_ len() in patches/ 99_SECURITY_ CVE-2008- 3532.patch: modified /plugins/ ssl/ssl- nss.c to add certificate validation code.
handler (LP: #245770)
- debian/
msn_
against maximum size G_MAXSIZE.
- CVE-2008-2927
* SECURITY UPDATE: denial of service via specially formulated long
filename (LP: #245769)
- debian/
src/
exists before putting dest_fp in it.
- CVE-2008-2955
* SECURITY UPDATE: denial of service via resource exhaustion from arbitrary
URL in UPnP functionality (LP: #245769)
- debian/
libpurple
order to limit http downloads to 128k.
- CVE-2008-2957
* SECURITY UPDATE: man in the middle attack from lack of certificate
validation in nss plugin (LP: #251304)
- debian/
libpurple
- CVE-2008-3532
-- Marc Deslauriers <email address hidden> Thu, 20 Nov 2008 15:54:34 -0500