Update to latest upstream release (2.10.11)

Bug #1402424 reported by Amr Ibrahim on 2014-12-14
This bug affects 7 people
Affects Status Importance Assigned to Milestone
pidgin (Ubuntu)

Bug Description

Update to latest upstream release (2.10.11) in vivid.

Upstream changelog https://developer.pidgin.im/wiki/ChangeLog:

version 2.10.11 (11/23/14)

        * Fix handling of Self-Signed SSL/TLS Certificates when using the NSS plugin
        * Improve default cipher suites used with the NSS plugin
        * Add NSS Preferences plugin which allows the SSL/TLS Versions and cipher suites to be configured

        * Fix a bug that prevented the plugin from loading when compiled without GnuTLS. (mancha)
        * Fix build for platforms without AF_LOCAL definition.

        * Fix broken login due to server change (dx, TReKiE).
        * Fail early when buddy list is unavailable instead of wasting bandwidth endlessly re-trying.

version 2.10.10 (10/22/2014)

        * Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694)
        * Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL. (Elrond and Ashish Gupta)

    libpurple3 compatibility
        * Encrypted account passwords are preserved until the new one is set.
        * Fix loading Google Talk and Facebook XMPP accounts.

    Windows-Specific Changes
        * Don't allow overwriting arbitrary files on the file system when the user installs a smiley theme via drag-and-drop. (Discovered by Yves Younan of Cisco Talos) (CVE-2014-3697)
        * Updates to dependencies
            * NSS 3.17.1 and NSPR 4.10.7

        * Fix build against Python 3. (Ed Catmur)

        * Updated internal libgadu to version 1.12.0.

        * Fix potential remote crash parsing server message that indicates that a large amount of memory should be allocated. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3696)

        * Fix a possible leak of unencrypted data when using /me command with OTR. (Thijs Alkemade)

        * Fix potential remote crash parsing a malformed emoticon response. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3695)

        * Fix potential information leak where a malicious XMPP server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory. (Discovered and fixed by Thijs Alkemade and Paul Aurich) (CVE-2014-3698)
        * Fix Facebook XMPP roster quirks.

        * Fix login when using the GnuTLS library for TLS connections.
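
The basic constraints check from the 2.10.10 entry (CVE-2014-3694), as an added example that is not Pidgin's or libpurple's code: a Go program that builds a constructed certificate chain in which an ordinary end-entity certificate has signed a certificate for another host, and a validator that rejects that chain because the issuer does not assert CA:TRUE. The certificate names and keys are generated on the fly and are not real.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issuersAreCAs applies the check the 2.10.10 entry describes: every certificate that
// signs another one in the chain (all but the leaf at index 0) must carry basicConstraints CA:TRUE.
func issuersAreCAs(chain []*x509.Certificate) bool {
	for _, issuer := range chain[1:] {
		if !issuer.BasicConstraintsValid || !issuer.IsCA {
			return false
		}
	}
	return true
}

// mkCert issues a throwaway test certificate (constructed here, not real); a nil parent means self-signed.
func mkCert(cn string, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, // extension on every cert, CA:TRUE only on the root
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// demoChains returns a legitimate chain [leaf, root] and a forged one [rogue, leaf, root] where the leaf acted as issuer.
func demoChains() (good, forged []*x509.Certificate) {
	root, rootKey := mkCert("Test Root CA", true, nil, nil)
	leaf, leafKey := mkCert("im.example.test", false, root, rootKey)
	rogue, _ := mkCert("xmpp.example.test", false, leaf, leafKey)
	return []*x509.Certificate{leaf, root}, []*x509.Certificate{rogue, leaf, root}
}
```

A full validator still has to verify each signature, the names and the validity period; this block isolates only the missing CA-flag check that made the impersonation possible.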

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in pidgin (Ubuntu):
status: New → Confirmed
Changed in pidgin (Ubuntu):
importance: Undecided → High
Yuriy (uri-inf) on 2015-01-09
no longer affects: pidgin
Julian Alarcon (julian-alarcon) wrote :

Hi, this bug is affecting me. Because of pidgin bug https://developer.pidgin.im/ticket/16412 I can't use Lync 2013 inside the company.

tags: added: trusty
Adolfo Jayme (fitojb) on 2015-04-24
Changed in pidgin (Ubuntu):
status: Confirmed → Triaged
importance: High → Wishlist
djcj (djcj) wrote :

Newest upstream version is available in Debian stable, so I guess it's about time to import it from there: https://packages.debian.org/jessie/pidgin

tags: added: wily
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pidgin - 1:2.10.11-0ubuntu2

pidgin (1:2.10.11-0ubuntu2) wily; urgency=medium

  * debian/control:
    - Build-depend on libgstreamer1.0-dev, libgstreamer-plugins-base1.0-dev,
    - Recommend gstreamer1.0-plugins-base, gstreamer1.0-plugins-good
  * debian/patches/gstreamer1.patch:
    - Use gstreamer 1.0 (LP: #1295207)

 -- Robert Ancell <email address hidden> Fri, 29 May 2015 11:28:51 +1200

Changed in pidgin (Ubuntu):
status: Triaged → Fix Released
StoatWblr (stoatwblr) wrote :

NOT fixed: The only version available for vivid is still 2.10.9 - and has an information leak hole in it.

This needs to be backported to vivid.

StoatWblr (stoatwblr) wrote :

Closure disputed: This has NOT been fixed on Vivid and Wily is not officially released.
Why is Canonical allowing a known security hole to remain unfixed?
