Pidgin 2.6.6 was released earlier today fixing 3 security bugs: CVE-2010-0423 | CVE-2010-0420 | CVE-2010-0277 and many other fixes and changes according to this log http://developer.pidgin.im/wiki/ChangeLog Reproducible: Always
New version is in the tree.
Thanks Dani and Peter. Arches, please test and mark stable: =net-im/pidgin-2.6.6 Target keywords : "alpha amd64 hppa ppc ppc64 x86"
Stable for HPPA.
Tested on x86: Looks good.
x86 stable, thanks Thomas
ppc64 done
alpha/ia64/sparc stable
amd64 stable.
CVE-2010-0420 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0420): libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user chat (MUC) room is used, does not properly parse nicknames containing <br> sequences, which allows remote attackers to cause a denial of service (application crash) via a crafted nickname. CVE-2010-0423 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0423): gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a denial of service (CPU consumption and application hang) by sending many smileys in a (1) IM or (2) chat.
CVE-2010-0277 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0277): slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6, including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed MSNSLP INVITE request in an SLP message, a different issue than CVE-2010-0013.
Marked ppc stable.
ready for GLSA vote there is also bug 324023
DoS in client application → noglsa.