Pidgin version 2.7.0 was released on 05/12/2010. They dropped support for old MSNP9, changed GTK+ minimum version requirement to 2.10.0 and set GLib minimum version requirement to 2.12.0, in addition to security fixes CVE-2010-0423, CVE-2010-0420 and CVE-2010-0277. It looks like there is a new security bug in 2.7.0 under CVE-2010-1624 (check the link http://pidgin.im/news/security/?id=46), but it looks like disabling custom emoticons will fix the issue. Should we wait for 2.7.1 or release the ebuild? Reproducible: Always
There's also the problem that pidgin-2.7.0 doesn't compile when gstreamer isn't installed: http://developer.pidgin.im/ticket/11850 So I'd say wait for pidgin-2.7.1
My solution is to force gst on everyone instead... it's bumped.
Olivier, thanks for this bump. But I feel some work is still required here :) ChangeLog states: # Using the --disable-nls argument to configure now works properly. You will no longer be forced to have intltool to configure and build. Have you tested this? It looks like it'll save the intltoolize/autoreconf run and thus speed up the build... Also the following: # Minimum requirement for external libgadu is now also 1.9.0-rc2. It's a good idea to bump libgadu to 1.9.0 and test with it, while setting 1.9.0-rc2 in the ebuild. # Fix CVE-2010-1624 (custom emoticon remote crash). A security bug should be filed, although I'd like to postpone stabilization until gstreamer is back. I don't have time to do this right now, so I'll reopen the bug in the hope someone catches this ;)
Also, the solution to force gst is not really a solution; there is a pidgin-2.7.0-fix-build-without-gst.patch at http://developer.pidgin.im/ticket/11850 .
Please note that with --disable-nls, at least the GTK+ frontend is not installed.
Pidgin compiles fine with USE=-gstreamer and pidgin-2.7.0-fix-build-without-gst.patch; no runtime issues noticed so far. Suggest adding this patch to the tree.
The gtk front-end is installed, but not the desktop file. Forced nls for everyone, disabling it is just dumb.
FIXED? We still don't have the gstreamer patch.
CVE-2010-1624 (custom emoticon remote crash) is fixed and I think that it could be also applied by adding a patch into the tree from this revision: http://developer.pidgin.im/viewmtn/revision/diff/884d44222e8c81ecec51c25e07d005e002a5479b/with/894460d22c434e73d60b71ec031611988e687c8b/libpurple/protocols/msn/slp.c
Forcing gstreamer upon everybody isn't that nice. I run pidgin on a server via nx and am not really looking forward to having to install, maintain, etc. all of the gstreamer libs only for pidgin.