Summary: | <net-im/pidgin-2.5.9-r1: Information disclosure during XMPP session (CVE-2009-3026) | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tobias Heinlein (RETIRED) <keytoaster>
Component: | Vulnerabilities | Assignee: | Gentoo Security <security>
Status: | RESOLVED FIXED | |
Severity: | minor | CC: | net-im, volkmar
Priority: | High | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
URL: | http://secunia.com/advisories/36384/ | |
Whiteboard: | B4 [glsa] | |
Package list: | | Runtime testing required: | ---
Description
Tobias Heinlein (RETIRED)
2009-08-31 12:37:48 UTC
More information at http://developer.pidgin.im/ticket/8131

net-im, can we stabilize 2.6.1 or do you want to backport the patch to 2.5.9? Just for the record: =2.6.0 is affected by another vulnerability listed at $URL.

I think we should wait for 2.6.1, it adds new deps that are not keyworded on all architectures yet. And has lots of new features, especially video calling. So I added net-im/pidgin-2.5.9-r1 with the backported fix.

Thanks for the fast response. Arches, please test and mark stable: =net-im/pidgin-2.5.9-r1
Target keywords : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"

x86 stable

CVE-2009-3026 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3026): protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.

Stable for HPPA.

alpha/ia64/sparc stable

amd64 stable

ppc64 done

ppc stable. That was the last arch so this bug is ready to be fixed by security team. Btw, STABLEREQ isn't in KEYWORDS so this bug wasn't in my list. Let me know if it's not mandatory for security bugs so I can update my bug list.

Thanks!
Ready to vote, I vote NO.

Thanks for pointing out the missing STABLEREQ, the Gentoo Linux Vulnerability Treatment Policy (http://www.gentoo.org/security/en/vulnerability-policy.xml) says: "once an ebuild is committed, evaluate what keywords are needed for the fix ebuild and get arch-specific teams to test and mark the ebuild stable on their architectures (arch-teams should be cc'd on the bug, as well as releng during release preparation) and set status whiteboard to stable"

It's not mentioned, but I think it is desirable to add it. Maybe the GLVTP should be updated?

(In reply to comment #12)
> Thanks!
> Ready to vote, I vote NO.

No further votes necessary, the issue is already drafted. Needless to say, I vote YES.

> Thanks for pointing out the missing STABLEREQ, the Gentoo Linux Vulnerability
> Treatment Policy (http://www.gentoo.org/security/en/vulnerability-policy.xml)
> says: [...]
>
> It's not mentioned, but I think it is desirable to add it. Maybe the GLVTP
> should be updated?

I just put this in the coordinator guide as I think it rather belongs there.

GLSA 200910-02, thanks everyone.
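As an added illustration of the bug class the CVE text in this thread describes (this is not libpurple's code; the step names and the sample feature payloads are constructed for the example), the vulnerable decision shape is shown beside the check that closes it:

```c
/* Added illustration of the CVE-2009-3026 bug class; NOT libpurple's code.
 * It models the client's decision once the server's <stream:features>
 * arrive. A pre-RFC 3920 "legacy" server sends no features element at
 * all, modelled here as features == NULL. */
#include <stdbool.h>
#include <string.h>

enum next_step {
    STEP_STARTTLS,     /* negotiate TLS before authenticating */
    STEP_AUTH,         /* SASL auth on the current (maybe plaintext) stream */
    STEP_LEGACY_AUTH,  /* jabber:iq:auth fallback for old servers */
    STEP_ABORT         /* refuse: "require TLS/SSL" set but no TLS possible */
};

/* True if the server advertised STARTTLS in its stream features. */
static bool advertises_starttls(const char *features)
{
    return features != NULL &&
           strstr(features, "urn:ietf:params:xml:ns:xmpp-tls") != NULL;
}

/* Vulnerable shape: the preference is only consulted on the modern path,
 * so a legacy server (no features) silently gets unencrypted auth. */
enum next_step choose_step_vulnerable(bool require_tls, bool tls_up, const char *features)
{
    if (tls_up)                        return STEP_AUTH;
    if (features == NULL)              return STEP_LEGACY_AUTH; /* never checked */
    if (advertises_starttls(features)) return STEP_STARTTLS;
    return require_tls ? STEP_ABORT : STEP_AUTH;
}

/* Hardened shape: the preference is enforced before ANY unencrypted
 * authentication path, legacy or not. */
enum next_step choose_step_fixed(bool require_tls, bool tls_up, const char *features)
{
    if (tls_up)                        return STEP_AUTH;
    if (advertises_starttls(features)) return STEP_STARTTLS;
    if (require_tls)                   return STEP_ABORT;
    return features == NULL ? STEP_LEGACY_AUTH : STEP_AUTH;
}

/* Constructed sample feature payloads, not captured traffic. */
static const char MODERN_FEATURES[] =
    "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/></stream:features>";
static const char NO_TLS_FEATURES[] =
    "<stream:features><mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'/>"
    "</stream:features>";
```

With "require TLS/SSL" set and a legacy server, the vulnerable shape proceeds to plaintext legacy auth while the fixed shape aborts; a detection-minded reader can watch for exactly that plaintext jabber:iq:auth exchange from a client configured to require TLS.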