Issue 1: http://marc.info/?l=bugtraq&m=121449329530282&w=4 Issues 2 and 3: http://crisp.cs.du.edu/?q=ca2007-1
err .. 2007-01 is for version 2.0.0..... 2.4.3 should be released soon according to upstream
That's correct, it has been reported for 2.0.0 -- but looking at the code in 2.4.2, the patches linked in the advisory never made it in. Was this fixed at another place?
2955 seems fixed by 2.4.3 .. 2956 and 2957 don't seem to be
Arches, please test and mark stable: =net-im/pidgin-2.4.3 Target keywords : "alpha amd64 hppa ia64 ppc sparc x86"
*** Bug 229099 has been marked as a duplicate of this bug. ***
On sparc at least, I'm not sure this installs the pidgin executable unless you have USE=gtk? Can anyone confirm? Is this intentional?
This is intentional, if you have neither the gtk nor ncurses use flags, then you only get libpurple (which is used by telepathy-haze for example).
Thanks for the information (although it seems strange. Does it warn the user in this case (USE='-ncurses gtk')? If so, I didn't see it; if not, it might be worth considering.) I am used to having USE=tk work as an alternative to USE=gtk. Sparc stable.
amd64 stable
Err.. USE=tk is completely different from USE=gtk, but I agree its probably a good idea to add a warning
actually, there is already an elog message when you do that..
x86 stable, this is good for people using ICQ, too.
net-im/pidgin-2.4.3 is already stable (x86) in portage on mirors :) Every one can update :) (I hope this will fix MSN and ICQ problems)
(In reply to comment #3) > 2955 seems fixed by 2.4.3 Did you research the code? I could find no indication in the ChangeLog.
I believe these are the two relevant commits to 2955 in 2.4.3: http://developer.pidgin.im/viewmtn/revision/diff/6eb1949a96fa80a4c744fc749c2562abc4cc9ed6/with/709ec9c29e9d76eebbded25061107ef0a2a2b148 http://developer.pidgin.im/viewmtn/revision/diff/e09d33c61a6e5a59bfc3a52a4370aadf0a90f254/with/c3831c9181f4f61b747321240086ee79e4a08fd8 But I see nothign in their tree about the two other CVEs... Did I mentin that viewmtn sucks balls?
I just emerged 2.4.3 ... I dont know if it fixes the mentioned security issue, but MSN now works again. I mean: this new version is now compatible with the update of most servers.
Stable for HPPA.
alpha/ia64 stable
ppc stable
glsa request filed.
As pointed out in [1], the update fixes another issue, CVE-2008-2927 -- and not the MSN filename. So back to [ebuild]. [1] http://article.gmane.org/gmane.comp.security.oss.general/618
upstream bug for CVE-2008-2955 http://developer.pidgin.im/ticket/6246
(In reply to comment #22) > upstream bug for CVE-2008-2955 > http://developer.pidgin.im/ticket/6246 > It's fixed upstream... so where are we now? Is this fix included in 2.5.1?
http://www.pidgin.im/news/security/ states: CVE-2008-2957 was fixed in 2.5.0 CVE-2008-2955 was fixed in 2.4.3 CVE-2008-2927 was fixed in 2.4.3 It seems upstream does not consider CVE-2008-2956 an issue, as they have no bug report or similar. Since this would only lead to a client-side DoS, we might want to ignore it as well.
GLSA 200901-13, sorry for the delay.
