-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2859-1 security@debian.org http://www.debian.org/security/ Moritz Muehlenhoff February 10, 2014 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : pidgin Vulnerability : several CVE ID : CVE-2013-6477 CVE-2013-6478 CVE-2013-6479 CVE-2013-6481 CVE-2013-6482 CVE-2013-6483 CVE-2013-6484 CVE-2013-6485 CVE-2013-6487 CVE-2013-6489 CVE-2013-6490 CVE-2014-0020 Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client: CVE-2013-6477 Jaime Breva Ribes discovered that a remote XMPP user can trigger a crash by sending a message with a timestamp in the distant future. CVE-2013-6478 Pidgin could be crashed through overly wide tooltip windows. CVE-2013-6479 Jacob Appelbaum discovered that a malicious server or a "man in the middle" could send a malformed HTTP header resulting in denial of service. CVE-2013-6481 Daniel Atallah discovered that Pidgin could be crashed through malformed Yahoo! P2P messages. CVE-2013-6482 Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed MSN messages. CVE-2013-6483 Fabian Yamaguchi and Christian Wressnegger discovered that Pidgin could be crashed through malformed XMPP messages. CVE-2013-6484 It was discovered that incorrect error handling when reading the response from a STUN server could result in a crash. CVE-2013-6485 Matt Jones discovered a buffer overflow in the parsing of malformed HTTP responses. CVE-2013-6487 Yves Younan and Ryan Pentney discovered a buffer overflow when parsing Gadu-Gadu messages. CVE-2013-6489 Yves Younan and Pawel Janic discovered an integer overflow when parsing MXit emoticons. CVE-2013-6490 Yves Younan discovered a buffer overflow when parsing SIMPLE headers. CVE-2014-0020 Daniel Atallah discovered that Pidgin could be crashed via malformed IRC arguments. For the oldstable distribution (squeeze), no direct backport is provided. A fixed packages will be provided through backports.debian.org shortly For the stable distribution (wheezy), these problems have been fixed in version 2.10.9-1~deb7u1. For the unstable distribution (sid), these problems have been fixed in version 2.10.9-1. We recommend that you upgrade your pidgin packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlL5DAsACgkQXm3vHE4uylpHBACgi35NdKeWengFu5JzJ4NKkj0T w2MAni+6nXq2FQYjbUm+0k1QW5OrgtU+ =wmw4 -----END PGP SIGNATURE-----