news 28 Posted January 23, 2009 This is a multi-part message in MIME format... ------------=_1232672413-14940-7809 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:025 http://www.mandriva.com/security/ _______________________________________________________________________ Package : pidgin Date : January 22, 2009 Affected: 2008.1 _______________________________________________________________________ Problem Description: The NSS plugin in libpurple in Pidgin 2.4.1 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service. (CVE-2008-3532) Pidgin 2.4.1 allows remote attackers to cause a denial of service (crash) via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function. (CVE-2008-2955) The UPnP functionality in Pidgin 2.0.0, and possibly other versions, allows remote attackers to trigger the download of arbitrary files and cause a denial of service (memory or disk consumption) via a UDP packet that specifies an arbitrary URL. (CVE-2008-2957) The updated packages have been patched to fix these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532 _______________________________________________________________________ Updated Packages: Mandriva Linux 2008.1: 8d986cf90ce366f40da1ed22f99227e2 2008.1/i586/finch-2.4.1-2.3mdv2008.1.i586.rpm 1591abeaedbde92f9e851fc163ecbc14 2008.1/i586/libfinch0-2.4.1-2.3mdv2008.1.i586.rpm 81b2f07e1a3e82683dd761e913630ae8 2008.1/i586/libpurple0-2.4.1-2.3mdv2008.1.i586.rpm bc958e4178ea9037b2faef5e46fdc367 2008.1/i586/libpurple-devel-2.4.1-2.3mdv2008.1.i586.rpm 9ad56f8214068aa578c74de4476b6a21 2008.1/i586/pidgin-2.4.1-2.3mdv2008.1.i586.rpm 97e7beb6d69c8cd48427845537cd7092 2008.1/i586/pidgin-bonjour-2.4.1-2.3mdv2008.1.i586.rpm 4bc7839dba2efbe27fb814be39c0e2d3 2008.1/i586/pidgin-client-2.4.1-2.3mdv2008.1.i586.rpm 551a0888b40c5b234f14d9814a9249d2 2008.1/i586/pidgin-gevolution-2.4.1-2.3mdv2008.1.i586.rpm 86ccded472fa0974e1a28be7d559ff4a 2008.1/i586/pidgin-i18n-2.4.1-2.3mdv2008.1.i586.rpm 37869e45dee88264c183faf4f4ad5140 2008.1/i586/pidgin-meanwhile-2.4.1-2.3mdv2008.1.i586.rpm 0c424324da44beb62b61243106fc3599 2008.1/i586/pidgin-mono-2.4.1-2.3mdv2008.1.i586.rpm c61e9c1cd651abcc805970df7dcae18a 2008.1/i586/pidgin-perl-2.4.1-2.3mdv2008.1.i586.rpm fbc16077149cff9111bda6ada529ef5f 2008.1/i586/pidgin-silc-2.4.1-2.3mdv2008.1.i586.rpm f97215d6643336a155e298a404386d7e 2008.1/i586/pidgin-tcl-2.4.1-2.3mdv2008.1.i586.rpm a7816e51fd0c35798accad228aa67be9 2008.1/SRPMS/pidgin-2.4.1-2.3mdv2008.1.src.rpm Mandriva Linux 2008.1/X86_64: 63ba74e6aeae1f940cdd4b5d6af3128b 2008.1/x86_64/finch-2.4.1-2.3mdv2008.1.x86_64.rpm c9cbed1c7267fd449e6c26ad8454e438 2008.1/x86_64/lib64finch0-2.4.1-2.3mdv2008.1.x86_64.rpm 739eeb3e632023f89acd9e4baf826590 2008.1/x86_64/lib64purple0-2.4.1-2.3mdv2008.1.x86_64.rpm e63ce782ee2e8b9e157fa85ccd7f4511 2008.1/x86_64/lib64purple-devel-2.4.1-2.3mdv2008.1.x86_64.rpm e80d06d3e544b29f406c291a23b005b8 2008.1/x86_64/pidgin-2.4.1-2.3mdv2008.1.x86_64.rpm 5aa3f2383fd83b025efa28bf9b6d817d 2008.1/x86_64/pidgin-bonjour-2.4.1-2.3mdv2008.1.x86_64.rpm cea0458cbf8fb2e16131e33a7f1e2587 2008.1/x86_64/pidgin-client-2.4.1-2.3mdv2008.1.x86_64.rpm 54327daad8ed2658fe9c9bbe8482f388 2008.1/x86_64/pidgin-gevolution-2.4.1-2.3mdv2008.1.x86_64.rpm 08d375b245f16b41077e6e9baf82c6df 2008.1/x86_64/pidgin-i18n-2.4.1-2.3mdv2008.1.x86_64.rpm 536edfbb015f173dcc09a7c4481b20cd 2008.1/x86_64/pidgin-meanwhile-2.4.1-2.3mdv2008.1.x86_64.rpm 6747c3d56d317d3733bea26a2d18fe9a 2008.1/x86_64/pidgin-mono-2.4.1-2.3mdv2008.1.x86_64.rpm ae3767379a0ccbcc577d8521fbed8432 2008.1/x86_64/pidgin-perl-2.4.1-2.3mdv2008.1.x86_64.rpm 5e8b1bfd757e596536e0c0fa8f680aea 2008.1/x86_64/pidgin-silc-2.4.1-2.3mdv2008.1.x86_64.rpm 9b2f9b0732f14981423f57454e68b3b1 2008.1/x86_64/pidgin-tcl-2.4.1-2.3mdv2008.1.x86_64.rpm a7816e51fd0c35798accad228aa67be9 2008.1/SRPMS/pidgin-2.4.1-2.3mdv2008.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJeOvHmqjQ0CJFipgRAraEAJ98EF/sllsypuWtjUk/7wUDNstJPACg85S/ MdDiL87nCpghlEbABOrCLmk= =wRcj -----END PGP SIGNATURE----- ------------=_1232672413-14940-7809 Content-Type: text/plain; name="message-footer.txt" Content-Disposition: inline; filename="message-footer.txt" Content-Transfer-Encoding: 8bit To unsubscribe, send a email to sympa ( -at -) mandrivalinux.org with this subject : unsubscribe security-announce _______________________________________________________ Want to buy your Pack or Services from Mandriva? Go to http://www.mandrivastore.com Join the Club : http://www.mandrivaclub.com _______________________________________________________ ------------=_1232672413-14940-7809-- Share this post Link to post