-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2011.0321
               Multiple vulnerabilities corrected in pidgin
                               22 March 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          pidgin
Publisher:        Mandriva
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Denial of Service        -- Remote/Unauthenticated
                  Access Confidential Data -- Existing Account      
Resolution:       Patch/Upgrade
CVE Names:        CVE-2011-1091  

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Mandriva. It is recommended that administrators
         running pidgin check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2011:050
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : pidgin
 Date    : March 21, 2011
 Affected: 2009.0, 2010.0, 2010.1, Enterprise Server 5.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been identified and fixed in pidgin:
 
 It was discovered that libpurple versions prior to 2.7.10 do not
 properly clear certain data structures used in libpurple/cipher.c
 prior to freeing. An attacker could potentially extract partial
 information from memory regions freed by libpurple.
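 The failure mode described above, as an added illustration that is not
 libpurple's code: a hypothetical cipher context holding a key is released
 either as-is (the flawed pattern) or after being wiped through a volatile
 pointer so the compiler cannot drop the stores as dead writes (the fixed
 pattern). The context comes from a small static pool rather than the real
 heap so that "freed" memory can be inspected without undefined behaviour;
 the structure layout and the key bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cipher context; not libpurple's real structure (assumption). */
typedef struct {
    uint8_t key[32];
    uint8_t iv[16];
    uint8_t pending[64];   /* buffered plaintext awaiting a full block */
    size_t  pending_len;
} toy_cipher_ctx;

/* Tiny fixed-size pool standing in for malloc()/free(), so the example can
 * legally inspect "freed" memory (reading real freed heap memory is undefined
 * behaviour). Like free(), pool_release() leaves the bytes untouched. */
#define POOL_SLOTS 4
static toy_cipher_ctx pool[POOL_SLOTS];
static int pool_used[POOL_SLOTS];

static toy_cipher_ctx *pool_alloc(void)
{
    for (int i = 0; i < POOL_SLOTS; i++)
        if (!pool_used[i]) { pool_used[i] = 1; return &pool[i]; }
    return NULL;
}

static void pool_release(toy_cipher_ctx *ctx) { pool_used[ctx - pool] = 0; }

/* Zero memory through a volatile pointer: these stores cannot be discarded
 * as dead writes the way a plain memset() right before free() can be. */
static void secure_zero(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Flawed pattern: the chunk returns to the allocator still holding the key. */
static void ctx_free_leaky(toy_cipher_ctx *ctx) { pool_release(ctx); }

/* Fixed pattern: wipe every field, then release. */
static void ctx_free_secure(toy_cipher_ctx *ctx)
{
    if (ctx == NULL)
        return;
    secure_zero(ctx, sizeof *ctx);
    pool_release(ctx);
}

/* Scan everything the allocator owns, released slots included, for a byte
 * string: what a later user of the chunk could do. Returns 1 if found. */
static int pool_contains(const uint8_t *needle, size_t n)
{
    const uint8_t *base = (const uint8_t *)pool;
    for (size_t i = 0; i + n <= sizeof pool; i++)
        if (memcmp(base + i, needle, n) == 0)
            return 1;
    return 0;
}

/* Run one session with the given key, release the context the chosen way,
 * and report whether the key is still recoverable from the allocator. */
static int key_survives_free(const uint8_t key[32], int secure)
{
    toy_cipher_ctx *ctx = pool_alloc();
    if (ctx == NULL)
        return -1;
    memcpy(ctx->key, key, 32);
    memset(ctx->iv, 0xA5, sizeof ctx->iv);
    ctx->pending_len = 0;
    if (secure)
        ctx_free_secure(ctx);
    else
        ctx_free_leaky(ctx);
    return pool_contains(key, 32);
}

/* Constructed demo key (not a real secret). */
static const uint8_t DEMO_KEY[32] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c,
    0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
    0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20 };

int demo_leaky(void)  { return key_survives_free(DEMO_KEY, 0); }  /* 1: recoverable */
int demo_secure(void) { return key_survives_free(DEMO_KEY, 1); }  /* 0: wiped */

int main(void)
{
    printf("leaky release: key recoverable=%d\n", demo_leaky());
    printf("secure release: key recoverable=%d\n", demo_secure());
    return 0;
}
```

 Where the platform provides them, explicit_bzero() or C11's memset_s() do
 what secure_zero() does here; a plain memset() immediately before free()
 is a dead store the optimizer is entitled to remove, which is why the fix
 has to be an explicit wipe rather than a memset() added out of habit.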
 
 The Yahoo protocol plugin in libpurple versions 2.6.0 through 2.7.10
 does not properly handle malformed YMSG packets, leading to NULL pointer
 dereferences and an application crash (CVE-2011-1091).
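 An added example, not the Yahoo plugin's own code, of the parsing discipline
 that avoids the NULL dereference described above. It assumes a simplified
 YMSG body: key and value strings in alternation, each terminated by the
 two-byte sequence 0xC0 0x80, with the binary packet header omitted, and it
 assumes field 4 carries the sender and field 14 the message text. The three
 packets at the end are constructed, not captured traffic. A handler that
 uses a field lookup without checking for absence is the flaw class; here a
 missing or truncated field is reported as an error instead of being
 dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified YMSG body (assumption): key and value strings in alternation,
 * each terminated by the two bytes 0xC0 0x80. The binary packet header that
 * precedes the body on the wire is omitted. */
#define MAX_PAIRS 16
typedef struct { const char *key; size_t key_len; const char *val; size_t val_len; } ymsg_pair;
typedef struct { ymsg_pair pairs[MAX_PAIRS]; size_t count; } ymsg_body;

/* Index of the next 0xC0 0x80 separator at or after pos, or -1 if none;
 * the bound i + 1 < len keeps the two-byte read inside the buffer. */
static long find_sep(const uint8_t *buf, size_t len, size_t pos)
{
    for (size_t i = pos; i + 1 < len; i++)
        if (buf[i] == 0xC0 && buf[i + 1] == 0x80)
            return (long)i;
    return -1;
}

/* Parse a body into pairs. Returns the pair count, or -1 when the data is
 * truncated or a key has no value: malformed input is rejected outright. */
static int ymsg_parse(const uint8_t *buf, size_t len, ymsg_body *out)
{
    size_t pos = 0;
    out->count = 0;
    while (pos < len) {
        long k_end = find_sep(buf, len, pos);
        if (k_end < 0)
            return -1;                      /* key never terminated */
        size_t v_start = (size_t)k_end + 2;
        long v_end = find_sep(buf, len, v_start);
        if (v_end < 0)
            return -1;                      /* value never terminated */
        if (out->count == MAX_PAIRS)
            return -1;
        ymsg_pair *p = &out->pairs[out->count++];
        p->key = (const char *)buf + pos;
        p->key_len = (size_t)k_end - pos;
        p->val = (const char *)buf + v_start;
        p->val_len = (size_t)v_end - v_start;
        pos = (size_t)v_end + 2;
    }
    return (int)out->count;
}

/* Field lookup; NULL when the key is absent, so every caller must check. */
static const ymsg_pair *ymsg_get(const ymsg_body *b, const char *key)
{
    size_t kl = strlen(key);
    for (size_t i = 0; i < b->count; i++)
        if (b->pairs[i].key_len == kl && memcmp(b->pairs[i].key, key, kl) == 0)
            return &b->pairs[i];
    return NULL;
}

/* Hypothetical message handler; assumes field 4 is the sender and field 14
 * the text. Returns the copied text length, or -1 if the packet is malformed
 * or a required field is absent. Skipping the NULL check is the flaw class. */
static int handle_message(const uint8_t *pkt, size_t len, char *out, size_t cap)
{
    ymsg_body body;
    if (ymsg_parse(pkt, len, &body) < 0)
        return -1;
    const ymsg_pair *from = ymsg_get(&body, "4");
    const ymsg_pair *text = ymsg_get(&body, "14");
    if (from == NULL || text == NULL)
        return -1;                          /* missing field: reject, never deref */
    if (text->val_len >= cap)
        return -1;
    memcpy(out, text->val, text->val_len);
    out[text->val_len] = '\0';
    return (int)text->val_len;
}

/* Constructed sample bodies (not captured traffic). */
static const uint8_t GOOD_PKT[] = {
    '4', 0xC0, 0x80, 'a', 'l', 'i', 'c', 'e', 0xC0, 0x80,
    '1', '4', 0xC0, 0x80, 'h', 'e', 'l', 'l', 'o', 0xC0, 0x80 };
static const uint8_t MISSING_TEXT_PKT[] = {    /* field 14 absent */
    '4', 0xC0, 0x80, 'a', 'l', 'i', 'c', 'e', 0xC0, 0x80 };
static const uint8_t TRUNCATED_PKT[] = {       /* cut inside a separator */
    '4', 0xC0, 0x80, 'a', 'l', 'i', 'c', 'e', 0xC0 };

static int run(const uint8_t *pkt, size_t len) { char buf[64]; return handle_message(pkt, len, buf, sizeof buf); }

int demo_good(void)      { return run(GOOD_PKT, sizeof GOOD_PKT); }                 /* 5 */
int demo_missing(void)   { return run(MISSING_TEXT_PKT, sizeof MISSING_TEXT_PKT); } /* -1 */
int demo_truncated(void) { return run(TRUNCATED_PKT, sizeof TRUNCATED_PKT); }       /* -1 */

int main(void)
{
    printf("good=%d missing=%d truncated=%d\n", demo_good(), demo_missing(), demo_truncated());
    return 0;
}
```

 The two checks that matter are that the separator scan is bounded by the
 packet length, so a packet cut off mid-separator cannot drive a read past
 the buffer, and that a lookup of a field the peer simply did not send yields
 an error return rather than a pointer the handler then dereferences.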
 
 Packages for 2009.0 are provided as of the Extended Maintenance
 Program. Please visit this link to learn more:
 http://store.mandriva.com/product_info.php?cPath=149&products_id=490
 
 This update provides pidgin 2.7.11, which is not vulnerable to
 these issues.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1091
 http://pidgin.im/news/security/
 http://www.pidgin.im/news/security/?id=50
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2009.0:
 02272c0ea45399b7de8c5ad91769ccaf  2009.0/i586/finch-2.7.11-0.2mdv2009.0.i586.rpm
 a56eb1e6da24916ddfd63c1538aaf0bc  2009.0/i586/libfinch0-2.7.11-0.2mdv2009.0.i586.rpm
 b4ea5510c4d97b27067f24d9c96e1212  2009.0/i586/libpurple0-2.7.11-0.2mdv2009.0.i586.rpm
 f77ab49a70a4f5db1b24cfa795ee5eb9  2009.0/i586/libpurple-devel-2.7.11-0.2mdv2009.0.i586.rpm
 f0b2306c0998d4b09a983e663c786193  2009.0/i586/pidgin-2.7.11-0.2mdv2009.0.i586.rpm
 f2789d7667315b04d15db7e3b5197158  2009.0/i586/pidgin-bonjour-2.7.11-0.2mdv2009.0.i586.rpm
 12930ae763926350b49c6b34c83193d2  2009.0/i586/pidgin-client-2.7.11-0.2mdv2009.0.i586.rpm
 13626e83a07a7b9326c9ce4e4e815a38  2009.0/i586/pidgin-gevolution-2.7.11-0.2mdv2009.0.i586.rpm
 4b6aa19ce16ef38993f8a9e31d516841  2009.0/i586/pidgin-i18n-2.7.11-0.2mdv2009.0.i586.rpm
 c6cbde47277d8b8e0bb41ee287498def  2009.0/i586/pidgin-meanwhile-2.7.11-0.2mdv2009.0.i586.rpm
 55de9d811460b4425ec33ee5cb5e9ada  2009.0/i586/pidgin-perl-2.7.11-0.2mdv2009.0.i586.rpm
 85d7cfca3d002b0e104ebe63c7707e86  2009.0/i586/pidgin-plugins-2.7.11-0.2mdv2009.0.i586.rpm
 46523f4fc58ee90f81d114ceac2c3194  2009.0/i586/pidgin-silc-2.7.11-0.2mdv2009.0.i586.rpm
 13434680dc34880f9cacbb8433c6068d  2009.0/i586/pidgin-tcl-2.7.11-0.2mdv2009.0.i586.rpm 
 482d48fd33b0456e45fdc967065b034f  2009.0/SRPMS/pidgin-2.7.11-0.2mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 5526e0654879e71c6067cf50d4eccff2  2009.0/x86_64/finch-2.7.11-0.2mdv2009.0.x86_64.rpm
 305546197e6a9f2d183726ebc7f5f03c  2009.0/x86_64/lib64finch0-2.7.11-0.2mdv2009.0.x86_64.rpm
 4026ea992e4e581621e9385dd33fec66  2009.0/x86_64/lib64purple0-2.7.11-0.2mdv2009.0.x86_64.rpm
 d30572d27b4dadb1078bf5481840c0db  2009.0/x86_64/lib64purple-devel-2.7.11-0.2mdv2009.0.x86_64.rpm
 e010842b726c6678f9e80511deb82f56  2009.0/x86_64/pidgin-2.7.11-0.2mdv2009.0.x86_64.rpm
 730ca0d8a3a8c88a128628237c29ce98  2009.0/x86_64/pidgin-bonjour-2.7.11-0.2mdv2009.0.x86_64.rpm
 91419b735a9179fa1e375a4b423ddbd9  2009.0/x86_64/pidgin-client-2.7.11-0.2mdv2009.0.x86_64.rpm
 15ffd7a64f98234b8630385195a8d8ca  2009.0/x86_64/pidgin-gevolution-2.7.11-0.2mdv2009.0.x86_64.rpm
 918fddb097cc3eb188de6d7f03c860c8  2009.0/x86_64/pidgin-i18n-2.7.11-0.2mdv2009.0.x86_64.rpm
 014c5daf75ca00977a2fd579cf39cda5  2009.0/x86_64/pidgin-meanwhile-2.7.11-0.2mdv2009.0.x86_64.rpm
 cd78ed435f6776883b519b74201c29b5  2009.0/x86_64/pidgin-perl-2.7.11-0.2mdv2009.0.x86_64.rpm
 b8fd7f1371113f9cef6c9baeaf239279  2009.0/x86_64/pidgin-plugins-2.7.11-0.2mdv2009.0.x86_64.rpm
 5502d8887ec65246ee16ba9bf2bdd859  2009.0/x86_64/pidgin-silc-2.7.11-0.2mdv2009.0.x86_64.rpm
 a043ab0eaba8238e93975ace64445553  2009.0/x86_64/pidgin-tcl-2.7.11-0.2mdv2009.0.x86_64.rpm 
 482d48fd33b0456e45fdc967065b034f  2009.0/SRPMS/pidgin-2.7.11-0.2mdv2009.0.src.rpm

 Mandriva Linux 2010.0:
 cd089b274f9f2c508ea71a9860a7e81e  2010.0/i586/finch-2.7.11-0.2mdv2010.0.i586.rpm
 92bdd3dd221dff87594c9ddea7ccae2a  2010.0/i586/libfinch0-2.7.11-0.2mdv2010.0.i586.rpm
 7ec9bea4f87d573c7ac621b0d1bb9a7c  2010.0/i586/libpurple0-2.7.11-0.2mdv2010.0.i586.rpm
 068ec31247de3cc5efd609bde8288f45  2010.0/i586/libpurple-devel-2.7.11-0.2mdv2010.0.i586.rpm
 e3f6770ecbeeb66a3a5b6c5d09246e97  2010.0/i586/pidgin-2.7.11-0.2mdv2010.0.i586.rpm
 0f3ddb35b183e5a0949658e2a9d878a8  2010.0/i586/pidgin-bonjour-2.7.11-0.2mdv2010.0.i586.rpm
 91366f3dacb3a561827fb92f30818bcf  2010.0/i586/pidgin-client-2.7.11-0.2mdv2010.0.i586.rpm
 aff60bb8589a47af9461eb9e4fe535ac  2010.0/i586/pidgin-i18n-2.7.11-0.2mdv2010.0.i586.rpm
 e5af4a521b468eb817810c64db1f9dbf  2010.0/i586/pidgin-meanwhile-2.7.11-0.2mdv2010.0.i586.rpm
 34b76b56c4d152b539b0192adaf23455  2010.0/i586/pidgin-perl-2.7.11-0.2mdv2010.0.i586.rpm
 30969dc21c07afee4c5f739910c7a364  2010.0/i586/pidgin-plugins-2.7.11-0.2mdv2010.0.i586.rpm
 82a223a52e764f710303493250497bd2  2010.0/i586/pidgin-silc-2.7.11-0.2mdv2010.0.i586.rpm
 1cba7023d19e7a2f60ee0da45d0a25d2  2010.0/i586/pidgin-tcl-2.7.11-0.2mdv2010.0.i586.rpm 
 b6824de47afccf4609f12e5c965fc1fa  2010.0/SRPMS/pidgin-2.7.11-0.2mdv2010.0.src.rpm

 Mandriva Linux 2010.0/X86_64:
 7e15a3c3a6dde1b54ac450115107f28b  2010.0/x86_64/finch-2.7.11-0.2mdv2010.0.x86_64.rpm
 a4b3c4e56428541207a12d081221670a  2010.0/x86_64/lib64finch0-2.7.11-0.2mdv2010.0.x86_64.rpm
 bd22a826db8b32f6bfb6f4b8eb1d4344  2010.0/x86_64/lib64purple0-2.7.11-0.2mdv2010.0.x86_64.rpm
 deb65f4089d881b15d9dd52c9e63f051  2010.0/x86_64/lib64purple-devel-2.7.11-0.2mdv2010.0.x86_64.rpm
 beed87ce786c88aebf8f7d42b46510bc  2010.0/x86_64/pidgin-2.7.11-0.2mdv2010.0.x86_64.rpm
 fc7e641651b961bc1a0556fedc6ce0d7  2010.0/x86_64/pidgin-bonjour-2.7.11-0.2mdv2010.0.x86_64.rpm
 0abe6b7652766dc424c0af5cd512228c  2010.0/x86_64/pidgin-client-2.7.11-0.2mdv2010.0.x86_64.rpm
 3c02e69fcc4dde4e519f445453b561d3  2010.0/x86_64/pidgin-i18n-2.7.11-0.2mdv2010.0.x86_64.rpm
 bce8a3dd6ee27ca6473645b099f9c937  2010.0/x86_64/pidgin-meanwhile-2.7.11-0.2mdv2010.0.x86_64.rpm
 853565b529225e2134fc577867076934  2010.0/x86_64/pidgin-perl-2.7.11-0.2mdv2010.0.x86_64.rpm
 3c43bb7945fd920fbb598656945e61c6  2010.0/x86_64/pidgin-plugins-2.7.11-0.2mdv2010.0.x86_64.rpm
 2490e01d78f54daa02bfad01a73c62b7  2010.0/x86_64/pidgin-silc-2.7.11-0.2mdv2010.0.x86_64.rpm
 9f7b53d3e7bb3f763dcafd7ea5bc6a33  2010.0/x86_64/pidgin-tcl-2.7.11-0.2mdv2010.0.x86_64.rpm 
 b6824de47afccf4609f12e5c965fc1fa  2010.0/SRPMS/pidgin-2.7.11-0.2mdv2010.0.src.rpm

 Mandriva Linux 2010.1:
 026808d321db13dd3959c09c0870291d  2010.1/i586/finch-2.7.11-0.2mdv2010.2.i586.rpm
 6795337877c16953af8778ea7409cc02  2010.1/i586/libfinch0-2.7.11-0.2mdv2010.2.i586.rpm
 acaf6ea2525b497c01c3ab0dd8d676f7  2010.1/i586/libpurple0-2.7.11-0.2mdv2010.2.i586.rpm
 6a6ab92f284d8e94f9e6cfb0f7e75ce8  2010.1/i586/libpurple-devel-2.7.11-0.2mdv2010.2.i586.rpm
 6dbc69766a51468948eb0a0de3ca0c65  2010.1/i586/pidgin-2.7.11-0.2mdv2010.2.i586.rpm
 1845aed0441b7e537c49bfee5a811ee7  2010.1/i586/pidgin-bonjour-2.7.11-0.2mdv2010.2.i586.rpm
 ac8a5dad1500407a72184a430529c40f  2010.1/i586/pidgin-client-2.7.11-0.2mdv2010.2.i586.rpm
 3de3eb03e4a03b32a52a0224704721a1  2010.1/i586/pidgin-i18n-2.7.11-0.2mdv2010.2.i586.rpm
 ea2f55af7216565c6fc1e5361db0ce69  2010.1/i586/pidgin-meanwhile-2.7.11-0.2mdv2010.2.i586.rpm
 f416adfcef2ecf72317176c63e6ef5e3  2010.1/i586/pidgin-perl-2.7.11-0.2mdv2010.2.i586.rpm
 f1d484f54c41419aedca7f9b1a436a2e  2010.1/i586/pidgin-plugins-2.7.11-0.2mdv2010.2.i586.rpm
 d28959266d5b38c90d63077f02ed1298  2010.1/i586/pidgin-silc-2.7.11-0.2mdv2010.2.i586.rpm
 2e9b442b87c031ab8155a8df52f9793c  2010.1/i586/pidgin-tcl-2.7.11-0.2mdv2010.2.i586.rpm 
 930ca1a55c447105e1288c6a45f53161  2010.1/SRPMS/pidgin-2.7.11-0.2mdv2010.2.src.rpm

 Mandriva Linux 2010.1/X86_64:
 a75bf57617d370a7c9c9ad36ca71db39  2010.1/x86_64/finch-2.7.11-0.2mdv2010.2.x86_64.rpm
 09df970f28dc2d3d5674750c1f9836d6  2010.1/x86_64/lib64finch0-2.7.11-0.2mdv2010.2.x86_64.rpm
 96cbaaa67c894d9812cdbac93472c103  2010.1/x86_64/lib64purple0-2.7.11-0.2mdv2010.2.x86_64.rpm
 2fe0b3e647fdffb778e404f26cfb6489  2010.1/x86_64/lib64purple-devel-2.7.11-0.2mdv2010.2.x86_64.rpm
 0e662738d89dd37b8b1ef1e757e5e618  2010.1/x86_64/pidgin-2.7.11-0.2mdv2010.2.x86_64.rpm
 87677f66c63f6a6bdb1f861dc4a344ed  2010.1/x86_64/pidgin-bonjour-2.7.11-0.2mdv2010.2.x86_64.rpm
 073fab54248329d6bf32384a66dd45a6  2010.1/x86_64/pidgin-client-2.7.11-0.2mdv2010.2.x86_64.rpm
 ba6f0cd87136a0bbb28bea0e042fbdc0  2010.1/x86_64/pidgin-i18n-2.7.11-0.2mdv2010.2.x86_64.rpm
 3631bd926ab388282cc26f1aa84558c3  2010.1/x86_64/pidgin-meanwhile-2.7.11-0.2mdv2010.2.x86_64.rpm
 f8a431960b83b9d850d95d33782d9a0e  2010.1/x86_64/pidgin-perl-2.7.11-0.2mdv2010.2.x86_64.rpm
 2cb185bfa3d598610c157e3b9b27ad75  2010.1/x86_64/pidgin-plugins-2.7.11-0.2mdv2010.2.x86_64.rpm
 ec043019418e5f9baf3280195259aeb5  2010.1/x86_64/pidgin-silc-2.7.11-0.2mdv2010.2.x86_64.rpm
 bb8c246dccb0edf2915e3ec752af1cc4  2010.1/x86_64/pidgin-tcl-2.7.11-0.2mdv2010.2.x86_64.rpm 
 930ca1a55c447105e1288c6a45f53161  2010.1/SRPMS/pidgin-2.7.11-0.2mdv2010.2.src.rpm

 Mandriva Enterprise Server 5:
 1e3ad1b92aaf9b058a8e42fc7e3f318c  mes5/i586/finch-2.7.11-0.2mdvmes5.2.i586.rpm
 7ba1e7c867fe14f93f75da870148b0cd  mes5/i586/libfinch0-2.7.11-0.2mdvmes5.2.i586.rpm
 61371efd06e2578fec9735767a3c535b  mes5/i586/libpurple0-2.7.11-0.2mdvmes5.2.i586.rpm
 cbd6e53d3bef5c96ac19f255ddd34539  mes5/i586/libpurple-devel-2.7.11-0.2mdvmes5.2.i586.rpm
 4c48c636da767806d036de1d50670cee  mes5/i586/pidgin-2.7.11-0.2mdvmes5.2.i586.rpm
 5da5bfa0f6ac6f57ec7e8b4760800ca9  mes5/i586/pidgin-bonjour-2.7.11-0.2mdvmes5.2.i586.rpm
 77ac8a8a4515c9856b22e822b59936d0  mes5/i586/pidgin-client-2.7.11-0.2mdvmes5.2.i586.rpm
 71b95113f643294a45a4915250c7f3dc  mes5/i586/pidgin-gevolution-2.7.11-0.2mdvmes5.2.i586.rpm
 5b4d95d26d978a07b21478500cf1d843  mes5/i586/pidgin-i18n-2.7.11-0.2mdvmes5.2.i586.rpm
 aa03169b88348e19b3392e9ac1db9321  mes5/i586/pidgin-meanwhile-2.7.11-0.2mdvmes5.2.i586.rpm
 60aa33eda063d596568dc1285ed02ffa  mes5/i586/pidgin-perl-2.7.11-0.2mdvmes5.2.i586.rpm
 99d79def857a8540f20c5b9d3f9af4f3  mes5/i586/pidgin-plugins-2.7.11-0.2mdvmes5.2.i586.rpm
 ecd19053f387e7d2c9c311bba1ce0345  mes5/i586/pidgin-silc-2.7.11-0.2mdvmes5.2.i586.rpm
 e46a2af4b4b483422b1444a400c4326f  mes5/i586/pidgin-tcl-2.7.11-0.2mdvmes5.2.i586.rpm 
 519a5739ec90348e9c0c913db00a1bda  mes5/SRPMS/pidgin-2.7.11-0.2mdvmes5.2.src.rpm

 Mandriva Enterprise Server 5/X86_64:
 efad2e14e43adaf9a603476cd0cb96c7  mes5/x86_64/finch-2.7.11-0.2mdvmes5.2.x86_64.rpm
 9ecf9785b1cf3559c9e4eb574d741e1a  mes5/x86_64/lib64finch0-2.7.11-0.2mdvmes5.2.x86_64.rpm
 c7b753e051fcab5f10f326b6258fa5cb  mes5/x86_64/lib64purple0-2.7.11-0.2mdvmes5.2.x86_64.rpm
 f8f1f05027272163e7bf89a9bbf6c729  mes5/x86_64/lib64purple-devel-2.7.11-0.2mdvmes5.2.x86_64.rpm
 047b794605866b547b73c0c39a1a1cdc  mes5/x86_64/pidgin-2.7.11-0.2mdvmes5.2.x86_64.rpm
 02c72f23542a310c733e3d34055e77d5  mes5/x86_64/pidgin-bonjour-2.7.11-0.2mdvmes5.2.x86_64.rpm
 edf63c606244670e52c5c411d0e05079  mes5/x86_64/pidgin-client-2.7.11-0.2mdvmes5.2.x86_64.rpm
 9c24cd7e741f360acd336dafa211c48a  mes5/x86_64/pidgin-gevolution-2.7.11-0.2mdvmes5.2.x86_64.rpm
 353e1b7c0bd2e0e3ce828886260d8059  mes5/x86_64/pidgin-i18n-2.7.11-0.2mdvmes5.2.x86_64.rpm
 885bba4bcf04a03b350d24f2e24d03cc  mes5/x86_64/pidgin-meanwhile-2.7.11-0.2mdvmes5.2.x86_64.rpm
 8c5c057d080404a6f44d8e5b0bada975  mes5/x86_64/pidgin-perl-2.7.11-0.2mdvmes5.2.x86_64.rpm
 da1430c5131cf10fca52ce5c810b1da4  mes5/x86_64/pidgin-plugins-2.7.11-0.2mdvmes5.2.x86_64.rpm
 176c13d9a1d4556cf507fbdc8cb2e9bc  mes5/x86_64/pidgin-silc-2.7.11-0.2mdvmes5.2.x86_64.rpm
 a2d085db784fe652c82a07bf3fa2408b  mes5/x86_64/pidgin-tcl-2.7.11-0.2mdvmes5.2.x86_64.rpm 
 519a5739ec90348e9c0c913db00a1bda  mes5/SRPMS/pidgin-2.7.11-0.2mdvmes5.2.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFNhyAhmqjQ0CJFipgRAm2MAKDTsiKn05AyvmkhUMuBytCviBXGXACdGCPR
Y2w+ZPLVesVZe5ZLOxPekm0=
=aJu8
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967

iD8DBQFNiCMP/iFOrG6YcBERAs3iAKDSNCnh0RnJwr/QKLkIefXHdP1Z6gCglfRS
zNgF3d2pyZIVjQlIDD3lI/M=
=tiL1
-----END PGP SIGNATURE-----