===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1874
        Moderate: pidgin security, bug fix, and enhancement update
                               2 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           pidgin
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Denial of Service              -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-2640 CVE-2014-3698 CVE-2014-3696 CVE-2014-3695
                   CVE-2014-3694
Reference:         ESB-2017.0626
                   ESB-2014.1940

Original Bulletin:
   https://access.redhat.com/errata/RHSA-2017:1854

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: pidgin security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:1854-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:1854
Issue date:        2017-08-01
CVE Names:         CVE-2014-3694 CVE-2014-3695 CVE-2014-3696 CVE-2014-3698
                   CVE-2017-2640
=====================================================================

1. Summary:

An update for pidgin is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - x86_64

3. Description:

Pidgin is an instant messaging program which can log in to multiple accounts
on multiple instant messaging networks simultaneously.

The following packages have been upgraded to a later upstream version:
pidgin (2.10.11). (BZ#1369526)

Security Fix(es):

* A denial of service flaw was found in the way Pidgin's Mxit plug-in handled
emoticons. A malicious remote server or a man-in-the-middle attacker could
potentially use this flaw to crash Pidgin by sending a specially crafted
emoticon. (CVE-2014-3695)

* A denial of service flaw was found in the way Pidgin parsed Groupwise server
messages. A malicious remote server or a man-in-the-middle attacker could
potentially use this flaw to cause Pidgin to consume an excessive amount of
memory, possibly leading to a crash, by sending a specially crafted message.
(CVE-2014-3696)

* An information disclosure flaw was discovered in the way Pidgin parsed XMPP
messages. A malicious remote server or a man-in-the-middle attacker could
potentially use this flaw to disclose a portion of memory belonging to the
Pidgin process by sending a specially crafted XMPP message. (CVE-2014-3698)

* An out-of-bounds write flaw was found in the way Pidgin processed XML
content. A malicious remote server could potentially use this flaw to crash
Pidgin or execute arbitrary code in the context of the pidgin process.
(CVE-2017-2640)

* It was found that Pidgin's SSL/TLS plug-ins had a flaw in the certificate
validation functionality. An attacker could use this flaw to create a fake
certificate that Pidgin would trust, which could be used to conduct
man-in-the-middle attacks against Pidgin. (CVE-2014-3694)

Red Hat would like to thank the Pidgin project for reporting these issues.
Upstream acknowledges Yves Younan (Cisco Talos) and Richard Johnson (Cisco
Talos) as the original reporters of CVE-2014-3695 and CVE-2014-3696; Thijs
Alkemade and Paul Aurich as the original reporters of CVE-2014-3698; and
Jacob Appelbaum and Moxie Marlinspike as the original reporters of
CVE-2014-3694.

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.4 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

Pidgin must be restarted for this update to take effect.

5. Bugs fixed (https://bugzilla.redhat.com/):

1154908 - CVE-2014-3694 pidgin: SSL/TLS plug-ins failed to check Basic Constraints
1154909 - CVE-2014-3695 pidgin: crash in Mxit protocol plug-in
1154910 - CVE-2014-3696 pidgin: denial of service parsing Groupwise server message
1154911 - CVE-2014-3698 pidgin: remote information leak via crafted XMPP message
1369526 - Rebase pidgin to a newer upstream release
1430019 - CVE-2017-2640 pidgin: Out-of-bounds write in purple_markup_unescape_entity triggered by invalid XML
1439296 - Disable MXit
1445921 - jingle_rtp_initiate_media: 'resource' is used after being freed in an error path
1446368 - Silence -Wsign-compare

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
pidgin-2.10.11-5.el7.src.rpm

x86_64:
libpurple-2.10.11-5.el7.i686.rpm
libpurple-2.10.11-5.el7.x86_64.rpm
pidgin-2.10.11-5.el7.x86_64.rpm
pidgin-debuginfo-2.10.11-5.el7.i686.rpm
pidgin-debuginfo-2.10.11-5.el7.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

x86_64:
finch-2.10.11-5.el7.i686.rpm
finch-2.10.11-5.el7.x86_64.rpm
finch-devel-2.10.11-5.el7.i686.rpm
finch-devel-2.10.11-5.el7.x86_64.rpm
libpurple-devel-2.10.11-5.el7.i686.rpm
libpurple-devel-2.10.11-5.el7.x86_64.rpm
libpurple-perl-2.10.11-5.el7.x86_64.rpm
libpurple-tcl-2.10.11-5.el7.x86_64.rpm
pidgin-debuginfo-2.10.11-5.el7.i686.rpm
pidgin-debuginfo-2.10.11-5.el7.x86_64.rpm
pidgin-devel-2.10.11-5.el7.i686.rpm
pidgin-devel-2.10.11-5.el7.x86_64.rpm
pidgin-perl-2.10.11-5.el7.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
pidgin-2.10.11-5.el7.src.rpm

aarch64:
libpurple-2.10.11-5.el7.aarch64.rpm
pidgin-debuginfo-2.10.11-5.el7.aarch64.rpm

ppc64:
libpurple-2.10.11-5.el7.ppc.rpm
libpurple-2.10.11-5.el7.ppc64.rpm
pidgin-debuginfo-2.10.11-5.el7.ppc.rpm
pidgin-debuginfo-2.10.11-5.el7.ppc64.rpm

ppc64le:
libpurple-2.10.11-5.el7.ppc64le.rpm
pidgin-debuginfo-2.10.11-5.el7.ppc64le.rpm

s390x:
libpurple-2.10.11-5.el7.s390.rpm
libpurple-2.10.11-5.el7.s390x.rpm
pidgin-debuginfo-2.10.11-5.el7.s390.rpm
pidgin-debuginfo-2.10.11-5.el7.s390x.rpm

x86_64:
libpurple-2.10.11-5.el7.i686.rpm
libpurple-2.10.11-5.el7.x86_64.rpm
pidgin-debuginfo-2.10.11-5.el7.i686.rpm
pidgin-debuginfo-2.10.11-5.el7.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
finch-2.10.11-5.el7.aarch64.rpm
finch-devel-2.10.11-5.el7.aarch64.rpm
libpurple-devel-2.10.11-5.el7.aarch64.rpm
libpurple-perl-2.10.11-5.el7.aarch64.rpm
libpurple-tcl-2.10.11-5.el7.aarch64.rpm
pidgin-2.10.11-5.el7.aarch64.rpm
pidgin-debuginfo-2.10.11-5.el7.aarch64.rpm
pidgin-devel-2.10.11-5.el7.aarch64.rpm
pidgin-perl-2.10.11-5.el7.aarch64.rpm

ppc64:
finch-2.10.11-5.el7.ppc.rpm
finch-2.10.11-5.el7.ppc64.rpm
finch-devel-2.10.11-5.el7.ppc.rpm
finch-devel-2.10.11-5.el7.ppc64.rpm
libpurple-devel-2.10.11-5.el7.ppc.rpm
libpurple-devel-2.10.11-5.el7.ppc64.rpm
libpurple-perl-2.10.11-5.el7.ppc64.rpm
libpurple-tcl-2.10.11-5.el7.ppc64.rpm
pidgin-2.10.11-5.el7.ppc64.rpm
pidgin-debuginfo-2.10.11-5.el7.ppc.rpm
pidgin-debuginfo-2.10.11-5.el7.ppc64.rpm
pidgin-devel-2.10.11-5.el7.ppc.rpm
pidgin-devel-2.10.11-5.el7.ppc64.rpm
pidgin-perl-2.10.11-5.el7.ppc64.rpm

ppc64le:
finch-2.10.11-5.el7.ppc64le.rpm
finch-devel-2.10.11-5.el7.ppc64le.rpm
libpurple-devel-2.10.11-5.el7.ppc64le.rpm
libpurple-perl-2.10.11-5.el7.ppc64le.rpm
libpurple-tcl-2.10.11-5.el7.ppc64le.rpm
pidgin-2.10.11-5.el7.ppc64le.rpm
pidgin-debuginfo-2.10.11-5.el7.ppc64le.rpm
pidgin-devel-2.10.11-5.el7.ppc64le.rpm
pidgin-perl-2.10.11-5.el7.ppc64le.rpm

s390x:
finch-2.10.11-5.el7.s390.rpm
finch-2.10.11-5.el7.s390x.rpm
finch-devel-2.10.11-5.el7.s390.rpm
finch-devel-2.10.11-5.el7.s390x.rpm
libpurple-devel-2.10.11-5.el7.s390.rpm
libpurple-devel-2.10.11-5.el7.s390x.rpm
libpurple-perl-2.10.11-5.el7.s390x.rpm
libpurple-tcl-2.10.11-5.el7.s390x.rpm
pidgin-2.10.11-5.el7.s390x.rpm
pidgin-debuginfo-2.10.11-5.el7.s390.rpm
pidgin-debuginfo-2.10.11-5.el7.s390x.rpm
pidgin-devel-2.10.11-5.el7.s390.rpm
pidgin-devel-2.10.11-5.el7.s390x.rpm
pidgin-perl-2.10.11-5.el7.s390x.rpm

x86_64:
finch-2.10.11-5.el7.i686.rpm
finch-2.10.11-5.el7.x86_64.rpm
finch-devel-2.10.11-5.el7.i686.rpm
finch-devel-2.10.11-5.el7.x86_64.rpm
libpurple-devel-2.10.11-5.el7.i686.rpm
libpurple-devel-2.10.11-5.el7.x86_64.rpm
libpurple-perl-2.10.11-5.el7.x86_64.rpm
libpurple-tcl-2.10.11-5.el7.x86_64.rpm
pidgin-2.10.11-5.el7.x86_64.rpm
pidgin-debuginfo-2.10.11-5.el7.i686.rpm
pidgin-debuginfo-2.10.11-5.el7.x86_64.rpm
pidgin-devel-2.10.11-5.el7.i686.rpm
pidgin-devel-2.10.11-5.el7.x86_64.rpm
pidgin-perl-2.10.11-5.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
pidgin-2.10.11-5.el7.src.rpm

x86_64:
libpurple-2.10.11-5.el7.i686.rpm
libpurple-2.10.11-5.el7.x86_64.rpm
pidgin-2.10.11-5.el7.x86_64.rpm
pidgin-debuginfo-2.10.11-5.el7.i686.rpm
pidgin-debuginfo-2.10.11-5.el7.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

x86_64:
finch-2.10.11-5.el7.i686.rpm
finch-2.10.11-5.el7.x86_64.rpm
finch-devel-2.10.11-5.el7.i686.rpm
finch-devel-2.10.11-5.el7.x86_64.rpm
libpurple-devel-2.10.11-5.el7.i686.rpm
libpurple-devel-2.10.11-5.el7.x86_64.rpm
libpurple-perl-2.10.11-5.el7.x86_64.rpm
libpurple-tcl-2.10.11-5.el7.x86_64.rpm
pidgin-debuginfo-2.10.11-5.el7.i686.rpm
pidgin-debuginfo-2.10.11-5.el7.x86_64.rpm
pidgin-devel-2.10.11-5.el7.i686.rpm
pidgin-devel-2.10.11-5.el7.x86_64.rpm
pidgin-perl-2.10.11-5.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details
on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2014-3694
https://access.redhat.com/security/cve/CVE-2014-3695
https://access.redhat.com/security/cve/CVE-2014-3696
https://access.redhat.com/security/cve/CVE-2014-3698
https://access.redhat.com/security/cve/CVE-2017-2640
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.4_Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
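A verification check added here by the editor (not part of the Red Hat or AusCERT text): it compares the installed pidgin, libpurple and finch builds against the fixed build 2.10.11-5.el7 from section 6, so that a host where only some of the sub-packages were updated is reported as still vulnerable. It assumes GNU coreutils (sort -V) and, for a live run with --live, rpm(8); the sample inventory is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory: report whether the RHEL 7 packages
# covered by RHSA-2017:1854 are at or above the fixed build.
FIXED_EVR="2.10.11-5.el7"        # version-release from section 6
PKGS="pidgin libpurple finch"    # binary packages built from the same SRPM

# evr_at_least INSTALLED FIXED -> exit 0 when INSTALLED >= FIXED.
# GNU sort -V orders "2.10.7-27.el7" before "2.10.11-5.el7" (numeric
# segments), so the first line of the sorted pair is the lower version.
evr_at_least() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify_host INVENTORY -> prints one verdict per package and returns 1
# if any package is VULNERABLE. INVENTORY holds "name version-release"
# lines, the format printed by:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' $PKGS
classify_host() {
    status=0
    for pkg in $PKGS; do
        evr=$(printf '%s\n' "$1" | awk -v p="$pkg" '$1 == p { print $2; exit }')
        if [ -z "$evr" ]; then
            echo "$pkg NOT-INSTALLED"
        elif evr_at_least "$evr" "$FIXED_EVR"; then
            echo "$pkg FIXED ($evr)"
        else
            echo "$pkg VULNERABLE ($evr, need >= $FIXED_EVR)"
            status=1
        fi
    done
    return $status
}

# Constructed sample: libpurple was updated but the pidgin binary was not.
SAMPLE="pidgin 2.10.7-27.el7
libpurple 2.10.11-5.el7"

if [ "${1:-}" = "--live" ] && command -v rpm >/dev/null 2>&1; then
    inventory=$(rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' $PKGS 2>/dev/null)
else
    inventory="$SAMPLE"
fi
classify_host "$inventory" || echo "update incomplete; after updating, restart every running Pidgin (section 4)"
```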
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================