Debian Security Advisory
DSA-3055-1 pidgin -- security update
- Date Reported:
- 23 Oct 2014
- Affected Packages:
- pidgin
- Vulnerable:
- Yes
- Security database references:
- In Mitre's CVE dictionary: CVE-2014-3694, CVE-2014-3695, CVE-2014-3696, CVE-2014-3698.
- More information:
-
Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client:
- CVE-2014-3694
It was discovered that the SSL/TLS plugins failed to validate the basic constraints extension in intermediate CA certificates.
- CVE-2014-3695
Yves Younan and Richard Johnson discovered that emoticons with overly large length values could crash Pidgin.
- CVE-2014-3696
Yves Younan and Richard Johnson discovered that malformed Groupwise messages could crash Pidgin.
- CVE-2014-3698
Thijs Alkemade and Paul Aurich discovered that malformed XMPP messages could result in memory disclosure.
For the stable distribution (wheezy), these problems have been fixed in version 2.10.10-1~deb7u1.
For the unstable distribution (sid), these problems have been fixed in version 2.10.10-1.
We recommend that you upgrade your pidgin packages.
- CVE-2014-3694