Bugzilla – Bug 984655
VUL-0: pidgin: Pidgin Security Vulnerabilities
Last modified: 2018-06-11 22:59:18 UTC
bugbot adjusting priority
For Felix: Fixes for embargoed bugs must not appear in the public part of openSUSE Build Service before the CRD date.

You can prepare the fix in IBS as you like.

But in OBS, you have to use:
osc branch --noaccess

Nobody else will be able to access such a repository.

Note that if you make a submitreq, the noaccess flag does not prevent public disclosure. So please make the submitreq in OBS AFTER CRD.

Marcus: I have no other information than the mail from the private packagers mailing list.
(In reply to Stanislav Brabec from comment #10)
> For Felix: Fixes for embargoed bugs must not appear in the public part of
> openSUSE Build Service before the CRD date.
>
> You can prepare the fix in IBS as you like.
>
> But in OBS, you have to use:
> osc branch --noaccess
>
> Nobody else will be able to access such a repository.
>
> Note that if you make a submitreq, the noaccess flag does not prevent public
> disclosure. So please make the submitreq in OBS AFTER CRD.
>
> Marcus: I have no other information than the mail from the private packagers
> mailing list.

Thanks Stanislav, those are very helpful hints to me.
Pidgin 2.11.0 released. Vulnerabilities are public. https://pidgin.im/news/security/
Title | CVE | Date | Fixed in
Pidgin MXIT Suggested Contacts Memory Disclosure Vulnerability | CVE-2016-2375 | 2016-06-21 | 2.11.0
Pidgin MXIT MultiMX Message Code Execution Vulnerability | CVE-2016-2374 | 2016-06-21 | 2.11.0
Pidgin MXIT Contact Mood Denial of Service Vulnerability | CVE-2016-2373 | 2016-06-21 | 2.11.0
Pidgin MXIT File Transfer Length Memory Disclosure Vulnerability | CVE-2016-2372 | 2016-06-21 | 2.11.0
Pidgin MXIT Extended Profiles Code Execution Vulnerability | CVE-2016-2371 | 2016-06-21 | 2.11.0
Pidgin MXIT Custom Resource Denial of Service Vulnerability | CVE-2016-2370 | 2016-06-21 | 2.11.0
Pidgin MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability | CVE-2016-2369 | 2016-06-21 | 2.11.0
Pidgin MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities | CVE-2016-2368 | 2016-06-21 | 2.11.0
Pidgin MXIT Avatar Length Memory Disclosure Vulnerability | CVE-2016-2367 | 2016-06-21 | 2.11.0
Pidgin MXIT Table Command Denial of Service Vulnerability | CVE-2016-2366 | 2016-06-21 | 2.11.0
Pidgin MXIT Markup Command Denial of Service Vulnerability | CVE-2016-2365 | 2016-06-21 | 2.11.0
Pidgin MXIT Splash Image Arbitrary File Overwrite Vulnerability | CVE-2016-4323 | 2016-06-21 | 2.11.0
Pidgin MXIT mxit_convert_markup_tx Information Leak Vulnerability | CVE-2016-2380 | 2016-06-21 | 2.11.0
(no title given) | CVE-2016-2379 | 2016-06-21 |
Pidgin MXIT get_utf8_string Code Execution Vulnerability | CVE-2016-2378 | 2016-06-21 | 2.11.0
Pidgin MXIT HTTP Content-Length Buffer Overflow Vulnerability | CVE-2016-2377 | 2016-06-21 | 2.11.0
Pidgin MXIT read stage 0x3 Code Execution Vulnerability | CVE-2016-2376 | 2016-06-21 | 2.11.0
X.509 Certificates Improperly Imported | None | 2016-06-21 | 2.11.0
(Would you prefer the CVEs split off to separate bugs, or can we keep them in one bug?)
(In reply to Marcus Meissner from comment #15)
> (Would you prefer the CVEs split off to separate bugs, or can we keep them
> in one bug?)

Sorry Marcus, I'm afraid I must humbly ask for your opinion here, as I'm not familiar with the philosophy and best practices used in handling security incidents. What are the pros and cons of either way? How is a similar case usually handled in other packages?
What is easier for you? What is your plan to fix these issues?
All the bugs tracked are either deprecated due to the shutdown of the MXIT service or irrelevant to the existing code base (the x.209 one). Closing this tracker bug too.