UbuntuUpdates.org

Package "finch"

Name: finch

Description:

text-based multi-protocol instant messaging client

Latest version: 1:2.10.3-0ubuntu1.8
Release: precise (12.04)
Level: updates
Repository: main
Head package: pidgin
Homepage: http://www.pidgin.im

Other versions of "finch" in Precise

Repository   Area   Version
base         main   1:2.10.3-0ubuntu1
security     main   1:2.10.3-0ubuntu1.8
PPA: Pidgin         1:2.10.11-1ubuntu0+pidgin7.12.04

Changelog

Version: 1:2.10.3-0ubuntu1.8 2017-03-14 13:06:49 UTC

  pidgin (1:2.10.3-0ubuntu1.8) precise-security; urgency=medium

  * SECURITY UPDATE: Out-of-bounds write when stripping xml
    - debian/patches/CVE-2017-2640.patch: improve entity processing in
      libpurple/util.c.
    - CVE-2017-2640

 -- Marc Deslauriers <email address hidden> Mon, 13 Mar 2017 14:31:38 -0400

CVE-2017-2640 Out-of-bounds write when stripping xml

Version: 1:2.10.3-0ubuntu1.7 2016-07-12 20:07:04 UTC

  pidgin (1:2.10.3-0ubuntu1.7) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service and code execution in MXIT protocol
    - debian/patches/CVE-2016-*.patch: fix multiple issues.
    - CVE-2016-2365
    - CVE-2016-2366
    - CVE-2016-2367
    - CVE-2016-2368
    - CVE-2016-2369
    - CVE-2016-2370
    - CVE-2016-2371
    - CVE-2016-2372
    - CVE-2016-2373
    - CVE-2016-2374
    - CVE-2016-2375
    - CVE-2016-2376
    - CVE-2016-2377
    - CVE-2016-2378
    - CVE-2016-2380
    - CVE-2016-4323

 -- Marc Deslauriers <email address hidden> Tue, 12 Jul 2016 09:12:35 -0400

CVE-2016-2365 MXIT Markup Command Denial of Service Vulnerability
CVE-2016-2366 MXIT Table Command Denial of Service Vulnerability
CVE-2016-2367 MXIT Avatar Length Memory Disclosure Vulnerability
CVE-2016-2368 MXIT g_snprintf Multiple Buffer Overflow Vulnerabilities
CVE-2016-2369 MXIT CP_SOCK_REC_TERM Denial of Service Vulnerability
CVE-2016-2370 MXIT Custom Resource Denial of Service Vulnerability
CVE-2016-2371 MXIT Extended Profiles Code Execution Vulnerability
CVE-2016-2372 MXIT File Transfer Length Memory Disclosure Vulnerability
CVE-2016-2373 MXIT Contact Mood Denial of Service Vulnerability
CVE-2016-2374 MXIT MultiMX Message Code Execution Vulnerability
CVE-2016-2375 MXIT Suggested Contacts Memory Disclosure Vulnerability
CVE-2016-2376 MXIT read stage 0x3 Code Execution Vulnerability
CVE-2016-2377 MXIT HTTP Content-Length Buffer Overflow Vulnerability
CVE-2016-2378 MXIT get_utf8_string Code Execution Vulnerability
CVE-2016-2380 MXIT mxit_convert_markup_tx Information Leak Vulnerability
CVE-2016-4323 MXIT Splash Image Arbitrary File Overwrite Vulnerability

Version: 1:2.10.3-0ubuntu1.6 2014-10-28 16:06:45 UTC

  pidgin (1:2.10.3-0ubuntu1.6) precise-security; urgency=medium

  * SECURITY UPDATE: insufficient ssl certificate validation
    - debian/patches/CVE-2014-3694.patch: fix basic constraints checking in
      libpurple/certificate.c, libpurple/certificate.h,
      libpurple/plugins/ssl/ssl-gnutls.c, libpurple/plugins/ssl/ssl-nss.c.
    - CVE-2014-3694
  * SECURITY UPDATE: denial of service via malformed MXit emoticon response
    - debian/patches/CVE-2014-3695.patch: properly check lengths in
      libpurple/protocols/mxit/markup.c.
    - CVE-2014-3695
  * SECURITY UPDATE: denial of service via malformed Groupwise message
    - debian/patches/CVE-2014-3696.patch: check sizes in
      libpurple/protocols/novell/nmevent.c.
    - CVE-2014-3696
  * SECURITY UPDATE: XMPP information leak
    - debian/patches/CVE-2014-3698.patch: fix leaks in
      libpurple/protocols/jabber/jutil.c.
    - CVE-2014-3698
 -- Marc Deslauriers <email address hidden> Mon, 27 Oct 2014 11:48:53 -0400


Version: 1:2.10.3-0ubuntu1.5 2014-05-21 15:07:03 UTC

  pidgin (1:2.10.3-0ubuntu1.5) precise-security; urgency=medium

  * SECURITY UPDATE: memory corruption via crafted message from gadu-gadu
    file relay server
    - debian/patches/CVE-2014-3775.patch: check relay_count in
      libpurple/protocols/gg/lib/dcc7.c
    - CVE-2014-3775
 -- Marc Deslauriers <email address hidden> Tue, 20 May 2014 11:11:00 -0400

CVE-2014-3775 memory corruption

Version: 1:2.10.3-0ubuntu1.4 2014-02-06 17:06:27 UTC

  pidgin (1:2.10.3-0ubuntu1.4) precise-security; urgency=medium

  * SECURITY UPDATE: remote crash in yahoo via incorrect char encoding
    - debian/patches/CVE-2012-6152.patch: validate strings as utf-8
      before parsing in libpurple/protocols/yahoo/{libymsg,yahoo_aliases,
      yahoo_filexfer,yahoo_friend,yahoo_picture,yahoochat}.c.
    - CVE-2012-6152
  * SECURITY UPDATE: crash via bad XMPP timestamp
    - debian/patches/CVE-2013-6477.patch: properly handle invalid
      timestamps in libpurple/{conversation,log,server}.c.
    - CVE-2013-6477
  * SECURITY UPDATE: crash via hovering pointer over long URL
    - debian/patches/CVE-2013-6478.patch: set max lengths in
      pidgin/gtkimhtml.c.
    - CVE-2013-6478
  * SECURITY UPDATE: remote crash via HTTP response parsing
    - debian/patches/CVE-2013-6479.patch: don't implicitly trust
      Content-Length in libpurple/util.c.
    - CVE-2013-6479
  * SECURITY UPDATE: remote crash via yahoo P2P message
    - debian/patches/CVE-2013-6481.patch: perform bounds checking in
      libpurple/protocols/yahoo/libymsg.c.
    - CVE-2013-6481
  * SECURITY UPDATE: crashes via MSN NULL pointer dereferences
    - debian/patches/CVE-2013-6482.patch: fix NULL pointers in
      libpurple/protocols/msn/{msg,oim,soap}.c.
    - CVE-2013-6482
  * SECURITY UPDATE: iq reply spoofing via incorrect from verification
    - debian/patches/CVE-2013-6483.patch: verify from field on iq replies
      in libpurple/protocols/jabber/{iq.*,jabber.c,jutil.*}.
    - CVE-2013-6483
  * SECURITY UPDATE: crash via response from STUN server
    - debian/patches/CVE-2013-6484.patch: validate len in libpurple/stun.c.
    - CVE-2013-6484
  * SECURITY UPDATE: buffer overflow in chunked HTTP response parsing
    - debian/patches/CVE-2013-6485.patch: limit chunk size in
      libpurple/util.c.
    - CVE-2013-6485
  * SECURITY UPDATE: buffer overflow in gadu-gadu HTTP parsing
    - debian/patches/CVE-2013-6487.patch: limit length in
      libpurple/protocols/gg/lib/http.c.
    - CVE-2013-6487
  * SECURITY UPDATE: buffer overflow in MXit emoticon parsing
    - debian/patches/CVE-2013-6489.patch: check return code in
      libpurple/protocols/mxit/markup.c.
    - CVE-2013-6489
  * SECURITY UPDATE: buffer overflow in SIMPLE header parsing
    - debian/patches/CVE-2013-6490.patch: use g_new in
      libpurple/protocols/simple/simple.c and check length in
      libpurple/protocols/simple/sipmsg.c.
    - CVE-2013-6490
  * SECURITY UPDATE: crash via IRC argument parsing
    - debian/patches/CVE-2014-0020.patch: fix arg handling in
      libpurple/protocols/irc/msgs.c, fix counts in
      libpurple/protocols/irc/parse.c.
    - CVE-2014-0020
 -- Marc Deslauriers <email address hidden> Wed, 05 Feb 2014 15:58:24 -0500



