Public bug reported:

Update to latest upstream release (2.10.11) in vivid.

Upstream changelog https://developer.pidgin.im/wiki/ChangeLog:

version 2.10.11 (11/23/14)

    General
        Fix handling of Self-Signed SSL/TLS Certificates when using the NSS plugin
        Improve default cipher suites used with the NSS plugin
        Add NSS Preferences plugin which allows the SSL/TLS Versions and cipher suites to be configured

    Gadu-Gadu
        Fix a bug that prevented the plugin from loading when compiled without GnuTLS. (mancha)
        Fix build for platforms without AF_LOCAL definition.

    MSN
        Fix broken login due to server change (dx, TReKiE).
        Fail early when buddy list is unavailable instead of wasting bandwidth endlessly re-trying.

version 2.10.10 (10/22/2014)

    General
        Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694)
        Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL. (Elrond and Ashish Gupta)
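The basic-constraints check behind CVE-2014-3694, as an added example that is not pidgin's or libpurple's code: a constructed demo PKI in Go (the names root.example, attacker.example and xmpp.example are made up) using Go's crypto/x509 in place of NSS or GnuTLS. vulnerableAccepts walks the chain verifying only signatures, as the pre-2.10.10 code did, so an ordinary end-entity certificate can mint a certificate for the IM server's name; fixedAccepts runs full RFC 5280 path validation and rejects that chain because the attacker's certificate carries cA=FALSE.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate in a constructed demo PKI; self-signed when parent is nil.
func issue(name string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: isCA, // basicConstraints cA: the bit CVE-2014-3694 never consulted
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// vulnerableAccepts mirrors the pre-2.10.10 logic: both signatures verify, so nobody asks whether the intermediate may sign certs.
func vulnerableAccepts(leaf, inter, root *x509.Certificate) bool {
	return inter.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil &&
		root.CheckSignature(inter.SignatureAlgorithm, inter.RawTBSCertificate, inter.Signature) == nil
}

// fixedAccepts is full RFC 5280 path validation, which rejects any issuer lacking cA=TRUE.
func fixedAccepts(leaf, inter, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

// demo: an attacker holding an ordinary end-entity cert from the trusted root signs a cert for the IM server's name.
func demo() (vulnAcceptsForged, fixedAcceptsForged, fixedAcceptsGenuine bool) {
	root, rootKey := issue("root.example", true, nil, nil)
	attacker, attackerKey := issue("attacker.example", false, root, rootKey)
	forged, _ := issue("xmpp.example", false, attacker, attackerKey)
	genuine, _ := issue("xmpp.example", false, root, rootKey)
	return vulnerableAccepts(forged, attacker, root), fixedAccepts(forged, attacker, root, "xmpp.example"), fixedAccepts(genuine, attacker, root, "xmpp.example")
}
```

demo() returns true, false, true: the signature-only walk accepts the forged chain, full validation rejects it, and a genuine chain from the root still validates.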

    libpurple3 compatibility
        Encrypted account passwords are preserved until the new one is set.
        Fix loading Google Talk and Facebook XMPP accounts.

    Windows-Specific Changes
        Don't allow overwriting arbitrary files on the file system when the user installs a smiley theme via drag-and-drop. (Discovered by Yves Younan of Cisco Talos) (CVE-2014-3697)
        Updates to dependencies
            NSS 3.17.1 and NSPR 4.10.7

    Finch
        Fix build against Python 3. (Ed Catmur)

    Gadu-Gadu
        Updated internal libgadu to version 1.12.0.

    Groupwise
        Fix potential remote crash parsing server message that indicates that a large amount of memory should be allocated. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3696)

    IRC
        Fix a possible leak of unencrypted data when using /me command with OTR. (Thijs Alkemade)

    MXit
        Fix potential remote crash parsing a malformed emoticon response. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3695)

    XMPP
        Fix potential information leak where a malicious XMPP server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory. (Discovered and fixed by Thijs Alkemade and Paul Aurich) (CVE-2014-3698)
        Fix Facebook XMPP roster quirks.

    Yahoo
        Fix login when using the GnuTLS library for TLS connections.

** Affects: pidgin (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: upgrade-software-version vivid

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pidgin in Ubuntu.
https://bugs.launchpad.net/bugs/1402424
