Your message dated Tue, 09 Mar 2010 22:01:19 +0000
with message-id <[email protected]>
and subject line Bug#572946: fixed in qutecom 2.2~rc3.hg396~dfsg1-6
has caused the Debian Bug report #572946,
regarding qutecom: multiple vulnerabilities
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
572946: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=572946
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: qutecom
Version: 2.2~rc3.hg396~dfsg1-5+b1
Severity: important
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for pidgin.  Since qutecom embeds libpurple, it may also be
affected.  I have not checked this myself, so please do so, and close
the bug if you find the package to be not affected.

CVE-2010-0423[0]:
| gtkimhtml.c in Pidgin before 2.6.6 allows remote attackers to cause a
| denial of service (CPU consumption and application hang) by sending
| many smileys in a (1) IM or (2) chat.

CVE-2010-0420[1]:
| libpurple in Finch in Pidgin before 2.6.6, when an XMPP multi-user
| chat (MUC) room is used, does not properly parse nicknames containing
| <br> sequences, which allows remote attackers to cause a denial of
| service (application crash) via a crafted nickname.

CVE-2010-0277[2]:
| slp.c in the MSN protocol plugin in libpurple in Pidgin before 2.6.6,
| including 2.6.4, and Adium 1.3.8 allows remote attackers to cause a
| denial of service (memory corruption and application crash) or
| possibly have unspecified other impact via a malformed MSNSLP INVITE
| request in an SLP message, a different issue than CVE-2010-0013.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0423
    http://security-tracker.debian.org/tracker/CVE-2010-0423
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0420
    http://security-tracker.debian.org/tracker/CVE-2010-0420
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0277
    http://security-tracker.debian.org/tracker/CVE-2010-0277



--- End Message ---
--- Begin Message ---
Source: qutecom
Source-Version: 2.2~rc3.hg396~dfsg1-6

We believe that the bug you reported is fixed in the latest version of
qutecom, which is due to be installed in the Debian FTP archive:

qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
  to main/q/qutecom/qutecom-data_2.2~rc3.hg396~dfsg1-6_all.deb
qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
  to main/q/qutecom/qutecom-dbg_2.2~rc3.hg396~dfsg1-6_amd64.deb
qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
  to main/q/qutecom/qutecom_2.2~rc3.hg396~dfsg1-6.debian.tar.gz
qutecom_2.2~rc3.hg396~dfsg1-6.dsc
  to main/q/qutecom/qutecom_2.2~rc3.hg396~dfsg1-6.dsc
qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
  to main/q/qutecom/qutecom_2.2~rc3.hg396~dfsg1-6_amd64.deb
wengophone_2.2~rc3.hg396~dfsg1-6_all.deb
  to main/q/qutecom/wengophone_2.2~rc3.hg396~dfsg1-6_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ludovico Cavedon <[email protected]> (supplier of updated qutecom package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 09 Mar 2010 20:35:47 +0100
Source: qutecom
Binary: qutecom qutecom-data qutecom-dbg wengophone
Architecture: source all amd64
Version: 2.2~rc3.hg396~dfsg1-6
Distribution: unstable
Urgency: low
Maintainer: Debian VoIP Team <[email protected]>
Changed-By: Ludovico Cavedon <[email protected]>
Description: 
 qutecom    - SIP-based software telephone with video and chat features
 qutecom-data - SIP-based software telephone with video and chat features (data f
 qutecom-dbg - SIP-based software telephone with video and chat features (debug
 wengophone - SIP-based software telephone with video and chat (transitional pa
Closes: 556311 559785 572946
Changes: 
 qutecom (2.2~rc3.hg396~dfsg1-6) unstable; urgency=low
 .
   * Add fix-binutils-gold.patch for building with binutils-gold.
     Closes: #556311.
   * Add libpurple-glib.patch and purple-wait-init.patch for fixing crash with
     external libpurple.
   * Compile against external libpurple (CVE-2010-0423, CVE-2010-0420,
     CVE-2010-0277). Closes: #559785, #572946.
   * Update Standards-Version to 3.8.4.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkuWuY8ACgkQCidatrS8pdfDpQCdEk5jNlBEhnie5bLK/vkcvNhf
IB4An2mu2RNQ4t4LxlXSgn9iHjeNskKe
=DZr3
-----END PGP SIGNATURE-----



--- End Message ---
