[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-11-24 Thread Launchpad Bug Tracker
This bug was fixed in the package pidgin - 1:2.2.1-1ubuntu4.3

---
pidgin (1:2.2.1-1ubuntu4.3) gutsy-security; urgency=low

  * SECURITY UPDATE: code execution via integer overflow in the MSN protocol
    handler (LP: #245770)
    - debian/patches/99_SECURITY_CVE-2008-2927.patch: fix
      msn_slplink_process_msg() in src/protocols/msn/slplink.c by checking
      against maximum size G_MAXSIZE.
    - CVE-2008-2927
  * SECURITY UPDATE: denial of service via specially formulated long
    filename (LP: #245769)
    - debian/patches/99_SECURITY_CVE-2008-2955.patch: change
      src/protocols/msn/[slplink.c,slpcall.*] to make sure xfer structure still
      exists before putting dest_fp in it.
    - CVE-2008-2955
  * SECURITY UPDATE: denial of service via resource exhaustion from arbitrary
    URL in UPnP functionality (LP: #245769)
    - debian/patches/99_SECURITY_CVE-2008-2957.patch: modified
      libpurple/[upnp.c,util.*] to add purple_util_fetch_url_request_len() in
      order to limit http downloads to 128k.
    - CVE-2008-2957
  * SECURITY UPDATE: man in the middle attack from lack of certificate
    validation in nss plugin (LP: #251304)
    - debian/patches/99_SECURITY_CVE-2008-3532.patch: modified
      libpurple/plugins/ssl/ssl-nss.c to add certificate validation code.
    - CVE-2008-3532

 -- Marc Deslauriers [EMAIL PROTECTED]   Thu, 20 Nov 2008 15:54:34 -0500

** Changed in: pidgin (Ubuntu)
   Status: Confirmed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2927

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2955

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2957

-- 
Pidgin XMPP TLS/SSL Man in the Middle attack
https://bugs.launchpad.net/bugs/251304
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-10-17 Thread db
Has the fix been included in pidgin on Ubuntu?
This is a security risk and should be fixed at some point.



[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-23 Thread Bug Watch Updater
** Changed in: pidgin
   Status: Unknown => Fix Released



[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-22 Thread Craig
** Also affects: pidgin via
   http://developer.pidgin.im/ticket/3381
   Importance: Unknown
   Status: Unknown



[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-22 Thread Bug Watch Updater
** Changed in: pidgin (Debian)
   Status: Confirmed => Fix Released



[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-08 Thread Alexander Konovalenko
On Fri, Aug 8, 2008 at 02:11, Steven M. Christey (coley at linus mitre org) wrote:

> On Tue, 5 Aug 2008, Josh Bressers wrote:
>
> > http://developer.pidgin.im/ticket/6500
> > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434
>
> Use CVE-2008-3532, to be updated later.
>
> - Steve

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3532



[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-05 Thread Bug Watch Updater
** Changed in: pidgin (Debian)
   Status: Unknown => Confirmed



[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-05 Thread Alexander Konovalenko
** Bug watch added: Debian Bug tracker #492434
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434

** Also affects: pidgin (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434
   Importance: Unknown
   Status: Unknown



[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-05 Thread Miron Cuperman
See also http://developer.pidgin.im/ticket/6500 which includes a patch.



[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-05 Thread Kees Cook
Has a CVE been assigned for this design failure?  I haven't been able to
find one yet.

** Changed in: pidgin (Ubuntu)
   Status: New => Confirmed



[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-05 Thread Miron Cuperman
I don't think so.  I would have done it, but not certain of the
procedure.



Re: [Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-08-05 Thread Kees Cook
Ah-ha, it appears the request is pending.  I found the thread on the
oss-security mailing list.



[Bug 251304] Re: Pidgin XMPP TLS/SSL Man in the Middle attack

2008-07-25 Thread AleksanderAdamowski
See also: http://developer.pidgin.im/ticket/3381
