1.175. pidgin
1.175.1. RHSA-2009:1218: Critical security update
Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1218
This update has been rated as having critical security impact by the Red Hat Security Response Team.
Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.
Federico Muttis of Core Security Technologies discovered a flaw in Pidgin's MSN protocol handler. If a user received a malicious MSN message, it was possible to execute arbitrary code with the permissions of the user running Pidgin. (CVE-2009-2694)
Note: Users can change their privacy settings to only allow messages from users on their buddy list to limit the impact of this flaw.
These packages upgrade Pidgin to version 2.5.9. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog
All Pidgin users should upgrade to these updated packages, which resolve this issue. Pidgin must be restarted for this update to take effect.
1.175.2. RHSA-2009:1139: Moderate security and bug fix update
Important
This update has already been released (prior to the GA of this release) as the security errata RHSA-2009:1139
This update has been rated as having moderate security impact by the Red Hat Security Response Team.
Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously. The AOL Open System for CommunicAtion in Realtime (OSCAR) protocol is used by the AOL ICQ and AIM instant messaging systems.
A denial of service flaw was found in the Pidgin OSCAR protocol implementation. If a remote ICQ user sent a web message to a local Pidgin user using this protocol, it would cause excessive memory usage, leading to a denial of service (Pidgin crash). (CVE-2009-1889)
These updated packages also fix the following bug:
- the Yahoo! Messenger Protocol changed, making it incompatible (and unusable) with Pidgin versions prior to 2.5.7. This update provides Pidgin 2.5.8, which implements version 16 of the Yahoo! Messenger Protocol, which resolves this issue.
Note
These packages upgrade Pidgin to version 2.5.8. Refer to the Pidgin release notes for a full list of changes: http://developer.pidgin.im/wiki/ChangeLog
All Pidgin users should upgrade to these updated packages, which correct these issues. Pidgin must be restarted for this update to take effect.
1.175.3. RHBA-2009:0407: bug fix update
Note
This update has already been released (prior to the GA of this release) as errata RHBA-2009:0407
Pidgin is a multi-protocol Internet Messaging (IM) client.
This update addresses the following bugs:
- the ICQ Internet message protocol servers recently changed and now require clients to use a newer version of the ICQ protocol. When logging in to ICQ Pidgin 2.5.2 (the version previously shipped with Red Hat Enterprise Linux 4 and 5) fails with an error message as a result. Pidgin 2.5.5, included with this update, uses the newer ICQ protocol, which resolves this issue. (BZ#490104 , BZ#490094)
Note
Pidgin 2.5.5 also addresses several other minor bugs. See the Pidgin 2.5.5 ChangeLog, for details regarding these other changes. - users with "One-Time Password" authenticated logins reported authentication failures because Pidgin attempts to re-connect using the previous password after disconnecting from an IM service. This behavior presented even if the "Remember password" check-box was unchecked in the Account Editor dialog box for a given account (Choose Accounts > Manage Accounts to open a list of active accounts. Double-click an account on this list to show the Account Editor dialog box for that account.)
A new plug-in, "One Time Password Support", is included with this update. With this plug-in enabled, a "One-Time Password" checkbox appears in the Advanced tab of the Account Editor dialog box. For each account that requires One-Time Password authentication, check this checkbox in the Advanced tab. You must also uncheck the "Remember password" checkbox in the Basic tab for this plug-in to work. (BZ#490536 , BZ#490539)
Note
because of the unpredictable disconnection rate for IM sessions, the attempts to automatically re-connect noted above are by design and are not considered a bug. The One Time Password plug-in allows the enforcement, on a per-account basis, of One-Time Password authentication. With the plug-in active, Pidgin will still attempt to re-connect to services after being disconnected. It will not, however, use the previous password.
All Pidgin users should upgrade to these updated packages, which contains Pidgin version 2.5.5 and resolves these issues. Note: after these errata packages are installed, Pidgin must be restarted for the update to take effect.
