"-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: pidgin security and bug fix update
Advisory ID: RHSA-2009:1139-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1139.html
Issue date: 2009-07-02
CVE Names: CVE-2009-1889
=====================================================================
1. Summary:
Updated pidgin packages that fix one security issue and one bug are now
available for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having moderate security impact by the Red
Hat Security Response Team.
2. Relevant releases/architectures:
Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, x86_64
Red Hat Enterprise Linux Desktop version 4 - i386, x86_64
Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64
Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
RHEL Optional Productivity Applications (v. 5 server) - i386, x86_64
3. Description:
Pidgin is an instant messaging program which can log in to multiple
accounts on multiple instant messaging networks simultaneously. The AOL
Open System for CommunicAtion in Realtime (OSCAR) protocol is used by the
AOL ICQ and AIM instant messaging systems.
A denial of service flaw was found in the Pidgin OSCAR protocol
implementation. If a remote ICQ user sent a web message to a local Pidgin
user using this protocol, it would cause excessive memory usage, leading to
a denial of service (Pidgin crash). (CVE-2009-1889)
These updated packages also fix the following bug:
* the Yahoo! Messenger Protocol changed, making it incompatible (and
unusable) with Pidgin versions prior to 2.5.7. This update provides Pidgin
2.5.8, which implements version 16 of the Yahoo! Messenger Protocol, which
resolves this issue.
Note: These packages upgrade Pidgin to version 2.5.8. Refer to the Pidgin
release notes for a full list of changes:
http://developer.pidgin.im/wiki/ChangeLog
All Pidgin users should upgrade to these updated packages, which correct
these issues. Pidgin must be restarted for this update to take effect.
4. Solution:
Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.
This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
5. Bugs fixed (http://bugzilla.redhat.com/):
508271 - pidgin Yahoo protocol 16 [rhel-4.8.z]
508272 - pidgin Yahoo protocol 16 [rhel-5.3.z]
508738 - CVE-2009-1889 pidgin: DoS via specially-crafted ICQWebMessage
6. Package List:
Red Hat Enterprise Linux AS version 4:
Source:
ftp://updates.redhat.com/enterprise/4AS/en/os/SRPMS/pidgin-2.5.8-1.el4.src.rpm
i386:
finch-2.5.8-1.el4.i386.rpm
finch-devel-2.5.8-1.el4.i386.rpm
libpurple-2.5.8-1.el4.i386.rpm
libpurple-devel-2.5.8-1.el4.i386.rpm
libpurple-perl-2.5.8-1.el4.i386.rpm
libpurple-tcl-2.5.8-1.el4.i386.rpm
pidgin-2.5.8-1.el4.i386.rpm
pidgin-debuginfo-2.5.8-1.el4.i386.rpm
pidgin-devel-2.5.8-1.el4.i386.rpm
pidgin-perl-2.5.8-1.el4.i386.rpm
ia64:
finch-2.5.8-1.el4.ia64.rpm
finch-devel-2.5.8-1.el4.ia64.rpm
libpurple-2.5.8-1.el4.ia64.rpm
libpurple-devel-2.5.8-1.el4.ia64.rpm
libpurple-perl-2.5.8-1.el4.ia64.rpm
libpurple-tcl-2.5.8-1.el4.ia64.rpm
pidgin-2.5.8-1.el4.ia64.rpm
pidgin-debuginfo-2.5.8-1.el4.ia64.rpm
pidgin-devel-2.5.8-1.el4.ia64.rpm
pidgin-perl-2.5.8-1.el4.ia64.rpm
ppc:
finch-2.5.8-1.el4.ppc.rpm
finch-devel-2.5.8-1.el4.ppc.rpm
libpurple-2.5.8-1.el4.ppc.rpm
libpurple-devel-2.5.8-1.el4.ppc.rpm
libpurple-perl-2.5.8-1.el4.ppc.rpm
libpurple-tcl-2.5.8-1.el4.ppc.rpm
pidgin-2.5.8-1.el4.ppc.rpm
pidgin-debuginfo-2.5.8-1.el4.ppc.rpm
pidgin-devel-2.5.8-1.el4.ppc.rpm
pidgin-perl-2.5.8-1.el4.ppc.rpm
x86_64:
finch-2.5.8-1.el4.x86_64.rpm
finch-devel-2.5.8-1.el4.x86_64.rpm
libpurple-2.5.8-1.el4.x86_64.rpm
libpurple-devel-2.5.8-1.el4.x86_64.rpm
libpurple-perl-2.5.8-1.el4.x86_64.rpm
libpurple-tcl-2.5.8-1.el4.x86_64.rpm
pidgin-2.5.8-1.el4.x86_64.rpm
pidgin-debuginfo-2.5.8-1.el4.x86_64.rpm
pidgin-devel-2.5.8-1.el4.x86_64.rpm
pidgin-perl-2.5.8-1.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop version 4:
Source:
ftp://updates.redhat.com/enterprise/4Desktop/en/os/SRPMS/pidgin-2.5.8-1.el4.src.rpm
i386:
finch-2.5.8-1.el4.i386.rpm
finch-devel-2.5.8-1.el4.i386.rpm
libpurple-2.5.8-1.el4.i386.rpm
libpurple-devel-2.5.8-1.el4.i386.rpm
libpurple-perl-2.5.8-1.el4.i386.rpm
libpurple-tcl-2.5.8-1.el4.i386.rpm
pidgin-2.5.8-1.el4.i386.rpm
pidgin-debuginfo-2.5.8-1.el4.i386.rpm
pidgin-devel-2.5.8-1.el4.i386.rpm
pidgin-perl-2.5.8-1.el4.i386.rpm
x86_64:
finch-2.5.8-1.el4.x86_64.rpm
finch-devel-2.5.8-1.el4.x86_64.rpm
libpurple-2.5.8-1.el4.x86_64.rpm
libpurple-devel-2.5.8-1.el4.x86_64.rpm
libpurple-perl-2.5.8-1.el4.x86_64.rpm
libpurple-tcl-2.5.8-1.el4.x86_64.rpm
pidgin-2.5.8-1.el4.x86_64.rpm
pidgin-debuginfo-2.5.8-1.el4.x86_64.rpm
pidgin-devel-2.5.8-1.el4.x86_64.rpm
pidgin-perl-2.5.8-1.el4.x86_64.rpm
Red Hat Enterprise Linux ES version 4:
Source:
ftp://updates.redhat.com/enterprise/4ES/en/os/SRPMS/pidgin-2.5.8-1.el4.src.rpm
i386:
finch-2.5.8-1.el4.i386.rpm
finch-devel-2.5.8-1.el4.i386.rpm
libpurple-2.5.8-1.el4.i386.rpm
libpurple-devel-2.5.8-1.el4.i386.rpm
libpurple-perl-2.5.8-1.el4.i386.rpm
libpurple-tcl-2.5.8-1.el4.i386.rpm
pidgin-2.5.8-1.el4.i386.rpm
pidgin-debuginfo-2.5.8-1.el4.i386.rpm
pidgin-devel-2.5.8-1.el4.i386.rpm
pidgin-perl-2.5.8-1.el4.i386.rpm
ia64:
finch-2.5.8-1.el4.ia64.rpm
finch-devel-2.5.8-1.el4.ia64.rpm
libpurple-2.5.8-1.el4.ia64.rpm
libpurple-devel-2.5.8-1.el4.ia64.rpm
libpurple-perl-2.5.8-1.el4.ia64.rpm
libpurple-tcl-2.5.8-1.el4.ia64.rpm
pidgin-2.5.8-1.el4.ia64.rpm
pidgin-debuginfo-2.5.8-1.el4.ia64.rpm
pidgin-devel-2.5.8-1.el4.ia64.rpm
pidgin-perl-2.5.8-1.el4.ia64.rpm
x86_64:
finch-2.5.8-1.el4.x86_64.rpm
finch-devel-2.5.8-1.el4.x86_64.rpm
libpurple-2.5.8-1.el4.x86_64.rpm
libpurple-devel-2.5.8-1.el4.x86_64.rpm
libpurple-perl-2.5.8-1.el4.x86_64.rpm
libpurple-tcl-2.5.8-1.el4.x86_64.rpm
pidgin-2.5.8-1.el4.x86_64.rpm
pidgin-debuginfo-2.5.8-1.el4.x86_64.rpm
pidgin-devel-2.5.8-1.el4.x86_64.rpm
pidgin-perl-2.5.8-1.el4.x86_64.rpm
Red Hat Enterprise Linux WS version 4:
Source:
ftp://updates.redhat.com/enterprise/4WS/en/os/SRPMS/pidgin-2.5.8-1.el4.src.rpm
i386:
finch-2.5.8-1.el4.i386.rpm
finch-devel-2.5.8-1.el4.i386.rpm
libpurple-2.5.8-1.el4.i386.rpm
libpurple-devel-2.5.8-1.el4.i386.rpm
libpurple-perl-2.5.8-1.el4.i386.rpm
libpurple-tcl-2.5.8-1.el4.i386.rpm
pidgin-2.5.8-1.el4.i386.rpm
pidgin-debuginfo-2.5.8-1.el4.i386.rpm
pidgin-devel-2.5.8-1.el4.i386.rpm
pidgin-perl-2.5.8-1.el4.i386.rpm
ia64:
finch-2.5.8-1.el4.ia64.rpm
finch-devel-2.5.8-1.el4.ia64.rpm
libpurple-2.5.8-1.el4.ia64.rpm
libpurple-devel-2.5.8-1.el4.ia64.rpm
libpurple-perl-2.5.8-1.el4.ia64.rpm
libpurple-tcl-2.5.8-1.el4.ia64.rpm
pidgin-2.5.8-1.el4.ia64.rpm
pidgin-debuginfo-2.5.8-1.el4.ia64.rpm
pidgin-devel-2.5.8-1.el4.ia64.rpm
pidgin-perl-2.5.8-1.el4.ia64.rpm
x86_64:
finch-2.5.8-1.el4.x86_64.rpm
finch-devel-2.5.8-1.el4.x86_64.rpm
libpurple-2.5.8-1.el4.x86_64.rpm
libpurple-devel-2.5.8-1.el4.x86_64.rpm
libpurple-perl-2.5.8-1.el4.x86_64.rpm
libpurple-tcl-2.5.8-1.el4.x86_64.rpm
pidgin-2.5.8-1.el4.x86_64.rpm
pidgin-debuginfo-2.5.8-1.el4.x86_64.rpm
pidgin-devel-2.5.8-1.el4.x86_64.rpm
pidgin-perl-2.5.8-1.el4.x86_64.rpm
Red Hat Enterprise Linux Desktop (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.5.8-1.el5.src.rpm
i386:
finch-2.5.8-1.el5.i386.rpm
libpurple-2.5.8-1.el5.i386.rpm
libpurple-perl-2.5.8-1.el5.i386.rpm
libpurple-tcl-2.5.8-1.el5.i386.rpm
pidgin-2.5.8-1.el5.i386.rpm
pidgin-debuginfo-2.5.8-1.el5.i386.rpm
pidgin-perl-2.5.8-1.el5.i386.rpm
x86_64:
finch-2.5.8-1.el5.i386.rpm
finch-2.5.8-1.el5.x86_64.rpm
libpurple-2.5.8-1.el5.i386.rpm
libpurple-2.5.8-1.el5.x86_64.rpm
libpurple-perl-2.5.8-1.el5.x86_64.rpm
libpurple-tcl-2.5.8-1.el5.x86_64.rpm
pidgin-2.5.8-1.el5.i386.rpm
pidgin-2.5.8-1.el5.x86_64.rpm
pidgin-debuginfo-2.5.8-1.el5.i386.rpm
pidgin-debuginfo-2.5.8-1.el5.x86_64.rpm
pidgin-perl-2.5.8-1.el5.x86_64.rpm
RHEL Desktop Workstation (v. 5 client):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/pidgin-2.5.8-1.el5.src.rpm
i386:
finch-devel-2.5.8-1.el5.i386.rpm
libpurple-devel-2.5.8-1.el5.i386.rpm
pidgin-debuginfo-2.5.8-1.el5.i386.rpm
pidgin-devel-2.5.8-1.el5.i386.rpm
x86_64:
finch-devel-2.5.8-1.el5.i386.rpm
finch-devel-2.5.8-1.el5.x86_64.rpm
libpurple-devel-2.5.8-1.el5.i386.rpm
libpurple-devel-2.5.8-1.el5.x86_64.rpm
pidgin-debuginfo-2.5.8-1.el5.i386.rpm
pidgin-debuginfo-2.5.8-1.el5.x86_64.rpm
pidgin-devel-2.5.8-1.el5.i386.rpm
pidgin-devel-2.5.8-1.el5.x86_64.rpm
RHEL Optional Productivity Applications (v. 5 server):
Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/pidgin-2.5.8-1.el5.src.rpm
i386:
finch-2.5.8-1.el5.i386.rpm
finch-devel-2.5.8-1.el5.i386.rpm
libpurple-2.5.8-1.el5.i386.rpm
libpurple-devel-2.5.8-1.el5.i386.rpm
libpurple-perl-2.5.8-1.el5.i386.rpm
libpurple-tcl-2.5.8-1.el5.i386.rpm
pidgin-2.5.8-1.el5.i386.rpm
pidgin-debuginfo-2.5.8-1.el5.i386.rpm
pidgin-devel-2.5.8-1.el5.i386.rpm
pidgin-perl-2.5.8-1.el5.i386.rpm
x86_64:
finch-2.5.8-1.el5.i386.rpm
finch-2.5.8-1.el5.x86_64.rpm
finch-devel-2.5.8-1.el5.i386.rpm
finch-devel-2.5.8-1.el5.x86_64.rpm
libpurple-2.5.8-1.el5.i386.rpm
libpurple-2.5.8-1.el5.x86_64.rpm
libpurple-devel-2.5.8-1.el5.i386.rpm
libpurple-devel-2.5.8-1.el5.x86_64.rpm
libpurple-perl-2.5.8-1.el5.x86_64.rpm
libpurple-tcl-2.5.8-1.el5.x86_64.rpm
pidgin-2.5.8-1.el5.i386.rpm
pidgin-2.5.8-1.el5.x86_64.rpm
pidgin-debuginfo-2.5.8-1.el5.i386.rpm
pidgin-debuginfo-2.5.8-1.el5.x86_64.rpm
pidgin-devel-2.5.8-1.el5.i386.rpm
pidgin-devel-2.5.8-1.el5.x86_64.rpm
pidgin-perl-2.5.8-1.el5.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package
7. References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1889
http://www.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is . More contact
details at https://www.redhat.com/security/team/contact/
Copyright 2009 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)
iD8DBQFKTNF/XlSAg2UNWIIRAr8lAKCr/4odojtnNTEP/gqW9lDWfQjv5wCgkjsb
3ibMWjOdc4L9r3p2PHAGfFA=
=WHwQ
-----END PGP SIGNATURE-----
"
This entry was posted
on 2:55 PM
.
You can leave a response
and follow any responses to this entry through the
Subscribe to:
Post Comments (Atom)
.
Archives
-
▼
2009
(418)
-
►
November
(20)
- RHSA-2009:1562-01 Important: tomcat security updat...
- USN-853-2: Firefox and Xulrunner regression
- USN-854-1: GD library vulnerabilities
- DSA 1928-1: New Linux 2.6.24 packages fix several ...
- RHSA-2009:1540-01 Important: kernel-rt security, b...
- RHSA-2009:1550-01 Important: kernel security and b...
- RHSA-2009:1541-01 Important: kernel security updat...
- USN-850-3: poppler vulnerabilities
- DSA 1927-1: New Linux 2.6.26 packages fix several ...
- USN-855-1: libhtml-parser-perl vulnerability
- RHSA-2009:1548-01 Important: kernel security and b...
- RHSA-2009:1530-01 Critical: firefox security updat...
- DSA 1924-1: New mahara packages fix several vulner...
- USN-853-1: Firefox and Xulrunner vulnerabilities
- RHSA-2009:1528-01 Moderate: samba security and bug...
- RHSA-2009:1531-01 Critical: seamonkey security upd...
- DSA 1922-1: New xulrunner packages fix several vul...
- DSA 1923-1: New libhtml-parser-perl packages fix d...
- RHSA-2009:1535-01 Moderate: pidgin security update...
- DSA 1921-1: New expat packages fix denial of servi...
-
►
October
(44)
- DSA 1915-1: New Linux 2.6.26 packages fix several ...
- RHSA-2009:1529-01 Moderate: samba security update
- USN-850-2: poppler regression
- GLSA 200910-03 Adobe Reader: Multiple vulnerabili...
- DSA 1919-1: New smarty packages fix several vulner...
- DSA 1917-1: New mimetex packages fix several vulne...
- DSA 1912-2: New advi packages fix arbitrary code e...
- GLSA 200910-02 Pidgin: Multiple vulnerabilities
- USN-850-1: poppler vulnerabilities
- RHSA-2009:1522-01 Moderate: kernel security and bu...
- RHSA-2009:1512-01 Important: kdegraphics security ...
- DSA 1912-1: New camlimages fix arbitrary code exec...
- DSA 1913-1: New bugzilla packages fix SQL injectio...
- DSA 1911-1: New pygresql packages provide secure e...
- RHSA-2009:1499-01 Critical: acroread security upda...
- RHSA-2009:1501-01 Important: xpdf security update
- USN-848-1: Zope vulnerabilities
- RHSA-2009:1503-01 Important: gpdf security update
- RHSA-2009:1505-01 Moderate: java-1.4.2-ibm securit...
- RHSA-2009:1504-01 Important: poppler security and ...
- DSA 1910-1: New mysql-ocaml packages provide secur...
- USN-849-1: libsndfile vulnerabilities
- RHSA-2009:1502-01 Important: kdegraphics security ...
- RHSA-2009:1513-01 Moderate: cups security update
- USN-847-1: Devscripts vulnerability
- DSA 1895-2: New opensaml2 and shibboleth-sp2 packa...
- DSA 1906-1: End-of-life announcement for clamav in...
- USN-846-1: ICU vulnerability
- USN-845-1: Pan vulnerability
- RHSA-2009:1484-01 Moderate: postgresql security up...
-
▼
July
(26)
- DSA 1845-1: New Linux 2.6.26 packages fix several ...
- RHSA-2009:1185-01 Critical: seamonkey security upd...
- DSA 1839-1: New gst-plugins-good0.10 packages fix ...
- RHSA-2009:1162-01 Critical: firefox security updat...
- GLSA 200907-16 Python: Integer overflows
- DSA 1837-1: New dbus packages fix denial of servic...
- DSA 1836-1: New fckeditor packages fix arbitrary c...
- GLSA 200907-14 Rasterbar libtorrent: Directory tr...
- RHSA-2009:1157-01 Important: kernel-rt security an...
- RHSA-2009:1156-01 Important: httpd security update...
- RHSA-2009:1136-01 Critical: dhcp security update
- DSA 1835-1: New tiff packages fix several vulnerab...
- GLSA 200907-10 Syslog-ng: Chroot escape
- GLSA 200907-12 ISC DHCP: dhcpclient Remote execut...
- USN-799-1: D-Bus vulnerability
- DSA 1753-2: End-of-life announcement for icedove i...
- GLSA 200907-04 Apache: Multiple vulnerabilities
- DSA 1753-2: End-of-life announcement for icedove i...
- DSA 1828-1: New ocsinventory-agent packages fix ar...
- RHSA-2009:1140-02 Moderate: ruby security update
- RHSA-2009:1138-01 Important: openswan security upd...
- USN-797-1: tiff vulnerability
- GLSA 200907-03 APR Utility Library: Multiple vuln...
- RHSA-2009:1139-01 Moderate: pidgin security and bu...
- DSA 1826-1: New eggdrop packages fix several vulne...
- USN-795-1: Nagios vulnerability
-
►
November
(20)
0 comments