|
|
| Problem Description |
The NSS plugin in libpurple in Pidgin 2.4.1 does not verify SSL
certificates, which makes it easier for remote attackers to trick
a user into accepting an invalid server certificate for a spoofed
service. (CVE-2008-3532)
Pidgin 2.4.1 allows remote attackers to cause a denial of service
(crash) via a long filename that contains certain characters, as
demonstrated using an MSN message that triggers the crash in the
msn_slplink_process_msg function. (CVE-2008-2955)
The UPnP functionality in Pidgin 2.0.0, and possibly other versions,
allows remote attackers to trigger the download of arbitrary files
and cause a denial of service (memory or disk consumption) via a UDP
packet that specifies an arbitrary URL. (CVE-2008-2957)
The updated packages have been patched to fix these issues.
| Updated Packages |
Mandriva Linux 2008.1
8d986cf90ce366f40da1ed22f99227e2 2008.1/i586/finch-2.4.1-2.3mdv2008.1.i586.rpm 1591abeaedbde92f9e851fc163ecbc14 2008.1/i586/libfinch0-2.4.1-2.3mdv2008.1.i586.rpm 81b2f07e1a3e82683dd761e913630ae8 2008.1/i586/libpurple0-2.4.1-2.3mdv2008.1.i586.rpm bc958e4178ea9037b2faef5e46fdc367 2008.1/i586/libpurple-devel-2.4.1-2.3mdv2008.1.i586.rpm 9ad56f8214068aa578c74de4476b6a21 2008.1/i586/pidgin-2.4.1-2.3mdv2008.1.i586.rpm 97e7beb6d69c8cd48427845537cd7092 2008.1/i586/pidgin-bonjour-2.4.1-2.3mdv2008.1.i586.rpm 4bc7839dba2efbe27fb814be39c0e2d3 2008.1/i586/pidgin-client-2.4.1-2.3mdv2008.1.i586.rpm 551a0888b40c5b234f14d9814a9249d2 2008.1/i586/pidgin-gevolution-2.4.1-2.3mdv2008.1.i586.rpm 86ccded472fa0974e1a28be7d559ff4a 2008.1/i586/pidgin-i18n-2.4.1-2.3mdv2008.1.i586.rpm 37869e45dee88264c183faf4f4ad5140 2008.1/i586/pidgin-meanwhile-2.4.1-2.3mdv2008.1.i586.rpm 0c424324da44beb62b61243106fc3599 2008.1/i586/pidgin-mono-2.4.1-2.3mdv2008.1.i586.rpm c61e9c1cd651abcc805970df7dcae18a 2008.1/i586/pidgin-perl-2.4.1-2.3mdv2008.1.i586.rpm fbc16077149cff9111bda6ada529ef5f 2008.1/i586/pidgin-silc-2.4.1-2.3mdv2008.1.i586.rpm f97215d6643336a155e298a404386d7e 2008.1/i586/pidgin-tcl-2.4.1-2.3mdv2008.1.i586.rpm a7816e51fd0c35798accad228aa67be9 2008.1/SRPMS/pidgin-2.4.1-2.3mdv2008.1.src.rpm
Mandriva Linux 2008.1/X86_64
63ba74e6aeae1f940cdd4b5d6af3128b 2008.1/x86_64/finch-2.4.1-2.3mdv2008.1.x86_64.rpm c9cbed1c7267fd449e6c26ad8454e438 2008.1/x86_64/lib64finch0-2.4.1-2.3mdv2008.1.x86_64.rpm 739eeb3e632023f89acd9e4baf826590 2008.1/x86_64/lib64purple0-2.4.1-2.3mdv2008.1.x86_64.rpm e63ce782ee2e8b9e157fa85ccd7f4511 2008.1/x86_64/lib64purple-devel-2.4.1-2.3mdv2008.1.x86_64.rpm e80d06d3e544b29f406c291a23b005b8 2008.1/x86_64/pidgin-2.4.1-2.3mdv2008.1.x86_64.rpm 5aa3f2383fd83b025efa28bf9b6d817d 2008.1/x86_64/pidgin-bonjour-2.4.1-2.3mdv2008.1.x86_64.rpm cea0458cbf8fb2e16131e33a7f1e2587 2008.1/x86_64/pidgin-client-2.4.1-2.3mdv2008.1.x86_64.rpm 54327daad8ed2658fe9c9bbe8482f388 2008.1/x86_64/pidgin-gevolution-2.4.1-2.3mdv2008.1.x86_64.rpm 08d375b245f16b41077e6e9baf82c6df 2008.1/x86_64/pidgin-i18n-2.4.1-2.3mdv2008.1.x86_64.rpm 536edfbb015f173dcc09a7c4481b20cd 2008.1/x86_64/pidgin-meanwhile-2.4.1-2.3mdv2008.1.x86_64.rpm 6747c3d56d317d3733bea26a2d18fe9a 2008.1/x86_64/pidgin-mono-2.4.1-2.3mdv2008.1.x86_64.rpm ae3767379a0ccbcc577d8521fbed8432 2008.1/x86_64/pidgin-perl-2.4.1-2.3mdv2008.1.x86_64.rpm 5e8b1bfd757e596536e0c0fa8f680aea 2008.1/x86_64/pidgin-silc-2.4.1-2.3mdv2008.1.x86_64.rpm 9b2f9b0732f14981423f57454e68b3b1 2008.1/x86_64/pidgin-tcl-2.4.1-2.3mdv2008.1.x86_64.rpm a7816e51fd0c35798accad228aa67be9 2008.1/SRPMS/pidgin-2.4.1-2.3mdv2008.1.src.rpm
| References |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3532
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2957
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2955
| Upgrade |
To upgrade automatically, use MandrivaUpdate.
| Verification |
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command :
rpm --checksig package.rpm
You can get the GPG public key of the Mandriva Security Team to verify the GPG signature of each RPM.
If you use MandrivaUpdate, the verification of md5 checksum and GPG signature is performed automatically for you.