Debian: DEBIAN:6C66FF1FED0807E471D4F534753D710A:E953F
Jan 29, 2010 - 7:06 a.m.

[Backports-security-announce] Security Update for pidgin

2010-01-29 07:06:11
lists.debian.org

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.072
Percentile: 94.1%

Jan Wagner uploaded a new package for pidgin which fixed the following
security problem:

CVE-2010-0013[1] and Debian Bug #563206[2]

It was discovered that Pidgin did not properly handle custom smiley
requests in the MSN protocol handler. A remote attacker could send a
specially crafted filename in a custom smiley request and obtain arbitrary
files via directory traversal.

For the lenny distribution the problem has been fixed soon in
version 2.4.3-4lenny5.

For the sid distribution the problem has been fixed in
version 2.6.5-2.

Upgrade instructions

If you don't use pinning (see [1]) you have to update nagios3
manually via "apt-get -t etch-backports install nagios".
[1] <http://backports.org/dokuwiki/doku.php?id=instructions>

We recommend pinning the backports repository to 200 so that new versions
of installed backports are installed automatically:

Package: *
Pin: release a=lenny-backports
Pin-Priority: 200

[1] http://security-tracker.debian.org/tracker/CVE-2010-0013
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=563206

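The directory traversal described in the advisory, shown as an added illustration of the bug class and a defensive check. This is not Pidgin's code or the actual patch; the directory SMILEY_DIR and all function names are hypothetical, and the sample names are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical cache directory for this sketch; not a path Pidgin uses. */
#define SMILEY_DIR "/var/cache/im/smileys"

/* "Before": the peer-supplied name is joined to the directory unchecked,
 * so "../" components in the name walk out of SMILEY_DIR. */
int smiley_path_naive(const char *name, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/%s", SMILEY_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* A name is acceptable only if it is a single path component. */
int smiley_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0' ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    /* Reject both separator styles; the name arrives from a remote peer. */
    if (strpbrk(name, "/\\") != NULL)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;               /* control characters */
    return 1;
}

/* "After": validate first, then build the path. Returns 0 on success,
 * -1 if the name is rejected or the buffer is too small. */
int smiley_path_checked(const char *name, char *out, size_t outlen)
{
    if (!smiley_name_is_safe(name))
        return -1;
    return smiley_path_naive(name, out, outlen);
}

int main(void)
{
    /* Constructed sample names, standing in for names sent by a peer. */
    const char *samples[] = { "grin.png", "../../etc/hostname", "..", "a\\b.png" };
    char path[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = smiley_path_checked(samples[i], path, sizeof path);
        printf("%-22s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Resolving the final path and confirming it still lies under the intended directory is a useful second layer on top of the name check.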
