Pidgin IM client 2.10.2 closes DoS holes
Version 2.10.2 of the open source Pidgin instant messaging program has been released. According to its developers, the maintenance and security update brings a number of changes and addresses two denial-of-service (DoS) vulnerabilities that could be exploited by an attacker to cause the application to be terminated.
The remote crashes are triggered when the MSN server sends messages that are not UTF-8 encoded, and when certain types of nickname changes occur in chat rooms using the XMPP protocol. Versions up to and including 2.10.1 are affected. Pidgin 2.10.2 fixes these issues and all users are advised to upgrade.
Non-security-related changes include support for a new version of the MSN protocol (MSNP18), fixes for the Bonjour protocol plugin on Windows systems, and the addition of support for the GNOME3 Network and Default Application dialog. The libpurple library, used by Pidgin and other IM clients such as Adium and Meebo, has also been updated to support new connection states and signals for NetworkManager 0.9+.
Further information about the update, including a full list of changes, can be found in the security advisories and in the change log. Pidgin 2.10.2 is available to download from the project's site. Hosted on SourceForge, Pidgin is licensed under the GPLv2.
See also:
- XMPP remote crash, Pidgin security advisory.
- Possible MSN remote crash, Pidgin security advisory.
(crve)