Pidgin IM client 2.10.1 fixes crashing vulnerabilities
The Pidgin developers have released version 2.10.1 of their open source instant messenger application to fix several bugs and close security holes found in previous builds. The maintenance and security update addresses a total of four denial-of-service (DoS) vulnerabilities that could be exploited by an attacker to cause the application to be terminated.
According to the developers, three of these issues were caused by incoming strings not being validated as UTF-8, while the fourth was due to a bug in the XMPP protocol plug-in that made it fail if certain required fields were missing in an incoming message. Previous versions up to and including 2.10.0 are affected; upgrading to 2.10.1 fixes these issues – all users are advised to upgrade. Other changes include fixes for Bonjour and IPv6, fetching Yahoo! IM buddy icons, and Gadu-Gadu linking against GnuTLS.
More details about the release, including a full list of changes, can be found in the change log and in the security advisories. Pidgin 2.10.1 is available to download for Windows, Mac OS X and Linux. Hosted on SourceForge, Pidgin is licensed under the GPLv2.
See also:
- SILC remote crash, Pidgin security advisory.
- AIM and ICQ remote crash, Pidgin security advisory.
- XMPP remote crash, Pidgin security advisory.
- SILC remote crash, Pidgin security advisory.
(crve)