Pidgin update fixes security vulnerabilities
The Pidgin developers have released version 2.6.6 of their open source instant messenger application. In addition to the usual changes and bug fixes, the maintenance and security update addresses a total of three vulnerabilities in the multi-platform instant messaging client.
A vulnerability in Finch, caused by certain nicknames in group chat rooms, can lead to a remote crash; however, the developers note that they "do not believe there is a possibility of remote code execution". To address an exploit in Pidgin that could lead to a potential denial of service (DoS) situation when displaying a large number of emoticons, the developers have set a maximum number of 'smileys' (emoticons) allowed in an individual conversation. A third vulnerability, in the MSN protocol plug-in, that could cause a possible remote crash when parsing an incoming SLP message has also been fixed. The developers advise all users to update to the latest release.
More details about the release can be found in the change log. Pidgin 2.6.6 is available to download for Windows, Mac OS X and Linux. Pidgin is released under the GNU General Public License (GPL).
See also:
- Smiley denial of service, Pidgin security advisory.
- Finch XMPP MUC crash, Pidgin security advisory.
- MSN malformed SLP message crash, Pidgin security advisory.
(crve)