Oval Definition: oval:com.redhat.rhsa:def:20171854
Revision Date: 2017-08-01
Version: 643
Title: RHSA-2017:1854: pidgin security, bug fix, and enhancement update (Moderate)
Description: Pidgin is an instant messaging program which can log in to multiple accounts on multiple instant messaging networks simultaneously.

  • The following packages have been upgraded to a later upstream version: pidgin (2.10.11). (BZ#1369526)

    Security Fix(es):

  • A denial of service flaw was found in the way Pidgin's Mxit plug-in handled emoticons. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to crash Pidgin by sending a specially crafted emoticon. (CVE-2014-3695)

  • A denial of service flaw was found in the way Pidgin parsed Groupwise server messages. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to cause Pidgin to consume an excessive amount of memory, possibly leading to a crash, by sending a specially crafted message. (CVE-2014-3696)

  • An information disclosure flaw was discovered in the way Pidgin parsed XMPP messages. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to disclose a portion of memory belonging to the Pidgin process by sending a specially crafted XMPP message. (CVE-2014-3698)

  • An out-of-bounds write flaw was found in the way Pidgin processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process. (CVE-2017-2640)

  • It was found that Pidgin's SSL/TLS plug-ins had a flaw in the certificate validation functionality. An attacker could use this flaw to create a fake certificate that Pidgin would trust, which could then be used to conduct man-in-the-middle attacks against Pidgin. (CVE-2014-3694)

    Red Hat would like to thank the Pidgin project for reporting these issues. Upstream acknowledges Yves Younan (Cisco Talos) and Richard Johnson (Cisco Talos) as the original reporters of CVE-2014-3695 and CVE-2014-3696; Thijs Alkemade and Paul Aurich as the original reporters of CVE-2014-3698; and Jacob Appelbaum and Moxie Marlinspike as the original reporters of CVE-2014-3694.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.4 Release Notes linked from the References section.
    Family: unix
    Class: patch
    Status:
    Reference(s): CVE-2014-3694
    CVE-2014-3695
    CVE-2014-3696
    CVE-2014-3698
    CVE-2017-2640
    RHSA-2017:1854
    RHSA-2017:1854-01
    Platform(s):Red Hat Enterprise Linux 7
    Red Hat Enterprise Linux 7 (please do not use for >= RHEL-7.5)
    Product(s):
    Definition Synopsis
  • Red Hat Enterprise Linux must be installed
  • OR Package Information
  • Red Hat Enterprise Linux 7 is installed
  • AND
  • finch is earlier than 0:2.10.11-5.el7
  • AND finch is signed with Red Hat redhatrelease2 key
  • finch-devel is earlier than 0:2.10.11-5.el7
  • AND finch-devel is signed with Red Hat redhatrelease2 key
  • libpurple is earlier than 0:2.10.11-5.el7
  • AND libpurple is signed with Red Hat redhatrelease2 key
  • libpurple-devel is earlier than 0:2.10.11-5.el7
  • AND libpurple-devel is signed with Red Hat redhatrelease2 key
  • libpurple-perl is earlier than 0:2.10.11-5.el7
  • AND libpurple-perl is signed with Red Hat redhatrelease2 key
  • libpurple-tcl is earlier than 0:2.10.11-5.el7
  • AND libpurple-tcl is signed with Red Hat redhatrelease2 key
  • pidgin is earlier than 0:2.10.11-5.el7
  • AND pidgin is signed with Red Hat redhatrelease2 key
  • pidgin-devel is earlier than 0:2.10.11-5.el7
  • AND pidgin-devel is signed with Red Hat redhatrelease2 key
  • pidgin-perl is earlier than 0:2.10.11-5.el7
  • AND pidgin-perl is signed with Red Hat redhatrelease2 key
  • Definition Synopsis
  • Release Information
  • Red Hat Enterprise Linux 7 Client is installed
  • OR Red Hat Enterprise Linux 7 Server is installed
  • OR Red Hat Enterprise Linux 7 Workstation is installed
  • OR Red Hat Enterprise Linux 7 ComputeNode is installed
  • AND Package Information
  • finch-devel is earlier than 0:2.10.11-5.el7
  • AND finch-devel is signed with Red Hat redhatrelease2 key
  • OR
  • libpurple-devel is earlier than 0:2.10.11-5.el7
  • AND libpurple-devel is signed with Red Hat redhatrelease2 key
  • OR
  • libpurple-tcl is earlier than 0:2.10.11-5.el7
  • AND libpurple-tcl is signed with Red Hat redhatrelease2 key
  • OR
  • pidgin-devel is earlier than 0:2.10.11-5.el7
  • AND pidgin-devel is signed with Red Hat redhatrelease2 key
  • OR
  • libpurple-perl is earlier than 0:2.10.11-5.el7
  • AND libpurple-perl is signed with Red Hat redhatrelease2 key
  • OR
  • pidgin-perl is earlier than 0:2.10.11-5.el7
  • AND pidgin-perl is signed with Red Hat redhatrelease2 key
  • OR
  • finch is earlier than 0:2.10.11-5.el7
  • AND finch is signed with Red Hat redhatrelease2 key
  • OR
  • libpurple is earlier than 0:2.10.11-5.el7
  • AND libpurple is signed with Red Hat redhatrelease2 key
  • OR
  • pidgin is earlier than 0:2.10.11-5.el7
  • AND pidgin is signed with Red Hat redhatrelease2 key