Synopsis: Moderate: pidgin security, bug fix, and enhancement
Advisory ID: SLSA-2017:1854-1
Issue Date: 2017-08-01
CVE Numbers: CVE-2014-3694
             CVE-2014-3695
             CVE-2014-3696
             CVE-2014-3698
             CVE-2017-2640
--

The following packages have been upgraded to a later upstream version: pidgin (2.10.11).

Security Fix(es):

* A denial of service flaw was found in the way Pidgin's Mxit plug-in handled emoticons. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to crash Pidgin by sending a specially crafted emoticon. (CVE-2014-3695)

* A denial of service flaw was found in the way Pidgin parsed Groupwise server messages. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to cause Pidgin to consume an excessive amount of memory, possibly leading to a crash, by sending a specially crafted message. (CVE-2014-3696)

* An information disclosure flaw was discovered in the way Pidgin parsed XMPP messages. A malicious remote server or a man-in-the-middle attacker could potentially use this flaw to disclose a portion of memory belonging to the Pidgin process by sending a specially crafted XMPP message. (CVE-2014-3698)

* An out-of-bounds write flaw was found in the way Pidgin processed XML content. A malicious remote server could potentially use this flaw to crash Pidgin or execute arbitrary code in the context of the pidgin process. (CVE-2017-2640)

* It was found that Pidgin's SSL/TLS plug-ins had a flaw in the certificate validation functionality. An attacker could use this flaw to create a fake certificate, that Pidgin would trust, which could be used to conduct man-in-the-middle attacks against Pidgin. (CVE-2014-3694)
--

SL7
  x86_64
    libpurple-2.10.11-5.el7.i686.rpm
    libpurple-2.10.11-5.el7.x86_64.rpm
    pidgin-2.10.11-5.el7.x86_64.rpm
    pidgin-debuginfo-2.10.11-5.el7.i686.rpm
    pidgin-debuginfo-2.10.11-5.el7.x86_64.rpm
    finch-2.10.11-5.el7.i686.rpm
    finch-2.10.11-5.el7.x86_64.rpm
    finch-devel-2.10.11-5.el7.i686.rpm
    finch-devel-2.10.11-5.el7.x86_64.rpm
    libpurple-devel-2.10.11-5.el7.i686.rpm
    libpurple-devel-2.10.11-5.el7.x86_64.rpm
    libpurple-perl-2.10.11-5.el7.x86_64.rpm
    libpurple-tcl-2.10.11-5.el7.x86_64.rpm
    pidgin-devel-2.10.11-5.el7.i686.rpm
    pidgin-devel-2.10.11-5.el7.x86_64.rpm
    pidgin-perl-2.10.11-5.el7.x86_64.rpm

- Scientific Linux Development Team