Changes between Version 102 and Version 103 of ChangeLog


Timestamp:
Oct 22, 2014, 2:17:09 PM (9 years ago)
Author:
MarkDoliner
Comment:

Updates for 2.10.10

  • ChangeLog

    v102 v103  
    11= !ChangeLog: Pidgin and Finch - The Pimpin' Penguin IM Clients That're Good For The Soul! =
     2
     3== version 2.10.10 (10/22/2014) ==
     4[/query?status=closed&milestone=2.10.10 View all closed tickets for this release.]
     5  * '''General'''
     6    * Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694)
     7    * Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL. (Elrond and Ashish Gupta) (#15909)
     8
     9  * '''libpurple3 compatibility'''
     10    * Encrypted account passwords are preserved until the new one is set.
     11    * Fix loading Google Talk and Facebook XMPP accounts.
     12
     13  * '''Windows-Specific Changes'''
     14    * Don't allow overwriting arbitrary files on the file system when the
     15          user installs a smiley theme via drag-and-drop. (Discovered by Yves
     16          Younan of Cisco Talos) (CVE-2014-3697)
     17    * Updates to dependencies
     18      * NSS 3.17.1 and NSPR 4.10.7
     19
     20  * '''Finch'''
     21    * Fix build against Python 3. (Ed Catmur) (#15969)
     22
     23  * '''Gadu-Gadu'''
     24    * Updated internal libgadu to version 1.12.0.
     25
     26  * '''Groupwise'''
     27    * Fix potential remote crash parsing server message that indicates that a large amount of memory should be allocated. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3696)
     28
     29  * '''IRC'''
     30    * Fix a possible leak of unencrypted data when using /me command with OTR. (Thijs Alkemade) (#15750)
     31
     32  * '''MXit'''
     33    * Fix potential remote crash parsing a malformed emoticon response. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3695)
     34
     35  * '''XMPP'''
     36    * Fix potential information leak where a malicious XMPP server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory. (Discovered and fixed by Thijs Alkemade and Paul Aurich) (CVE-2014-3698)
     37    * Fix Facebook XMPP roster quirks. (#15041, #15957)
     38
     39  * '''Yahoo'''
     40    * Fix login when using the GnuTLS library for TLS connections. (#16172)
     41
    242
    343== version 2.10.9 (2/2/2014) ==
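Review bot: The Windows-Specific Changes entry for CVE-2014-3697 (new lines 14-16) is hard-wrapped across three lines with deep continuation indentation, while every other entry in the 2.10.10 block sits on a single line. Joining it into one line ("Don't allow overwriting arbitrary files on the file system when the user installs a smiley theme via drag-and-drop. ...") would keep the list markup consistent and avoid the continuation lines being treated differently from the bullet they belong to. Separately, the five CVE entries are spread across the General, Windows, Groupwise, MXit and XMPP headings with no marker that they are security fixes; a consistent prefix or a short summary line at the top of the release block would let readers find them without scanning every bullet.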