Critical security vulnerability: Update pidgin-otr to version 4.0.2

Project: Trisquel
Version: 8.0
Component: Packages
Category: bug report
Priority: critical
Assigned: Unassigned
Status: patch (ready)
Description

Trisquel currently has v4.0.0 packaged. http://packages.trisquel.info/search?keywords=pidgin-otr&searchon=names&suite=all&section=all

See below for the security vulnerability:
-----------------------
9 Mar 2016

Security update: libotr version 4.1.1

Versions 4.1.0 and earlier of libotr in 64-bit builds contain an integer overflow security flaw. This flaw could potentially be exploited by a remote attacker to cause a heap buffer overflow and subsequently for arbitrary code to be executed on the user's machine.

CVE-2016-2851 has been assigned to this issue.

Please upgrade to libotr version 4.1.1 immediately.

Users of libotr packages in Linux and *BSD distributions should see updated packages shortly.

This security release includes the following updates:

Fix an integer overflow bug that can cause a heap buffer overflow (and from there remote code execution) on 64-bit platforms
Fix possible free() of an uninitialized pointer
Be stricter about parsing v3 fragments
Add a testsuite ("make check" to run it), but only on Linux for now, since it uses Linux-specific features such as epoll
Fix a memory leak when reading a malformed instance tag file
Protocol documentation clarifications

pidgin-otr version 4.0.2 released

This point release includes the following updates:

Fix use-after-free issue during SMP
Updated Spanish, German, Norwegian Bokmål translations
New Danish translation
The Windows binary has been linked with updated versions of libotr, libgcrypt, libgpg-error, and other supporting libraries
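As an added example (not part of this report or of the libotr project), a small check an administrator can run over `dpkg-query -W -f='${Package} ${Version}\n'` output to flag installed packages older than the fixed releases named above (libotr 4.1.1, pidgin-otr 4.0.2). The binary package name `libotr5` and the sample dpkg output are assumptions constructed for illustration.

```python
"""Flag installed libotr / pidgin-otr packages older than the fixed versions.

Added example, not code from the bug report or from libotr. The package name
'libotr5' and the sample dpkg-query output below are constructed assumptions.
"""
import re

# Fixed upstream versions named in the advisory quoted above.
FIXED = {"libotr5": "4.1.1", "pidgin-otr": "4.0.2"}


def upstream_version(debian_version):
    """Strip a Debian epoch ('1:') and revision ('-2.2ubuntu1') from a version."""
    v = debian_version.split(":", 1)[-1] if ":" in debian_version else debian_version
    return v.rsplit("-", 1)[0] if "-" in v else v


def version_key(version):
    """Turn '4.1.1' (or '4.1.1+dfsg') into a tuple of ints for numeric comparison."""
    key = []
    for part in re.split(r"[.+~]", version):
        m = re.match(r"(\d+)", part)
        key.append(int(m.group(1)) if m else 0)
    return tuple(key)


def is_vulnerable(package, debian_version):
    """True if the installed upstream version is older than the fixed one."""
    fixed = FIXED.get(package)
    if fixed is None:
        return False
    have, want = version_key(upstream_version(debian_version)), version_key(fixed)
    n = max(len(have), len(want))  # pad so 4.0.2 and 4.0.2.0 compare equal
    return have + (0,) * (n - len(have)) < want + (0,) * (n - len(want))


def check_dpkg_output(text):
    """Parse 'name version' lines and return (name, installed, fixed) for old packages."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version = line.split(None, 1)
        if is_vulnerable(name, version.strip()):
            findings.append((name, version.strip(), FIXED[name]))
    return findings


# Constructed sample output mirroring the v4.0.0 packages this report describes.
SAMPLE = """libotr5 4.0.0-2.2ubuntu1
pidgin-otr 4.0.0-2.2
libgcrypt20 1.6.5-2ubuntu0.3
"""

if __name__ == "__main__":
    for name, have, want in check_dpkg_output(SAMPLE):
        print(f"{name}: installed {have}, fixed in {want}")
```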

Sun, 10/02/2016 - 21:54

Trisquel periodically mirrors Ubuntu servers. I don't know the time interval. Or, maybe the package has some build problems on Trisquel servers.