Critical security vulnerability: Update pidgin-otr to version 4.0.2
Project: Trisquel
Version: 8.0
Component: Packages
Category: bug report
Priority: critical
Assigned: Unassigned
Status: closed
Trisquel currently has v4.0.0 packaged: http://packages.trisquel.info/search?keywords=pidgin-otr&searchon=names&suite=all&section=all
See below for the security vulnerability:
-----------------------
9 Mar 2016
Security update: libotr version 4.1.1
Versions 4.1.0 and earlier of libotr in 64-bit builds contain an integer overflow security flaw. This flaw could potentially be exploited by a remote attacker to cause a heap buffer overflow and subsequently for arbitrary code to be executed on the user's machine.
CVE-2016-2851 has been assigned to this issue.
Please upgrade to libotr version 4.1.1 immediately.
Users of libotr packages in Linux and *BSD distributions should see updated packages shortly.
This security release includes the following updates:
Fix an integer overflow bug that can cause a heap buffer overflow (and from there remote code execution) on 64-bit platforms
Fix possible free() of an uninitialized pointer
Be stricter about parsing v3 fragments
Add a testsuite ("make check" to run it), but only on Linux for now, since it uses Linux-specific features such as epoll
Fix a memory leak when reading a malformed instance tag file
Protocol documentation clarifications
pidgin-otr version 4.0.2 released
This point release includes the following updates:
Fix use-after-free issue during SMP
Updated Spanish, German, Norwegian Bokmål translations
New Danish translation
The Windows binary has been linked with updated versions of libotr, libgcrypt, libgpg-error, and other supporting libraries
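A quick way to tell whether a given machine still carries an affected build is to compare the installed package versions against the fixed releases named above (libotr 4.1.1 and pidgin-otr 4.0.2). The script below is an added example written for this page; it is not part of the bug report or of the libotr/pidgin-otr projects. It assumes Debian-style package names as used on Trisquel/Ubuntu (`libotr5` and `pidgin-otr`) and `dpkg-query`; the version comparison itself is plain POSIX sh so it can be reused with other package queries.

```shell
#!/bin/sh
# Added example, not from the bug report or the libotr/pidgin-otr projects:
# check whether the installed libotr and pidgin-otr packages are at or above
# the fixed versions named in the advisory (libotr 4.1.1, pidgin-otr 4.0.2).
# Assumption: Debian-style package names (libotr5, pidgin-otr) and dpkg-query,
# as on Trisquel/Ubuntu. Adjust the names and the query for other distributions.

# Reduce a Debian version string to its upstream part: drop an "epoch:" prefix
# and a "-revision" suffix, e.g. "1:4.0.0-2ubuntu1" -> "4.0.0".
upstream_version() {
    v=$1
    v=${v#*:}
    v=${v%%-*}
    printf '%s\n' "$v"
}

# version_ge A B: succeed (exit 0) if dotted version A is >= B.
# Fields are compared numerically one at a time; missing fields count as 0 and
# non-digit characters inside a field (e.g. "1rc2") are ignored.
version_ge() {
    a=$(upstream_version "$1")
    b=$(upstream_version "$2")
    while [ -n "$a" ] || [ -n "$b" ]; do
        case $a in
            *.*) ah=${a%%.*}; a=${a#*.} ;;
            *)   ah=$a;       a= ;;
        esac
        case $b in
            *.*) bh=${b%%.*}; b=${b#*.} ;;
            *)   bh=$b;       b= ;;
        esac
        ah=$(printf '%s' "$ah" | tr -cd '0-9'); ah=${ah:-0}
        bh=$(printf '%s' "$bh" | tr -cd '0-9'); bh=${bh:-0}
        [ "$ah" -gt "$bh" ] && return 0
        [ "$ah" -lt "$bh" ] && return 1
    done
    return 0
}

# check_pkg NAME FIXED: report the installed version of NAME against FIXED.
# Returns 0 when the package is fixed or not installed (nothing to patch),
# 1 when an older, affected build is installed.
check_pkg() {
    name=$1
    fixed=$2
    inst=$(dpkg-query -W -f '${Version}' "$name" 2>/dev/null) || inst=
    if [ -z "$inst" ]; then
        printf '%s: not installed\n' "$name"
        return 0
    fi
    if version_ge "$inst" "$fixed"; then
        printf '%s: %s (>= %s, fixed)\n' "$name" "$inst" "$fixed"
        return 0
    fi
    printf '%s: %s (< %s, AFFECTED, upgrade required)\n' "$name" "$inst" "$fixed"
    return 1
}

# Exit non-zero if either package is still at an affected version, so the
# script can be used from automation.
main() {
    rc=0
    check_pkg libotr5 4.1.1 || rc=1
    check_pkg pidgin-otr 4.0.2 || rc=1
    return $rc
}

main "$@"
```

Note that the libotr fix is what closes CVE-2016-2851; pidgin-otr 4.0.2 is the plugin-side update, and on a system where Pidgin is linked against the distribution's shared libotr it is the `libotr5` version that matters for the overflow.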
Trisquel periodically mirrors Ubuntu servers. I don't know the time interval. Or, maybe the package has some build problems on Trisquel servers.
Trisquel 8.0 support ended in April 2021.
Please open a new issue in case it remains on the current supported release.
Cheers!