[Tails-dev] Please review & merge bugfix/disable-flawed-Pidg…

Author: intrigeri
Date:
To: tails-dev
Subject: [Tails-dev] Please review & merge bugfix/disable-flawed-Pidgin-features
Hi,

A few security issues were discovered in Pidgin recently
(CVE-2013-0271, CVE-2013-0272, CVE-2013-0273, CVE-2013-0274).

Three of those affect specific protocols (mxit and sametime),
and another one is about UPnP that is disabled in Tails' Pidgin
configuration by default.

The maintainer of Pidgin in Debian has no time to quickly issue
a security update for stable right now, and at first glance the
upstream patches don't trivially apply to stable's Pidgin. Given our
0.17 release schedule, I think we should work around these issues in
the easiest and quickest way.

So, I propose we simply delete the shared libraries that implement
mxit and sametime, the same way we do it for the msn support already.

Implemented in bugfix/disable-flawed-Pidgin-features,
candidate for 0.17 => please review and merge into testing and devel.

If nobody has time to review and merge that until the time I build the
final image tomorrow, then I guess I'll take the liberty to do
it myself.

Cheers,
--
intrigeri
| GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
| OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc