-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Philipp Kern wrote:
> On Mon, Aug 24, 2009 at 09:26:46AM -0400, Ari Pollak wrote:
>> Bug #542891 covers a security bug that will probably be getting a CVE
>> number and affects all supported versions of Debian, but the security
>> team indicated that it isn't important enough to warrant a DSA. So I was
>> planning on uploading an update to lenny and etch with the fix.
>
> That's ok. It would be cool however if you could post debdiffs for
> both before you upload them to proposed-updates.
Here's the diff for lenny. Apparently etch isn't affected by this bug since it never claimed to require SSL/TLS, so I won't be updating that.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEAREDAAYFAkqVR6AACgkQwO+u47cOQDsQ7QCgiy/BtpNOr4bXuWycFlLqcgR1
3KUAnAlNnRmEyisdwECAfyL3X3ozaKNX
=gyK9
-----END PGP SIGNATURE-----
diff -Nru pidgin-2.4.3/debian/changelog pidgin-2.4.3/debian/changelog --- pidgin-2.4.3/debian/changelog 2009-08-26 14:31:07.000000000 +0000 +++ pidgin-2.4.3/debian/changelog 2009-08-26 14:31:08.000000000 +0000 @@ -1,3 +1,11 @@ +pidgin (2.4.3-4lenny4) stable; urgency=medium + + * debian/patches/35_xmpp-require-ssl.patch: + - Fix XMPP not properly enforcing "Require SSL/TLS" on some older + servers (Closes: #542891) + + -- Ari Pollak <a...@debian.org> Tue, 25 Aug 2009 09:53:14 -0400 + pidgin (2.4.3-4lenny3) stable-security; urgency=low * debian/patches/33_ssl-nss-self-signed-crash.patch: diff -Nru pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch --- pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch 1970-01-01 00:00:00.000000000 +0000 +++ pidgin-2.4.3/debian/patches/35_xmpp-require-ssl.patch 2009-08-26 14:31:08.000000000 +0000 
@@ -0,0 +1,28 @@ +# +# +# patch "libpurple/protocols/jabber/auth.c" +# from [c6da33813f947a747b08aec752db34db121516fd] +# to [4846e5134fd09bde6ad21cd0b75b64693e90e5ea] +# +============================================================ +--- libpurple/protocols/jabber/auth.c c6da33813f947a747b08aec752db34db121516fd ++++ libpurple/protocols/jabber/auth.c 4846e5134fd09bde6ad21cd0b75b64693e90e5ea +@@ -689,6 +689,18 @@ void jabber_auth_start_old(JabberStream + JabberIq *iq; + xmlnode *query, *username; + ++ /* We can end up here without encryption if the server doesn't support ++ * <stream:features/> and we're not using old-style SSL. If the user ++ * is requiring SSL/TLS, we need to enforce it. ++ */ ++ if (js->gsc == NULL && ++ purple_account_get_bool(purple_connection_get_account(js->gc), "require_tls", FALSE)) { ++ purple_connection_error_reason (js->gc, ++ PURPLE_CONNECTION_ERROR_ENCRYPTION_ERROR, ++ _("You require encryption, but it is not available on this server.")); ++ return; ++ } ++ + #ifdef HAVE_CYRUS_SASL + /* If we have Cyrus SASL, then passwords will have been set + * to OPTIONAL for this protocol. So, we need to do our own
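Review bot: the changelog entry for 2.4.3-4lenny4 says only "on some older servers", while the patch comment states the actual trigger precisely: the server does not send <stream:features/> and the account is not using old-style SSL. Put that condition in the changelog line (and, since the cover mail expects a CVE, leave room to add it next to "Closes: #542891"), because the patch header itself records only monotone revision hashes (c6da33813f94... to 4846e5134fd0...) and gives a stable-update reader no way to tell whether their server was affected.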
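Review bot: the new guard in jabber_auth_start_old reads the option with `purple_account_get_bool(..., "require_tls", FALSE)`, so an account that never had the setting written to accounts.xml is treated as not requiring encryption; confirm that FALSE matches the default registered for the "require_tls" account option, otherwise an account left at its default still falls through to a plaintext <iq> auth on exactly the servers this patch targets. The comment limits this path to servers without <stream:features/>, which means the <stream:features/> route is not touched by this hunk; confirm that route already refuses to authenticate when TLS is required but `js->gsc` is NULL, since the fix here covers only the legacy path. The early `return;` after the error is right, as it keeps the <iq> query from being built and sent. Minor: drop the space before the parenthesis in `purple_connection_error_reason (js->gc,` to match the other calls in the same hunk (`purple_account_get_bool(`, `purple_connection_get_account(`).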
Attachment: pidgin_2.4.3-4lenny4.debdiff.sig (binary data)