Accepting request 220556 from GNOME:Apps

Update to ver 2.10.8 (forwarded request 220401 from RBrownCCB)

OBS-URL: https://build.opensuse.org/request/show/220556
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/pidgin?expand=0&rev=100

pidgin.changes

@@ -1,3 +1,96 @@
+-------------------------------------------------------------------
+Wed Jan 29 20:55:39 UTC 2014 - zaitor@opensuse.org
+
+- Update to version 2.10.8:
+  + General: Python build scripts and example plugins are now
+    compatible with Python 3 (pidgin.im#15624).
+  + libpurple:
+    - Fix potential crash if libpurple gets an error attempting to
+      read a reply from a STUN server (CVE-2013-6484).
+    - Fix potential crash parsing a malformed HTTP response
+      (CVE-2013-6479).
+    - Fix buffer overflow when parsing a malformed HTTP response
+      with chunked Transfer-Encoding (CVE-2013-6485).
+    - Better handling of HTTP proxy responses with negative
+      Content-Lengths.
+    - Fix handling of SSL certificates without subjects when
+      using libnss.
+    - Fix handling of SSL certificates with timestamps in the
+      distant future when using libnss (pidgin.im#15586).
+    - Impose maximum download size for all HTTP fetches.
+  + Pidgin:
+    - Fix crash displaying tooltip of long URLs (CVE-2013-6478).
+    - Better handling of URLs longer than 1000 letters.
+    - Fix handling of multibyte UTF-8 characters in smiley themes
+      (pidgin.im#15756).
+  + AIM: Fix untrusted certificate error.
+  + AIM and ICQ: Fix a possible crash when receiving a malformed
+    message in a Direct IM session.
+  + Gadu-Gadu:
+    - Fix buffer overflow with remote code execution potential.
+      Only triggerable by a Gadu-Gadu server or a
+      man-in-the-middle (CVE-2013-6487).
+    - Disabled buddy list import/export from/to server.
+    - Disabled new account registration and password change
+      options.
+  + IRC:
+    - Fix bug where a malicious server or man-in-the-middle
+      could trigger a crash by not sending enough arguments with
+      various messages (CVE-2014-0020).
+    - Fix bug where initial IRC status would not be set correctly.
+    - Fix bug where IRC wasn't available when libpurple was
+      compiled with Cyrus SASL support (pidgin.im#15517).
+  + MSN:
+    - Fix NULL pointer dereference parsing headers in MSN
+      (CVE-2013-6482).
+    - Fix NULL pointer dereference parsing OIM data in MSN
+      (CVE-2013-6482).
+    - Fix NULL pointer dereference parsing SOAP data in MSN
+      (CVE-2013-6482).
+    - Fix possible crash when sending very long messages. Not
+      remotely-triggerable.
+  + MXit:
+    - Fix buffer overflow with remote code execution potential
+      (CVE-2013-6487).
+    - Fix sporadic crashes that can happen after user is
+      disconnected.
+    - Fix crash when attempting to add a contact via search
+      results.
+    - Show error message if file transfer fails.
+    - Fix compiling with InstantBird.
+    - Fix display of some custom emoticons.
+  + SILC: Correctly set whiteboard dimensions in whiteboard
+    sessions.
+  + SIMPLE: Fix buffer overflow with remote code execution
+    potential (CVE-2013-6487).
+  + XMPP:
+    - Prevent spoofing of iq replies by verifying that the
+      'from' address matches the 'to' address of the iq request
+      (CVE-2013-6483).
+    - Fix crash on some systems when receiving fake delay
+      timestamps with extreme values (CVE-2013-6477).
+    - Fix possible crash or other erratic behavior when selecting a
+      very small file for your own buddy icon.
+    - Fix crash if the user tries to initiate a voice/video session
+      with a resourceless JID.
+    - Fix login errors when the first two available auth mechanisms
+      fail but a subsequent mechanism would otherwise work when
+      using Cyrus SASL (pidgin.im#15524).
+    - Fix dropping incoming stanzas on BOSH connections when we
+      receive multiple HTTP responses at once (pidgin.im#15684).
+  + Yahoo!:
+    - Fix possible crashes handling incoming strings that are not
+      UTF-8 (CVE-2012-6152).
+    - Fix a bug reading a peer to peer message where a remote user
+      could trigger a crash (CVE-2013-6481).
+  + Plugins:
+    - Fix crash in contact availability plugin.
+    - Fix perl function Purple::Network::ip_atoi.
+    - Add Unity integration plugin.
+  + Windows specific fixes: (CVE-2013-6486, pidgin.im#15520,
+    pidgin.im#15521, bgo#668154).
+- Drop pidgin-irc-sasl.patch, fixed upstream.
+
 -------------------------------------------------------------------
 Fri Jan 24 12:56:48 UTC 2014 - dimstar@opensuse.org