{"id":"MGASA-2017-0102","summary":"Updated pidgin packages fix security vulnerability","details":"A server controlled by an attacker can send an invalid XML that can\ntrigger an out-of-bound memory access. This might lead to a crash or, in\nsome extreme cases, to remote code execution in the client-side\n(CVE-2017-2640).\n\nThe pidgin package has been updated to version 2.12.0, which fixes this\nissue and other bugs, including certificate validation for the Google Talk\nprotocol. It also removes protocol plugins for services that are no longer\navailable or supported.  See the upstream ChangeLog for details.\n","modified":"2026-04-16T06:25:46.718666490Z","published":"2017-04-04T06:44:05Z","upstream":["CVE-2017-2640"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2017-0102.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=20442"},{"type":"WEB","url":"http://pidgin.im/news/security/?id=109"},{"type":"WEB","url":"https://bitbucket.org/pidgin/www/src/tip/htdocs/ChangeLog?fileviewer=file-view-default"},{"type":"WEB","url":"https://www.debian.org/security/2017/dsa-3806"}],"affected":[{"package":{"name":"pidgin","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/pidgin?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.12.0-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2017-0102.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}