Test ID: 1.3.6.1.4.1.25623.1.0.66704
Category: Mandrake Local Security Checks
Title: Mandriva Security Advisory MDVSA-2010:002 (pidgin)
Summary: NOSUMMARY
Description:
The remote host is missing an update to pidgin
announced via advisory MDVSA-2010:002.

A security vulnerability has been identified and fixed in pidgin:

Directory traversal vulnerability in slp.c in the MSN protocol
plugin in libpurple in Pidgin 2.6.4 and Adium 1.3.8 allows
remote attackers to read arbitrary files via a .. (dot dot) in an
application/x-msnmsgrp2p MSN emoticon (aka custom smiley) request,
a related issue to CVE-2004-0122. NOTE: it could be argued that
this is resultant from a vulnerability in which an emoticon download
request is processed even without a preceding text/x-mms-emoticon
message that announced availability of the emoticon (CVE-2010-0013).

This update provides pidgin 2.6.5, which is not vulnerable to this
issue.

Affected: 2010.0

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

http://www.securityspace.com/smysecure/catid.html?in=MDVSA-2010:002
http://pidgin.im/news/security/

Risk factor : Medium

CVSS Score:
5.0

Cross Reference: Common Vulnerability Exposure (CVE) ID: CVE-2004-0122
BugTraq ID: 9828
http://www.securityfocus.com/bid/9828
CERT/CC vulnerability note: VU#688094
http://www.kb.cert.org/vuls/id/688094
Microsoft Security Bulletin: MS04-010
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-010
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A844
XForce ISS Database: msn-ms04010-patch(15427)
https://exchange.xforce.ibmcloud.com/vulnerabilities/15427
XForce ISS Database: msn-request-view-files(15415)
https://exchange.xforce.ibmcloud.com/vulnerabilities/15415
Common Vulnerability Exposure (CVE) ID: CVE-2010-0013
1022203
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1022203.1-1
277450
http://sunsolve.sun.com/search/document.do?assetkey=1-66-277450-1
37953
http://secunia.com/advisories/37953
37954
http://secunia.com/advisories/37954
37961
http://secunia.com/advisories/37961
38915
http://secunia.com/advisories/38915
ADV-2009-3662
http://www.vupen.com/english/advisories/2009/3662
ADV-2009-3663
http://www.vupen.com/english/advisories/2009/3663
ADV-2010-1020
http://www.vupen.com/english/advisories/2010/1020
FEDORA-2010-0368
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033771.html
FEDORA-2010-0429
http://lists.fedoraproject.org/pipermail/package-announce/2010-January/033848.html
MDVSA-2010:085
http://www.mandriva.com/security/advisories?name=MDVSA-2010:085
SUSE-SR:2010:006
http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
[oss-security] 20100102 CVE request - pidgin MSN arbitrary file upload
http://www.openwall.com/lists/oss-security/2010/01/02/1
[oss-security] 20100107 Re: CVE request - pidgin MSN arbitrary file upload
http://www.openwall.com/lists/oss-security/2010/01/07/1
http://www.openwall.com/lists/oss-security/2010/01/07/2
http://d.pidgin.im/viewmtn/revision/info/3d02401cf232459fc80c0837d31e05fae7ae5467
http://d.pidgin.im/viewmtn/revision/info/4be2df4f72bd8a55cdae7f2554b73342a497c92f
http://d.pidgin.im/viewmtn/revision/info/c64a1adc8bda2b4aeaae1f273541afbc4f71b810
http://developer.pidgin.im/viewmtn/revision/diff/3d02401cf232459fc80c0837d31e05fae7ae5467/with/c64a1adc8bda2b4aeaae1f273541afbc4f71b810/libpurple/protocols/msn/slp.c
http://events.ccc.de/congress/2009/Fahrplan/events/3596.en.html
https://bugzilla.redhat.com/show_bug.cgi?id=552483
oval:org.mitre.oval:def:10333
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10333
oval:org.mitre.oval:def:17620
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17620
Copyright: Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com
