Without this patch the configure script might find gconftool-2(1) installed
on the system, and then create and install a schema anyway - and in the
wrong location.
"please commit" dholland@
version 2.10.11 (11/23/14):
General:
* Fix handling of Self-Signed SSL/TLS Certificates when using the NSS
plugin (#16412)
* Improve default cipher suites used with the NSS plugin (#16262)
* Add NSS Preferences plugin which allows the SSL/TLS Versions and
cipher suites to be configured (#8061)
Gadu-Gadu:
* Fix a bug that prevented the plugin from loading when compiled without GnuTLS.
(mancha) (#16431)
* Fix build for platforms without AF_LOCAL definition. (#16404)
MSN:
* Fix broken login due to server change (dx, TReKiE). (#16451, #16455)
* Fail early when buddy list is unavailable instead of wasting bandwidth
endlessly re-trying.
version 2.10.10 (10/22/14):
General:
* Check the basic constraints extension when validating SSL/TLS
certificates. This fixes a security hole that allowed a malicious
man-in-the-middle to impersonate an IM server or any other https
endpoint. This affected both the NSS and GnuTLS plugins. (Discovered
by an anonymous person and Jacob Appelbaum of the Tor Project, with
thanks to Moxie Marlinspike for first publishing about this type of
vulnerability. Thanks to Kai Engert for guidance and for some of the
NSS changes) (CVE-2014-3694)
* Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL.
(Elrond and Ashish Gupta) (#15909)
libpurple3 compatibility:
* Encrypted account passwords are preserved until the new one is set.
* Fix loading Google Talk and Facebook XMPP accounts.
Windows-Specific Changes:
* Don't allow overwriting arbitrary files on the file system when the
user installs a smiley theme via drag-and-drop. (Discovered by Yves
Younan of Cisco Talos) (CVE-2014-3697)
* Updates to dependencies:
  * NSS 3.17.1 and NSPR 4.10.7
Finch:
* Fix build against Python 3. (Ed Catmur) (#15969)
Gadu-Gadu:
* Updated internal libgadu to version 1.12.0.
Groupwise:
* Fix potential remote crash parsing server message that indicates that
a large amount of memory should be allocated. (Discovered by Yves Younan
and Richard Johnson of Cisco Talos) (CVE-2014-3696)
IRC:
* Fix a possible leak of unencrypted data when using /me command
with OTR. (Thijs Alkemade) (#15750)
MXit:
* Fix potential remote crash parsing a malformed emoticon response.
(Discovered by Yves Younan and Richard Johnson of Cisco Talos)
(CVE-2014-3695)
XMPP:
* Fix potential information leak where a malicious XMPP server and
possibly even a malicious remote user could create a carefully crafted
XMPP message that causes libpurple to send an XMPP message containing
arbitrary memory. (Discovered and fixed by Thijs Alkemade and Paul
Aurich) (CVE-2014-3698)
* Fix Facebook XMPP roster quirks. (#15041, #15957)
Yahoo:
* Fix login when using the GnuTLS library for TLS connections. (#16172)
finch does not compile with python-3.3. Since libpurple is not versioned
and finch pulls it in, we have to mark libpurple too, and then pidgin
because of libpurple. It's all one codebase anyway...
either because they themselves are not ready or because a
dependency isn't. This is annotated by
PYTHON_VERSIONS_INCOMPATIBLE= 33 # not yet ported as of x.y.z
or
PYTHON_VERSIONS_INCOMPATIBLE= 33 # py-foo, py-bar
respectively, please use the same style for other packages,
and check during updates.
Use versioned_dependencies.mk where applicable.
Use REPLACE_PYTHON instead of handcoded alternatives, where applicable.
Reorder Makefile sections into standard order, where applicable.
Remove PYTHON_VERSIONS_INCLUDE_3X lines since that will be default
with the next commit.
Whitespace cleanups and other nits corrected, where necessary.
John: Just a quick release for a security fix here. Elliott has not
yet had a chance to work on the MSN breakage that's been present in
the last couple releases, but we hope he can do it before 2.7.10!
Changes 2.7.8:
Elliott: OK, so I know a few things broke with the last release, and
it's too bad we had to rush it for that silly certificate thing that
the MSN people can't configure properly. I've certainly done a lot of
small fixes this time, but it's too bad we haven't been able to get the
transfers with the official client fixed yet. I promise it'll be in
the next release (barring any quick security issues).
John: So, it's been about a month since we last released. Again, we've
assembled a bugfix release for your enjoyment. While a few commonly
reported bugs remain, particularly in MSN, we're working on it for the
next release. In the meantime, Merry Christmas and enjoy!
Changes 2.7.7:
John: Well, this time around, we should finally have the certificate
issue really and fully fixed for all of you MSN users. Also, we have
a few AIM-related fixes in this release, most notably the fix for the
new "SSL Handshake Failure" message some of you got after upgrading.
That one was an oversight on our part. Enjoy the fixes!
* Lots of little incremental bug fixes and enhancements in this release.
* Finally got some fixes out there for you Yahoo users behind some
particularly annoying firewalls and proxies, among other fixes. Enjoy!
Changes 2.7.2:
* We discovered a security issue in Pidgin 2.7.0 and 2.7.1 and decided to
release a patched version quickly. This release contains the fix for that
crash, and a few other minor fixes.
Additional changes:
Fix farsight handling in libpurple.
Set LICENSE.
2.6.2 (09/05/2009):
Mark: Woo boy it's been a busy two weeks. There was a lot of new code
in 2.6.0, and with new code comes new bugs. The cadre of relentless
developers responsible for Pidgin have been hard at work, and I believe
they have fixed all the major bugs that cropped up. My thanks to all
those names listed as Current Developers in Pidgin's 'About' window.
Elliott: Well now, just as Mark said, there was a lot of new stuff that
probably came up with tons of bugs. So I can't say I wrote anything
super-awesome, but I definitely fixed quite a few of those itty-bitty
why-didn't-this-work-this-way sort of bugs.
Update:
chat/finch to 2.6.1
chat/libpurple to 2.6.1
chat/pidgin to 2.6.1
chat/pidgin-sametime to 2.6.1
chat/pidgin-silc to 2.6.1
major changes:
o addition of farsight support for voice/video chats (untested, new option on by default)
o addition of dependency on devel/libidn
o addition of gstreamer option for libpurple (on by default)