Bug 13298

Summary: [CVE 21] pidgin 2.14.6 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: VERIFIED FIXED QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: a.proklov, i.gaptrakhmanov, pastordidi, s.matveev, v.potapov, y.tumanov
Version: AllFlags: v.potapov: qa_verified+
y.tumanov: secteam_verified+
a.proklov: published+
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2022-26491,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-05-03 18:01:55 MSK 
Please patch CVEs for package pidgin version 2.14.6
  
INFO (CVEs are): pidgin 2.14.6
 cves found
CVE-2022-26491
Desc: An issue was discovered in Pidgin before 2.14.9. A remote attacker who can spoof DNS responses can redirect a client connection to a malicious server. The client will perform TLS certificate verification of the malicious domain name instead of the original XMPP service domain, allowing the attacker to take over control over the XMPP connection and to obtain user credentials and all communication content. This is similar to CVE-2022-24968.
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-26491
Severity: MEDIUM
Comment 1 ilfat 2023-05-24 17:59:55 MSK 
********** QA ADVISORY **********

CVEs closed by project update

Updated to 2.14.12

https://abf.io/build_lists/4443718 i686
https://abf.io/build_lists/4443717 aarch64
https://abf.io/build_lists/4443716 x86_64
Comment 2 Dmitry Postnikov 2023-05-25 11:19:46 MSK 
***************************
The update sent to testings
Comment 3 Vladimir Potapov 2023-05-31 09:32:17 MSK 
pidgin-2.14.12-1
https://abf.io/build_lists/4443718 i686
https://abf.io/build_lists/4443717 aarch64
https://abf.io/build_lists/4443716 x86_64
************************ Advisory ************************
CVEs closed by project update

Updated to 2.14.12
**********************************************************
QA Verified
Comment 4 Yury 2023-07-11 10:00:37 MSK 
Secteam verified