ChangeLog: Pidgin and Finch - The Pimpin' Penguin IM Clients That're Good For The Soul!

Version 2.11.0 (20160621)

The ChangeLog is now available via our repository.

​Changes for 2.11.0 and newer

version 2.10.12 (01/02/16)

View all closed tickets for this release.

General purple-url-handler now works with Python 3.x (Daniël van Eeden) Fixed an issue where transient startup statuses could be deleted (Jakub Adam) (#16762)



Pidgin The shout smile now matches the default theme (Steve Vaught)



Windows-Specific Changes Updates to dependencies: Cyrus SASL 2.1.26 libxml2 2.9.2 NSS 3.20.1 and NSPR 4.10.10 Perl 5.20.1 SILC 1.1.12 Remove support for Tcl plugins



Gadu-Gadu Updated internal libgadu to version 1.12.1.



Voice / Video GStreamer 1.0 support Bump farstream02 requirement to 0.2.7 Other VV related changes required for the third-party SIPE plugin (David Woodhouse, Jakub Adam, Youness Alaoui)



AIM Fix for AIM when using gateway proxies (like smarsh) (Youness Alaoui, #14917)



Plugins Don't render smileys in the History plugin's headers. (mmcc, #16747)



version 2.10.11 (11/23/14)

View all closed tickets for this release.

General Fix handling of Self-Signed SSL/TLS Certificates when using the NSS plugin (#16412) Improve default cipher suites used with the NSS plugin (#16262) Add NSS Preferences plugin which allows the SSL/TLS Versions and cipher suites to be configured (#8061)



Gadu-Gadu Fix a bug that prevented plugin to load when compiled without GnuTLS. (mancha) (#16431) Fix build for platforms without AF_LOCAL definition. (#16404)



MSN Fix broken login due to server change (dx, TReKiE). (#16451, #16455) Fail early when buddy list is unavailable instead of wasting bandwidth endlessly re-trying.



version 2.10.10 (10/22/2014)

View all closed tickets for this release.

General Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694) Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL. (Elrond and Ashish Gupta) (#15909)



libpurple3 compatibility Encrypted account passwords are preserved until the new one is set. Fix loading Google Talk and Facebook XMPP accounts.



Windows-Specific Changes Don't allow overwriting arbitrary files on the file system when the user installs a smiley theme via drag-and-drop. (Discovered by Yves Younan of Cisco Talos) (CVE-2014-3697) Updates to dependencies NSS 3.17.1 and NSPR 4.10.7



Finch Fix build against Python 3. (Ed Catmur) (#15969)



Gadu-Gadu Updated internal libgadu to version 1.12.0.



Groupwise Fix potential remote crash parsing server message that indicates that a large amount of memory should be allocated. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3696)



IRC Fix a possible leak of unencrypted data when using /me command with OTR. (Thijs Alkemade) (#15750)



MXit Fix potential remote crash parsing a malformed emoticon response. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3695)



XMPP Fix potential information leak where a malicious XMPP server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory. (Discovered and fixed by Thijs Alkemade and Paul Aurich) (CVE-2014-3698) Fix Facebook XMPP roster quirks. (#15041, #15957)



Yahoo Fix login when using the GnuTLS library for TLS connections. (#16172)



version 2.10.9 (2/2/2014)

View all closed tickets for this release.

XMPP Fix problems logging into some servers including jabber.org and chat.facebook.com. (#15879)



version 2.10.8 (01/28/2014)

View all closed tickets for this release.

General Python build scripts and example plugins are now compatible with Python 3. (Ashish Gupta) (#15624)



libpurple Fix potential crash if libpurple gets an error attempting to read a reply from a STUN server. (Discovered by Coverity static analysis) (CVE-2013-6484) Fix potential crash parsing a malformed HTTP response. (Discovered by Jacob Appelbaum of the Tor Project) (CVE-2013-6479) Fix buffer overflow when parsing a malformed HTTP response with chunked Transfer-Encoding. (Discovered by Matt Jones, Volvent) (CVE-2013-6485) Better handling of HTTP proxy responses with negative Content-Lengths. (Discovered by Matt Jones, Volvent) Fix handling of SSL certificates without subjects when using libnss. Fix handling of SSL certificates with timestamps in the distant future when using libnss. (#15586) Impose maximum download size for all HTTP fetches.



Pidgin Fix crash displaying tooltip of long URLs. (CVE-2013-6478) Better handling of URLs longer than 1000 letters. Fix handling of multibyte UTF-8 characters in smiley themes. (#15756)



Windows-Specific Changes When clicking file:// links, show the file in Explorer rather than attempting to run the file. This reduces the chances of a user clicking on a link and mistakenly running a malicious file. (Originally discovered by James Burton, Insomnia Security. Rediscovered by Yves Younan of Sourcefire VRT.) (CVE-2013-6486) Fix Tcl scripts. (#15520) Fix crash-on-startup when ASLR is always on. (#15521) Updates to dependencies: NSS 3.15.4 and NSPR 4.10.2 Pango 1.29.4-1daa. Patched for ​ https://bugzilla.gnome.org/show_bug.cgi?id=668154



AIM Fix untrusted certificate error.



AIM and ICQ Fix a possible crash when receiving a malformed message in a Direct IM session.



Gadu-Gadu Fix buffer overflow with remote code execution potential. Only triggerable by a Gadu-Gadu server or a man-in-the-middle. (Discovered by Yves Younan and Ryan Pentney of Sourcefire VRT) (CVE-2013-6487) Disabled buddy list import/export from/to server (it didn't work anymore). Buddy list synchronization will be implemented in 3.0.0. Disabled new account registration and password change options, as it didn't work either. Account registration also caused a crash. Both functions are available using official Gadu-Gadu website.



IRC Fix bug where a malicious server or man-in-the-middle could trigger a crash by not sending enough arguments with various messages. (Discovered by Daniel Atallah) (CVE-2014-0020) Fix bug where initial IRC status would not be set correctly. Fix bug where IRC wasn't available when libpurple was compiled with Cyrus SASL support. (#15517)



MSN Fix NULL pointer dereference parsing headers in MSN. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen) (CVE-2013-6482) Fix NULL pointer dereference parsing OIM data in MSN. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen) (CVE-2013-6482) Fix NULL pointer dereference parsing SOAP data in MSN. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen) (CVE-2013-6482) Fix possible crash when sending very long messages. Not remotely-triggerable. (Discovered by Matt Jones, Volvent)



MXit Fix buffer overflow with remote code execution potential. (Discovered by Yves Younan and Pawel Janic of Sourcefire VRT) (CVE-2013-6489) Fix sporadic crashes that can happen after user is disconnected. Fix crash when attempting to add a contact via search results. Show error message if file transfer fails. Fix compiling with InstantBird. Fix display of some custom emoticons.



SILC Correctly set whiteboard dimensions in whiteboard sessions.



SIMPLE Fix buffer overflow with remote code execution potential. (Discovered by Yves Younan of Sourcefire VRT) (CVE-2013-6490)



XMPP Prevent spoofing of iq replies by verifying that the 'from' address matches the 'to' address of the iq request. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen, fixed by Thijs Alkemade) (CVE-2013-6483) Fix crash on some systems when receiving fake delay timestamps with extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477) Fix possible crash or other erratic behavior when selecting a very small file for your own buddy icon. Fix crash if the user tries to initiate a voice/video session with a resourceless JID. Fix login errors when the first two available auth mechanisms fail but a subsequent mechanism would otherwise work when using Cyrus SASL. (#15524) Fix dropping incoming stanzas on BOSH connections when we receive multiple HTTP responses at once. (Issa Gorissen) (#15684)



Yahoo! Fix possible crashes handling incoming strings that are not UTF-8. (Discovered by Thijs Alkemade and Robert Vehse) (CVE-2012-6152) Fix a bug reading a peer to peer message where a remote user could trigger a crash. (CVE-2013-6481)



Plugins Fix crash in contact availability plugin. Fix perl function Purple::Network::ip_atoi Add Ubuntu Unity UI integration plugin.



version 2.10.7 (02/13/2013)

View all closed tickets for this release.

Alien hatchery No changes



General The configure script will now exit with status 1 when specifying invalid protocol plugins using the --with-static-prpls and --with-dynamic-prpls arguments. (Michael Fiedler) (#15316)



libpurple Fix a crash when receiving UPnP responses with abnormally long values. (CVE-2013-0274) Don't link directly to libgcrypt when building with GnuTLS support. (Bartosz Brachaczek) (#15329) Fix UPnP mappings on routers that return empty <URLBase/> elements in their response. (Ferdinand Stehle) (#15373) Tcl plugin uses saner, race-free plugin loading. Fix the Tcl signals-test plugin for savedstatus-changed. (Andrew Shadura) (#15443)



Pidgin Make Pidgin more friendly to non-X11 GTK+, such as MacPorts' +no_x11 variant.



Gadu-Gadu Fix a crash at startup with large contact list. Avatar support for buddies will be disabled until 3.0.0. (#15226, #14305)



IRC Support for SASL authentication. (Thijs Alkemade, Andy Spencer) (#13270) Print topic setter information at channel join. (#13317)



MSN Fix SSL certificate issue when signing into MSN for some users. Fix a crash when removing a user before its icon is loaded. (Mark Barfield) (#15217)



MXit Fix two bugs where a remote MXit user could possibly specify a local file path to be written to. (CVE-2013-0271) Fix a bug where the MXit server or a man-in-the-middle could potentially send specially crafted data that could overflow a buffer and lead to a crash or remote code execution. (CVE-2013-0272) Display farewell messages in a different colour to distinguish them from normal messages. Add support for typing notification. Add support for the Relationship Status profile attribute. Remove all reference to Hidden Number. Ignore new invites to join a GroupChat if you're already joined, or still have a pending invite. The buddy's name was not centered vertically in the buddy-list if they did not have a status-message or mood set. Fix decoding of font-size changes in the markup of received messages. Increase the maximum file size that can be transferred to 1 MB. When setting an avatar image, no longer downscale it to 96x96.



Sametime Fix a crash in Sametime when a malicious server sends us an abnormally long user ID. (CVE-2013-0273)



Yahoo! Fix a double-free in profile/picture loading code. (Mihai Serban) (#15053) Fix retrieving server-side buddy aliases. (Catalin Salgau) (#15381)



Plugins The Voice/Video Settings plugin supports using the sndio GStreamer backends. (Brad Smith) (#14414) Fix a crash in the Contact Availability Detection plugin. (Mark) (#15327) Make the Message Notification plugin more friendly to non-X11 GTK+, such as MacPorts?' +no_x11 variant.



Windows-Specific Changes Compile with secure flags (Jurre van Bergen) (#15290) Installer downloads GTK+ Runtime and Debug Symbols more securely. Thanks goes to Jacob Appelbaum of the Tor Project for identifying this issue and suggesting solutions. (#15277) Updates to a number of dependencies, some of which have security related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen for identifying the vulnerable libraries and to Dieter Verfaillie for helping getting the libraries updated. (#14571, #15285, #15286) ATK 1.32.0-2 Cyrus SASL 2.1.25 expat 2.1.0-1 freetype 2.4.10-1 gettext 0.18.1.1-2 Glib 2.28.8-1 libpng 1.4.12-1 libxml2 2.9.0-1 NSS 3.13.6 and NSPR 4.9.2 Pango 1.29.4-1 SILC 1.1.10 zlib 1.2.5-2 Patch libmeanwhile (sametime library) to fix crash. (Jonathan Rice) (#12637)



version 2.10.6 (07/06/2012)

View all closed tickets for this release.

Pidgin Fix a bug that requires a triple-click to open a conversation window from the buddy list. (#15199)



version 2.10.5 (07/05/2012)

View all closed tickets for this release.

libpurple Add support for GNOME3 proxy settings. (Mihai Serban) (#15054)



Pidgin Fix a crash that may occur when trying to ignore a user who is not in the current chat room. (#15139)



MSN Fix building with MSVC on Windows (broken in 2.10.4). (Florian Quèze)



MXit Fix a buffer overflow vulnerability when parsing incoming messages containing inline images. Thanks to Ulf Härnhammar for reporting this! (CVE-2012-3374)



version 2.10.4 (05/06/2012)

View all closed tickets for this release.

General Support building against Farstream in addition to Farsight. (Olivier Crete) (#14936)



IRC Disable periodic WHO timer. IRC channel user lists will no longer automatically display away status, but libpurple will be much kinder to the network. Print unknown numerics to channel windows if we can associate them. Thanks to Marien Zwart. (#15090)



MSN Fix a possible crash when receiving messages with certain characters or character encodings. Thanks to Fabian Yamaguchi for reporting this!



XMPP Fix a possible crash when receiving a series of specially crafted file transfer requests. Thanks to José Valentín Gutiérrez for reporting this! (CVE-2012-2214)



Windows-Specific Changes Words added to spell check dictionaries are saved across restarts of Pidgin (#11886)



Older Changes

Changes between 2.0.0 and 2.10.3 may be found in the FullChangeLog

Changes predating 2.0.0 may be found in the ChangeLog and ChangeLog.win32 files in the source distribution.