pidgin/nest

Update the changelog for the 2.14.7 release
default tip
8 days ago, Gary Kramlich
d040bee36d7c
Update the changelog for the 2.14.7 release

Testing Done:
None

Reviewed at https://reviews.imfreedom.org/r/928/
---
title: cve-2013-6483-00
date: 2014-01-28T00:00:00.000Z
cveNumber: cve-2013-6483
summary: XMPP doesn't verify 'from' on some iq replies
discoveredBy: Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen
fixedInRelease: 2.10.8
type: security
layout: cve
hidden: true
---
### Description
The XMPP protocol plugin failed to ensure that iq replies came from the person
they were sent to. A remote user could send a spoofed iq reply and attempt to
guess the iq id. This could allow an attacker to inject fake data or trigger a
null pointer dereference.
### Mitigation
Keep track of the 'to' when sending an iq stanza and make sure replies for a
given stanza ID come from the same address it was sent to.