pidgin/nest

Add all CVEs reported in 2008

2021-02-11, Sorvival
4c756e9ef73b
Parents 51c0051875fd
Children c83367e9b2db
Add all CVEs reported in 2008

Testing Done:
Verified rendering and content with `dev-server.sh`

Bugs closed: NEST-43

Reviewed at https://reviews.imfreedom.org/r/488/
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2008-2927-00.md Thu Feb 11 02:56:40 2021 -0600
@@ -0,0 +1,20 @@
+---
+title: cve-2008-2927-00
+date: 2008-07-01T00:00:00.000Z
+cveNumber: cve-2008-2927
+summary: MSN malformed SLP message overflow
+discoveredBy: Anonymous (via TippingPoint's Zero Day Initiative)
+fixedInRelease: 2.4.3
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+Multiple integer overflows in the msn_slplink_process_msg functions in the MSN protocol handler in libpurple allow remote attackers to execute arbitrary code via a malformed SLP message.
+
+### Mitigation
+
+The affected function has been patched to fix the vulnerability.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2008-2955-00.md Thu Feb 11 02:56:40 2021 -0600
@@ -0,0 +1,20 @@
+---
+title: cve-2008-2955-00
+date: 2008-06-25T00:00:00.000Z
+cveNumber: cve-2008-2955
+summary: MSN Remote file transfer filename DoS
+discoveredBy: Juan Pablo Lopez Yacubian
+fixedInRelease: 2.4.3
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+A remote MSN user can cause a denial of service (crash) by sending a file with a file with a filename containing invalid characters. The local user must then accept the file transfer to trigger a double-free.
+
+### Mitigation
+
+A fix was applied to ensure that the double-free didn't occur.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2008-2957-00.md Thu Feb 11 02:56:40 2021 -0600
@@ -0,0 +1,20 @@
+---
+title: cve-2008-2957-00
+date: 2008-05-11T00:00:00.000Z
+cveNumber: cve-2008-2957
+summary: Remote UPnP discovery DoS
+discoveredBy: Andrew Hunt and Christian Grothoff
+fixedInRelease: 2.5.0
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+The UPnP functionality in libpurple allows remote attackers to trigger the download of arbitrary files and cause a denial of service (memory or disk consumption) via a UDP packet that specifies an arbitrary URL.
+
+### Mitigation
+
+UPnP related downloads are limited to 128kB.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/hugo/content/about/security/advisories/cve-2008-3532-00.md Thu Feb 11 02:56:40 2021 -0600
@@ -0,0 +1,20 @@
+---
+title: cve-2008-3532-00
+date: 2008-07-25T00:00:00.000Z
+cveNumber: cve-2008-3532
+summary: NSS TLS/SSL Certificates not validated
+discoveredBy: Josh Triplett
+fixedInRelease: 2.5.0
+type: security
+layout: cve
+hidden: true
+---
+
+### Description
+
+The NSS SSL implementation in libpurple does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.
+
+### Mitigation
+
+SSL/TLS Certificates are now verified in the NSS implementation in libpurple.
+