Update the date in COPYRIGHT as it was a few years behind
2 months ago, Gary Kramlich
Update the date in COPYRIGHT as it was a few years behind

Testing Done:

Reviewed at
Pidgin and Finch: The Pimpin' Penguin IM Clients That're Good for the Soul
version 2.14.14 (??/??/????):
* Nothing yet, be the first!
version 2.14.13 (02/23/2024):
* Fix compile warning (Wcast-function-type). (RR 2225) (Markus Fischer)
* Fix memory leak originating in purple_prefs_connect_callback. (RR 2226)
(Markus Fisher)
* Don't use the Real name as a candidate for the SASL username in IRC.
(RR 2535) (Gary Kramlich)
* Don't link with libgadu unnecessarily. (RR 2684) (Elliott Sales de
* Make collapsed groups searchable in the buddy list. (PIDGIN-7877)
(RR 1494) (Belgin Știrbu)
* Fix incompatible type conversion errors. (PIDGIN-17850) (RR 2944)
(Jaroslav Škarvada, Elliott Sales de Andrade)
* Stop removing -Wall from CFLAGS. (PIDGIN-16593) (RR 2946) (Elliott Sales
de Andrade)
* Updated the spell checking dictionaries on Windows. (Gary Kramlich)
* Resolved the crash on exit under Windows by reverting to the old
toolchain. (PIDGIN-17710) (Gary Kramlich)
version 2.14.12 (12/31/2022):
* Remove a string from the Romanian translation that's breaks the creation
of the Windows installer. (RR 2157) (Gary Kramlich)
version 2.14.11 (12/31/2022):
* Add Markus "ivanhoe" Fischer to the Crazy Patch Writers! Congrats Markus!
(RR 1952) (Gary Kramlich)
* Fix a crash when closing a group chat with spellchk plugin enabled. (RR
1951) (Markus Fischer)
* Fix network interface detection on Windows to fix broken file transfers.
(PIDGIN-17123, PIDGIN-17293, PIDGIN-17516, PIDGIN-17704) (RR 2018) (Gary
* Update the about box to point people to Discourse instead of the mailing
lists. (RR 2154) (Gary Kramlich)
version 2.14.10 (06/02/2022):
* Audit and correct the COPYRIGHT file. (RR 1425) (Richard Laager)
* Fix a spelling error in a debug message for proxies. (RR 1426) (Richard
* Install some emojis already in the theme but not being installed.
(RR 1428) (Richard Laager)
* Drop the QQ smileys as we don't ship QQ anymore. (PIDGIN-14385) (RR 1429)
(Richard Laager)
* Modernize the desktop file. (RR 1433) (Richard Laager)
* Modernize the appdata file. (RR 1431) (Richard Laager)
* Make privacy settings persist. (PIDGIN-17137) (RR 1463) (Belgin Știrbu)
* Fix a use after free that was introduced in 2.14.9. (RR 1488) (ivanhoe)
* Fix a crash if the server sends a short form JOIN message. (PIDGIN-17375)
(RR 1484) (Belgin Știrbu)
* Fix a regression from 2.14.9 where XMPP accounts state would get lost
after failing to connect. (PIDGIN-17621) (RR 1455) (Belgin Știrbu)
* Fix a crash when requesting your own info in an XMPP conference. (RR 1465)
(Belgin Știrbu)
* Fix hang when completing a file transfer over XMPP. (RR 1466) (Belgin
* Fix updating custom smileys. (PIDGIN-17153) (RR 1477) (Belgin Știrbu)
* Fix unblocking users. (PIDGIN-16414) (RR 1479) (Belgin Știrbu)
* Fix a crash when cancelling a file transfer. (PIDGIN-17189) (RR 1485)
(Belgin Știrbu)
version 2.14.9 (04/28/2022):
* Remove _xmppconnect support. (RR 1357) (CVE-2022-26491) (Gary Kramlich)
* Fix a GLib CRITICAL message with typing time outs. (RR 1123) (Mohammed
* Fix an issue where the unit tests for purple_str_to_time would fail.
(GENTOO-819774) (RR 1238) (Gary Kramlich)
* Fix a memory leak in pidgin_conversations_set_tab_colors. (RR 1244)
* Fixed the majority of the infinite resizing issues in the input box.
(PIDGIN-16753, PIDGIN-16999, PIDGIN-17287, PIDGIN-17413, PIDGIN-17430,
PIDGIN-17568, PIDGIN-17602) (RR 1342) (Belgin Știrbu)
* Add transient-buddy back which is used to show some context menus and
other things. (PIDGIN-17523) (RR 1381) (Belgin Știrbu)
* Fix the download of dictionaries in the Windows installer. (PIDGIN-14618,
PIDGIN-15648, PIDGIN-15540, PIDGIN-14612, PIDGIN-14893) (RR 1303) (Gary
* Fix a typo in the German translations. (PIDGIN-17575) (RR 1242) (ivanhoe)
* Synced all of the translations with Transifex.
* Fix IRC file transfers on Windows. (PIDGIN-17175) (RR 1382) (Belgin
* Fix file transfers failing at 99% on IRC. (PIDGIN-15893) (RR 1385) (Belgin
* Default realname and ident name in IRC to the username (nickname) of the
account. (PIDGIN-17610) (RR 1386) (Belgin Știrbu)
* Add an advanced account option to IRC accounts for explicitly setting the
SASL login name. (PIDGIN-15451) (RR 1388) (Belgin Știrbu)
* Added a rate limiter that should make it impossible to excess flood.
(RR 1391) (Gary Kramlich)
* Fix an issue with the CSeq numbers in SIMPLE. (PIDGIN-9675) (RR 1379)
* Fix XMPP attention messages being sent to incorrect JIDs. (PIDGIN-14714)
(RR 1387) (itsnotabigtruck, Belgin Știrbu)
version 2.14.8 (10/14/2021):
* Fix a regression in purple_str_to_time. (PIDGIN-17552) (RR 931) (Gary
* Fix a double free in jabber/message.c. (PIDGIN-17547) (RR 932) (Gary
Kramlich, pv32768)
* Fix the link to the support mailing list archive in the About Dialog.
(RR 929) (Gary Kramlich)
version 2.14.7 (09/16/2021):
* Fix leak in purple_markup_find_tag on error. (OSS-FUZZ 35816) (RR 924)
(Elliott Sales de Andrade)
* Fix an issue where the XMPP utility tests would fail if libidn was
disabled. (RR 922) (Gary Kramlich)
* Fix an assert in purple_markup_html_to_xhtml (OSS-FUZZ 35029) (RR 921)
(Elliott Sales de Andrade)
* Fix building on Haiku (RR 916) (Haiku Ports Team)
* Correctly free parse tags at end of purple_html_to_xhtml (OSS-FUZZ 34996)
(RR 913) (Elliott Sales de Andrade)
* Fix leak that may occur when xmlnode_from_str fails (OSS-FUZZ 34988)
(RR 911) (Elliott Sales de Andrade)
* Cleanup, standardize and create starting corpora for all of the fuzzers.
(RR 920) (Gary Kramlich)
* Port purple_str_to_time to use a regular expression and add additional
unit tests for it. (RR 923) (Gary Kramlich)
version 2.14.6 (07/08/2021):
* Update references to point to our current websites. (RR 766) (Gary
* Add a donate link to the help menu. (RR 749) (Gary Kramlich)
* Check pkg-config for ncurses before looking for it manually. (RR 729)
(Justin Lecher)
* Replace newlines in topics with spaces. (PIDGIN-16704) (RR 730) (Gary
* Added support for the no_proxy environment variable. (PIDGIN-17518)
(RR #667) (Alynx Zhou and Gary Kramlich)
* Added infrastructure for fuzzing as well as some initial fuzzers.
(RR #760) (Jordy Zomer)
* Fix an out of bounds write in purple_markup_linkify. (RR 781) (Thomas
Roth, Dominik Maier, and Fabian Freyer)
* Enable session management after binding a resource. (PIDGIN-17520) (RR
759) (defanor)
* Fix a clang logical-not-parentheses warning. (PIDGIN-17528) (RR 731)
(Gary Kramlich)
version 2.14.5 (06/03/2021):
* Updated our bundled certificates to the latest version from Mozilla.
(RR #722) (PIDGIN-17535) (Gary Kramlich)
* Made the project scan-build clean. (RR #692-705, #707-714, #716-#719)
(Gary Kramlich)
* Fixed some of Gary's scan-build fixes that were a bit verbose. (RR #715)
(Elliott Sales de Andrade)
* Disabled UPnP and NAT-PMP by default for new user. (RR #706) (Gary
* Changed the default server to (RR #675) (Gary Kramlich)
Windows Specific Changes:
* Fixed the installer not running when Mandatory ASLR was turned on.
(RR #721) (PIDGIN-17524) (Gary Kramlich)
version 2.14.4 (04/29/2021):
* Use LT_LIB_M to find the math library. This should simplify things for
various distros including the BSD's. (RR #608) (and, Justin Lechner)
* Removed a dangling reference to oscar that was causing the unit tests
to fail. (RR #605) (Gary Kramlich)
* Update purple-remote and purple-url-handler to have a Python 3 shebang.
(RR #609) (Richard Laager)
* Install our AppData file into the $prefix/share/metainfo. (RR 607)
(Lars Wendler)
* Re-enable the Gevolution plugin and set the evolution-data-server
requirement to >= 3.6. (RR #610) (Ed Catmur, Lars Wendler)
Windows-Specific Changes:
* Output pkg-config files so that our Windows builds can be seen by meson.
Grim owes a blog post on how this works. (RR #615) (Gary Kramlich)
* Update the debug symbols download in the installer to the inetc plugin.
(RR #627) (Gary Kramlich)
* Make sure the uninstaller removes all files that we install. (RR #612)
(Gary Kramlich)
version 2.14.3 (04/08/2021):
* Removed the AIM protocol plugin. AIM has been shut down since December
15th of 2017. We left it around because of a third party server, but our
plugin no longer works with it. (RR #598) (Gary Kramlich)
Windows-Specific Changes:
* Standardize on wprintf in pidgin/win32/winpidgin.c (RR #593) (Gary
* Use the inetc nsis plugin that supports https (RR #593, #594)
(PIDGIN-17511) (Gary Kramlich)
* If building under msys2 copy libgcc_s_dw2-1.dll and libwinpthread to the
install directory. (RR #593) (PIDGIN-17511) (Gary Kramlich)
version 2.14.2 (04/01/2021):
* Fix a build issue when compiling with gstreamer but without voice and
video. (RR #25)
* Enable cyrus-sasl by default. (RR #26)
* Fix an issue with opening link in Firefox. (RR #503) (PIDGIN-16589)
* Fix a regression from 2.14.0 where extra whitespace would be displayed
when pasting <p> elements from HTML. (RR #504) (PIDGIN-17437)
* Require Python 3 for generating the D-Bus bindings. (RR #550)
* Fix an issue where pasting <hr>'s and other HTML elements would
eventually lead to a crash. (RR #514) (PIDGIN-17446)
version 2.14.1 (11/06/2020):
* Fixed issues with Windows installer that always thought Pidgin was
running. (Eion Robb)
* Fixed an issue where the Windows installer was not using Unicode while
doing checksums which made it fail. (Eion Robb)
* Fixed an issue in the released source code that caused the Mercurial
revision in the About box to be "unknown". (Gary Kramlich)
version 2.14.0 (10/06/2020):
* Fixed a memory leak in search results. (#17292 PR #320 David Woodhouse)
* Support SNI with GNUTLS. (#17300 tiagosalem) (PR #659 Mihai Moldovan)
* Add additional error handling to NSS and GNUTLS. (PR #679 Samuel Thibault)
* Add invisible buddy support to support presence/name/photos for non
buddies. (#17295 PR 321 David Woodhouse)
* Make purple-remote compatible with both Python 2 and Python 3. (Jan
Synacek of RedHat)
* Fixed some leaky deprecation warnings. (PR #586 Gary Kramlich)
* Fixed HTML logs which were writing invalid HTML. (#17280 stars PR #312
Daniel Kamil Kozar)
* Fixed a use after free in purple_smiley_set_data_impl. (PR #694 Gary
* Added the chat_send_file ability to protocol plugins. (PR #701 David
* Treat <p> tags as line breaks when pasting. (PR #678 Colin Xu)
* Reverted Ticket #17232/PR #695. It caused more harm than good and a new
solution needs to be found. (PR #695 Gary Kramlich)
* Always use port fallback for IPv4 addresses. (PR #382 Michael Osborne)
* Support for XEP-0198 Stream Management (PR #309 defanor)
* Decrease delay for file transfer using streamhosts (PR #464 #627 Evert
Voice & Video:
* Improve webcam failure handling. (PR #322 David Woodhouse)
* Show error when creating media pipeline fails. (#17290 PR 322 David
* Clip audio level reporting. (#14426 PR #322 David Woodhouse)
* Keep track of devices managed by GstDeviceMonitor. (PR #322 David
* Ignore PulseAudio monitors. (PR #322 David Woodhouse)
* Backport native Voice & Video prefs from 3.0. (PR #322 David Woodhouse)
* Fixed building against GStreamer 0.10 (PR #325 David Woodhouse)
* Fixed initial delay on incoming audio (PR #379 David Woodhouse)
* Properly cleanup timeouts. (PR #383 Jakub Adam)
* Added an audio mixer so mixed sources don't cause a pipe failure. (PR #522
Fabrice Bellet)
* Added screen share support for Wayland via XDP Portal. (PR #337 David
* Handle unplug and replug events of selected media device. (PR #699 David
version 2.13.0 (03/08/2018):
* Unified string comparison. (PR #186) (Arkadiy Illarionov)
* Properlly shell escape URI's when opening them. (PR #271 Daniel Kamil Kozar)
* Fix a one byte buffer overread in function purple_markup_linkify
* Fix an issue were utf8 was incorrectly truncated which could lead to
crashes as we were potentially feeding garbage into glib/gtk.
* Fixed build against curses 6.0 with opaque structs set. (#16764 dimstar)
(PR #268 Daniel Kamil Kozar)
* Fixed a crash when resizing the window. (#16680 marcus) (PR #269 Daniel Kamil Kozar)
* Fixed bashism in autotools. (#16836 lameventanas) (PR #267 Daniel Kamil Kozar)
* Show XEP-0066 OOB URLs in any message, not just headlines
* Fix a user after free (#17200 debarshiray) (PR #266 Ethan Blanton)
* Removed pipelining from BOSH connections (#17025 PR #295 Tom Li)
* Don't try to TLS already secured BOSH connections (#17270 PR #293 Tom Li)
* Fix "Registration timeout" on SASL auth with InspIRCd servers
(and possibly others not based on charybdis/ratbox/ircd-seven)
* Fix issues with plugins that modify outgoing messages
(such as the custom PART/QUIT feature of the IRC More plugin)
* Fix IRC buffer handling. (#12562 PR #272 Shivaram Lingamneni)
* Properly handle AUTHENTICATE as a normal command with server prefix.
(PR #316 dx)
* Fix a crash caused by a use after free of the MOTD.
* Fix an out of bounds read in irc_nick_skip_mode.
* Fix a write of a single byte before the start of a buffer in
* Better support for dark themes. (#12572 Alyssa Rosenzweig and Gary Kramlich)
* Fixed IPv6 links by not escaping []'s. (#16391 cyisfor) (PR #270 Daniel Kamil Kozar)
* Only write buddy icons to the cache if they're not already cached. (PR #276 David Woodhouse)
* Rejoin persistent chats after reconnect. (#15687 PR #285 Christof Meerwald)
* Made the WIN32 Transparency plugin work on all platforms. (#3124 PR #287 Daniel Kamil Kozar)
* Ensure search results buttons are labeled (Backport from de2d88e575ee)
* Fix matching unicode smilies. (#17232 gnubfx PR #262 Daniel Kamil Kozar)
* Correctly update mute/unmute status when the remote side mutes/unmutes us. (#17273 PR #302 David Woodhouse)
* Rework the status icon blinking to not used deprecated API. (#17174 zelch PR #264 Daniel Kamil Kozar)
* Don't allow adding a buddy to protocols that don't have an add_buddy callback. (#4061 Paradox)
* Fix handling of search results (#17238 David Woodhouse)
Voice & Video:
* Port backend-fs to newer api for farstream relay-info property (#17274 bellet)
version 2.12.0 (03/09/2017):
* Fix an out of bounds memory write in purple_markup_unescape_entity.
* Fix use of uninitialised memory if running non-debug-enabled versions of glib
* Updated AIM dev and dist ID's to new ones that were assigned by AOL.
* TLS certificate verification now uses SHA-256 checksums.
* Fixed SASL external auth for Freenode.
* Removed the MSN protocol plugin. It has been unusable and dormant for some
time. MSNP18 has been discontinued and the protocol plugin would require a
large update to start working again. See: The
third-party Pidgin SkypeWeb plugin, however, should provide enough
functionality as a replacement if people still want to use MSN:
* Removed Mxit protocol plugin. The service was closed at the end of
September 2016. See
* Removed the MySpaceIM protocol plugin. The service has been defunct for a
long time. (#15356)
* Remove the Yahoo! protocol plugin. Yahoo has completely
reimplemented their protocol, so this version is no longer operable as
of August 5th, 2016:
A new protocol plugin has been written to support the new protocol.
It can be found here:
This also removes support for Yahoo! Japan. According to the service ended March 26th, 2014.
* Remove the Facebook (XMPP) account option. According to the XMPP Chat API service
ended April 30th, 2015. A new protocol plugin has been written,
using a different method, to support Facebook. It can be found at
* Fixed gnutls certificate validation errors that mainly affected google (Dequis)
* Replaced instances of with and updated the
urls to use https. (#17036)
* Fixed issue of messages being silently cut off at 500 characters. Large
messages are now split into parts and sent one by one. (#4753)
version 2.11.0 (06/21/2016):
* 2.10.12 was accidentally released with new additions to the API and
should have been released as 2.11.0. Unfortunately, we did not catch
the mistake until after 2.10.12 was released, but we're fixing it now.
See ChangeLog.API for more information.
* Include the Mozilla certificate bundle. This fixes connecting to servers
with certificates from Let's Encrypt.
* Remove all 1024-bit CAs
* media: fix an issue with ximagesink displaying only a corner cut-out of
a larger webcam video (Jakub Adam)
* mediamanager: update output window destruction so that it reflects recent
changes in the media pipeline structure (Jakub Adam)
* Ported Instantbird's CommandUiOps to libpurple (Dequis)
* Fixed #14962
* Fixed alignment of incoming right-to-left messages in protocols that
don't support rich text
* Fix a potential crash while exiting pidgin
Windows-Specific Changes:
* Use getaddrinfo for DNS to enable IPv6 (#1075)
* Updates to dependencies:
* NSS 3.24 and NSPR 4.12.
* Add support for the newer kerberos-based authentication of AIM 8.x
* Fixed building on Mac OSX (Patrick Cloke) (#16883)
* Stop truncating passwords to 8 characters like old ICQ clients did.
(#16692). If you actually needed this, truncate your password
manually by pressing backspace a few times.
* Base64-decode SASL messages before passing to libsasl (#16268)
* Fixed a buffer overflow. Discovered by Yves Younan of Cisco Talos.
* Fixed a remote out-of-bounds read. Discovered by Yves Younan of Cisco
Talos. (TALOS-CAN-0140)
* Fixed a remote out-of-band read. Discovered by Yves Younan of Cisco
Talos. (TALOS-CAN-0138, TALOS-CAN-0135)
* Fixed an invalid read. Discovered by Yves Younan of Cisco Talos
* Fixed a remote buffer overflow vulnerability. Discovered by Yves
Younan of Cisco Talos. (TALOS-CAN-0119)
* Fixed an out-of-bounds read discovered by Yves Younan of Cisco Talos.
* Fixed a directory traversal issue. Discovered by Yves Younan of Cisco
Talos (TALOS-CAN-0128)
* Fixed a remote denial of service vulnerability that could result in
a null pointer dereference. Discovered by Yves Younan of Cisco Talos.
* Fixed a remote denial of service that could result in an out-of-bounds
read. Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0134)
* Fixed multiple remote buffer overflows. Discovered by Yves Younan of
Cisco Talos. (TALOS-CAN-0136)
* Fixed a remote NULL pointer dereference. Discovered by Yves Younan of
Cisco Talos (TALOS-CAN-0137)
* Fixed a remote code execution issue discovered by Yves Younan of Cisco
Talos. (TALOS-CAN-0142)
* Fixed a remote denial of service vulnerability in contact mood
handling. Discovered by Yves Younan of Cisco Talos (TALOS-CAN-0141)
* Fixed a remote out-of-bounds write vulnerability. Discovered by Yves
Younan of Cisco Talos. (TALOS-CAN-0139)
* Fix a remote out-of-bounds read. Discovered by Yves Younan of Cisco
Talos. (TALOS-CAN-0143)
version 2.10.12 (12/31/2015):
* purple-url-handler now works with Python 3.x (Daniël van Eeden)
* Fixed an issue where transient startup statuses could be deleted
(Jakub Adam) (#16762)
* The shout smile now matches the default theme (Steve Vaught)
Windows-Specific Changes:
* Updates to dependencies:
* Cyrus SASL 2.1.26
* libxml2 2.9.2
* NSS 3.20.1 and NSPR 4.10.10
* Perl 5.20.1
* SILC 1.1.12
* Remove support for Tcl plugins
* Updated internal libgadu to version 1.12.1.
version 2.10.11 (11/23/2014):
* Fix handling of Self-Signed SSL/TLS Certificates when using the NSS
plugin (#16412)
* Improve default cipher suites used with the NSS plugin (#16262)
* Add NSS Preferences plugin which allows the SSL/TLS Versions and
cipher suites to be configured (#8061)
* Fix a bug that prevented plugin to load when compiled without GnuTLS.
(mancha) (#16431)
* Fix build for platforms without AF_LOCAL definition. (#16404)
* Fix broken login due to server change (dx, TReKiE). (#16451, #16455)
* Fail early when buddy list is unavailable instead of wasting bandwidth
endlessly re-trying.
version 2.10.10 (10/22/2014):
* Check the basic constraints extension when validating SSL/TLS
certificates. This fixes a security hole that allowed a malicious
man-in-the-middle to impersonate an IM server or any other https
endpoint. This affected both the NSS and GnuTLS plugins. (Discovered
by an anonymous person and Jacob Appelbaum of the Tor Project, with
thanks to Moxie Marlinspike for first publishing about this type of
vulnerability. Thanks to Kai Engert for guidance and for some of the
NSS changes) (CVE-2014-3694)
* Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL.
(Elrond and Ashish Gupta) (#15909)
libpurple3 compatibility:
* Encrypted account passwords are preserved until the new one is set.
* Fix loading Google Talk and Facebook XMPP accounts.
Windows-Specific Changes:
* Don't allow overwriting arbitrary files on the file system when the
user installs a smiley theme via drag-and-drop. (Discovered by Yves
Younan of Cisco Talos) (CVE-2014-3697)
* Updates to dependencies:
* NSS 3.17.1 and NSPR 4.10.7
* Fix build against Python 3. (Ed Catmur) (#15969)
* Updated internal libgadu to version 1.12.0.
* Fix potential remote crash parsing server message that indicates that
a large amount of memory should be allocated. (Discovered by Yves Younan
and Richard Johnson of Cisco Talos) (CVE-2014-3696)
* Fix a possible leak of unencrypted data when using /me command
with OTR. (Thijs Alkemade) (#15750)
* Fix potential remote crash parsing a malformed emoticon response.
(Discovered by Yves Younan and Richard Johnson of Cisco Talos)
* Fix potential information leak where a malicious XMPP server and
possibly even a malicious remote user could create a carefully crafted
XMPP message that causes libpurple to send an XMPP message containing
arbitrary memory. (Discovered and fixed by Thijs Alkemade and Paul
Aurich) (CVE-2014-3698)
* Fix Facebook XMPP roster quirks. (#15041, #15957)
* Fix login when using the GnuTLS library for TLS connections. (#16172)
version 2.10.9 (2/2/2014):
* Fix problems logging into some servers including and (#15879)
version 2.10.8 (1/28/2014):
* Python build scripts and example plugins are now compatible with
Python 3. (Ashish Gupta) (#15624)
* Fix potential crash if libpurple gets an error attempting to read a
reply from a STUN server. (Discovered by Coverity static analysis)
* Fix potential crash parsing a malformed HTTP response. (Discovered by
Jacob Appelbaum of the Tor Project) (CVE-2013-6479)
* Fix buffer overflow when parsing a malformed HTTP response with
chunked Transfer-Encoding. (Discovered by Matt Jones, Volvent)
* Better handling of HTTP proxy responses with negative Content-Lengths.
(Discovered by Matt Jones, Volvent)
* Fix handling of SSL certificates without subjects when using libnss.
* Fix handling of SSL certificates with timestamps in the distant future
when using libnss. (#15586)
* Impose maximum download size for all HTTP fetches.
* Fix crash displaying tooltip of long URLs. (CVE-2013-6478)
* Better handling of URLs longer than 1000 letters.
* Fix handling of multibyte UTF-8 characters in smiley themes. (#15756)
Windows-Specific Changes:
* When clicking file:// links, show the file in Explorer rather than
attempting to run the file. This reduces the chances of a user
clicking on a link and mistakenly running a malicious file.
(Originally discovered by James Burton, Insomnia Security. Rediscovered
by Yves Younan of Sourcefire VRT.) (CVE-2013-6486)
* Fix Tcl scripts. (#15520)
* Fix crash-on-startup when ASLR is always on. (#15521)
* Updates to dependencies:
* NSS 3.15.4 and NSPR 4.10.2
* Pango 1.29.4-1daa
Patched for
* Fix untrusted certificate error.
AIM and ICQ:
* Fix a possible crash when receiving a malformed message in a Direct IM
* Fix buffer overflow with remote code execution potential. Only
triggerable by a Gadu-Gadu server or a man-in-the-middle.
(Discovered by Yves Younan and Ryan Pentney of Sourcefire VRT)
* Disabled buddy list import/export from/to server (it didn't work
anymore). Buddy list synchronization will be implemented in 3.0.0.
* Disabled new account registration and password change options, as it
didn't work either. Account registration also caused a crash. Both
functions are available using official Gadu-Gadu website.
* Fix bug where a malicious server or man-in-the-middle could trigger
a crash by not sending enough arguments with various messages.
(Discovered by Daniel Atallah) (CVE-2014-0020)
* Fix bug where initial IRC status would not be set correctly.
* Fix bug where IRC wasn't available when libpurple was compiled with
Cyrus SASL support. (#15517)
* Fix NULL pointer dereference parsing headers in MSN.
(Discovered by Fabian Yamaguchi and Christian Wressnegger of the
University of Goettingen) (CVE-2013-6482)
* Fix NULL pointer dereference parsing OIM data in MSN.
(Discovered by Fabian Yamaguchi and Christian Wressnegger of the
University of Goettingen) (CVE-2013-6482)
* Fix NULL pointer dereference parsing SOAP data in MSN.
(Discovered by Fabian Yamaguchi and Christian Wressnegger of the
University of Goettingen) (CVE-2013-6482)
* Fix possible crash when sending very long messages. Not
remotely-triggerable. (Discovered by Matt Jones, Volvent)
* Fix buffer overflow with remote code execution potential.
(Discovered by Yves Younan and Pawel Janic of Sourcefire VRT)
* Fix sporadic crashes that can happen after user is disconnected.
* Fix crash when attempting to add a contact via search results.
* Show error message if file transfer fails.
* Fix compiling with InstantBird.
* Fix display of some custom emoticons.
* Correctly set whiteboard dimensions in whiteboard sessions.
* Fix buffer overflow with remote code execution potential.
(Discovered by Yves Younan of Sourcefire VRT) (CVE-2013-6490)
* Prevent spoofing of iq replies by verifying that the 'from' address
matches the 'to' address of the iq request. (Discovered by Fabian
Yamaguchi and Christian Wressnegger of the University of Goettingen,
fixed by Thijs Alkemade) (CVE-2013-6483)
* Fix crash on some systems when receiving fake delay timestamps with
extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477)
* Fix possible crash or other erratic behavior when selecting a very
small file for your own buddy icon.
* Fix crash if the user tries to initiate a voice/video session with a
resourceless JID.
* Fix login errors when the first two available auth mechanisms fail but
a subsequent mechanism would otherwise work when using Cyrus SASL.
* Fix dropping incoming stanzas on BOSH connections when we receive
multiple HTTP responses at once. (Issa Gorissen) (#15684)
* Fix possible crashes handling incoming strings that are not UTF-8.
(Discovered by Thijs Alkemade and Robert Vehse) (CVE-2012-6152)
* Fix a bug reading a peer to peer message where a remote user could
trigger a crash. (CVE-2013-6481)
* Fix crash in contact availability plugin.
* Fix perl function Purple::Network::ip_atoi
* Add Unity integration plugin.
version 2.10.7 (02/13/2013):
Alien hatchery:
* No changes
* The configure script will now exit with status 1 when specifying
invalid protocol plugins using the --with-static-prpls and
--with-dynamic-prpls arguments. (Michael Fiedler) (#15316)
* Fix a crash when receiving UPnP responses with abnormally long values.
* Don't link directly to libgcrypt when building with GnuTLS support.
(Bartosz Brachaczek) (#15329)
* Fix UPnP mappings on routers that return empty <URLBase/> elements
in their response. (Ferdinand Stehle) (#15373)
* Tcl plugin uses saner, race-free plugin loading.
* Fix the Tcl signals-test plugin for savedstatus-changed.
(Andrew Shadura) (#15443)
* Make Pidgin more friendly to non-X11 GTK+, such as MacPorts' +no_x11
* Fix a crash at startup with large contact list. Avatar support for
buddies will be disabled until 3.0.0. (#15226, #14305)
* Support for SASL authentication. (Thijs Alkemade, Andy Spencer)
* Print topic setter information at channel join. (#13317)
* Fix SSL certificate issue when signing into MSN for some users.
* Fix a crash when removing a user before its icon is loaded. (Mark
Barfield) (#15217)
* Fix two bugs where a remote MXit user could possibly specify a local
file path to be written to. (CVE-2013-0271)
* Fix a bug where the MXit server or a man-in-the-middle could
potentially send specially crafted data that could overflow a buffer
and lead to a crash or remote code execution. (CVE-2013-0272)
* Display farewell messages in a different colour to distinguish
them from normal messages.
* Add support for typing notification.
* Add support for the Relationship Status profile attribute.
* Remove all reference to Hidden Number.
* Ignore new invites to join a GroupChat if you're already joined, or
still have a pending invite.
* The buddy's name was not centered vertically in the buddy-list if they
did not have a status-message or mood set.
* Fix decoding of font-size changes in the markup of received messages.
* Increase the maximum file size that can be transferred to 1 MB.
* When setting an avatar image, no longer downscale it to 96x96.
* Fix a crash in Sametime when a malicious server sends us an abnormally
long user ID. (CVE-2013-0273)
* Fix a double-free in profile/picture loading code. (Mihai Serban)
* Fix retrieving server-side buddy aliases. (Catalin Salgau) (#15381)
* The Voice/Video Settings plugin supports using the sndio GStreamer
backends. (Brad Smith) (#14414)
* Fix a crash in the Contact Availability Detection plugin. (Mark)
* Make the Message Notification plugin more friendly to non-X11 GTK+,
such as MacPorts' +no_x11 variant.
Windows-Specific Changes:
* Compile with secure flags (Jurre van Bergen) (#15290)
* Installer downloads GTK+ Runtime and Debug Symbols more securely.
Thanks goes to Jacob Appelbaum of the Tor Project for identifying
this issue and suggesting solutions. (#15277)
* Updates to a number of dependencies, some of which have security
related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen
for identifying the vulnerable libraries and to Dieter Verfaillie
for helping getting the libraries updated. (#14571, #15285, #15286)
* ATK 1.32.0-2
* Cyrus SASL 2.1.25
* expat 2.1.0-1
* freetype 2.4.10-1
* gettext
* Glib 2.28.8-1
* libpng 1.4.12-1
* libxml2 2.9.0-1
* NSS 3.13.6 and NSPR 4.9.2
* Pango 1.29.4-1
* SILC 1.1.10
* zlib 1.2.5-2
* Patch libmeanwhile (sametime library) to fix crash. (Jonathan Rice)
version 2.10.6 (07/06/2012):
* Fix a bug that requires a triple-click to open a conversation
window from the buddy list. (#15199)
version 2.10.5 (07/05/2012):
* Add support for GNOME3 proxy settings. (Mihai Serban) (#15054)
* Fix a crash that may occur when trying to ignore a user who is
not in the current chat room. (#15139)
* Fix building with MSVC on Windows (broken in 2.10.4). (Florian
* Fix a buffer overflow vulnerability when parsing incoming messages
containing inline images. Thanks to Ulf Härnhammar for reporting
this! (CVE-2012-3374)
version 2.10.4 (05/06/2012):
* Support building against Farstream in addition to Farsight.
(Olivier Crete) (#14936)
* Disable periodic WHO timer. IRC channel user lists will no
longer automatically display away status, but libpurple will be
much kinder to the network.
* Print unknown numerics to channel windows if we can associate
them. Thanks to Marien Zwart. (#15090)
* Fix a possible crash when receiving messages with certain characters
or character encodings. Thanks to Fabian Yamaguchi for reporting
this! (CVE-2012-2318)
* Fix a possible crash when receiving a series of specially crafted
file transfer requests. Thanks to José Valentín Gutiérrez for
reporting this! (CVE-2012-2214)
Windows-Specific Changes:
* Words added to spell check dictionaries are saved across restarts of
Pidgin (#11886)
version 2.10.3 (03/26/2012):
* Fix buddies not going offline. (#14997)
version 2.10.2 (03/14/2012):
* Fix compilation when using binutils 2.22 and new GDK pixbuf. (#14799)
* Fix compilation of the MXit protocol plugin with GLib 2.31. (#14773)
* Add support for the GNOME3 Network dialog. (#13882)
* Fix rare crash. (#14392)
* Add support for the GNOME3 Default Application dialog for configuring
the Browser.
* Support new connection states and signals for NetworkManager 0.9+.
(Dan Williams) (#13859)
AIM and ICQ:
* Fix a possible crash when receiving an unexpected message
from the server. (Thijs Alkemade) (#14983)
* Allow signing on with usernames containing periods and
underscores. (#13500)
* Allow adding buddies containing periods and underscores. (#13500)
* Don't try to format ICQ usernames entered as email addresses.
Gets rid of an "Unable to format username" error at login. (#13883)
* Fix possible crashes caused by not validating incoming messages as
UTF-8. (Thijs Alkemade) (#14884)
* Support new protocol version MSNP18. (#14753)
* Fix messages to offline contacts. (#14302)
Windows-Specific Changes:
* Fix the installer downloading of spell-checking dictionaries (#14612)
* Fix compilation of the Bonjour protocol plugin. (#14802)
* The autoaccept plugin will no longer reset the preference for unknown
buddies to "Auto Reject" in certain cases. (#14964)
version 2.10.1 (12/06/2011):
* Fix compilation on OpenBSD.
AIM and ICQ:
* Fix remotely-triggerable crashes by validating strings in a few
messages related to buddy list management. Thanks to Evgeny Boger
for reporting this! (#14682)
* IPv6 fixes (Linus Lüssing)
* Fix problems linking against GnuTLS. (#14544)
* Fix a memory leak when admitting UTF-8 text with a non-UTF-8 primary
encoding. (#14700)
* Fix crashes and memory leaks when receiving malformed voice
and video requests. Thanks to Thijs Alkemade for reporting this!
* Separate "username" and "server" when adding new Sametime accounts.
* Fix compilation in Visual C++. (#14608)
* Fix CVE-2011-3594, by UTF-8 validating incoming messages before
passing them to glib or libpurple. Identified by Diego Bauche
Madero from IOActive. (#14636)
* Fetch buddy icons in some cases where we previously weren't. (#13050)
Windows-Specific Changes:
* Fix compilation
version 2.10.0 (08/18/2011):
* Make the max size of incoming smileys a pref instead of hardcoding it.
(Quentin Brandon) (#5231)
* Added a plugin information dialog to show information for plugins
that aren't otherwise visible in the plugins dialog.
* Fix building with GTK+ earlier than 2.14.0 (GTK+ 2.10 is still the
minimum supported) (#14261)
* Fix a potential crash in the Log Reader plugin when reading QIP logs.
* Fix a large number of strcpy() and strcat() invocations to use
strlcpy() and strlcat(), etc., forestalling an entire class of
string buffer overrun bugs.
(The Electronic Frontier Foundation, Dan Auerbach, Chris Palmer,
Jacob Appelbaum)
* Change some filename manipulations in filectl.c to use MAXPATHLEN
instead of arbitrary length constants. (The Electronic Frontier
Foundation, Dan Auerbach, Chris Palmer, Jacob Appelbaum)
* Fix endianness-related crash in NTLM authentication (Jon Goldberg)
* Fixed searching for buddies in public directory. (Tomasz Wasilczyk)
* Better status message handling. (Tomasz Wasilczyk) (#14314)
* Merged two buddy blocking methods. (Tomasz Wasilczyk) (#5303)
* Fix building of the bundled libgadu library with older versions
of GnuTLS. (patch plucked from upstream) (#14365)
* Fix crash selecting Tools->Set Mood when you're online with an
ICQ account that is configured as an AIM account. (#14437)
* Fix a crash when remote users have certain characters in their
nicknames. (Discovered by Djego Ibanez) (#14341)
* Fix the handling of formatting following mIRC ^O (#14436)
* Fix crash when NAMES is empty. (James McLaughlin) (#14518)
* Fix incorrect handling of HTTP 100 responses when using the HTTP
connection method. This can lead to a crash. (Discovered by Marius
* Fix seemingly random crashing. (#14307)
* Fix a crash when the account is disconnected at the time we are doing a
SB request. (Hanzz, ported by shlomif) (#12431)
* Do not generate malformed XML ("</>") when setting an empty mood.
* Fix the /join <room> behavior. (Broken when adding support for
<room>@<server>) (#14205)
Yahoo!/Yahoo! JAPAN:
* Fix coming out of idle while in an unavailable state
* Fix logging into Yahoo! JAPAN. (#14259)
Windows-Specific Changes:
* Open an explorer.exe window at the location of the file when clicking
on a file link instead of executing the file, because executing a file
can be potentially dangerous. (Discovered by James Burton of
Insomnia Security) (Fixed by Eion Robb)
version 2.9.0 (06/23/2011):
* Fix a potential remote denial-of-service bug related to displaying
buddy icons.
* Significantly improved performance of larger IRC channels (regression
introduced in 2.8.0).
* Fix Conversation->Add on AIM and MSN.
* Entries in the chat user list are sorted properly again. This was
inadvertenly broken in 2.8.0.
* Fix logging in to ICQ.
* media: Actually use the specified TCP port from the TURN configuration to
create a TCP relay candidate.
AIM and ICQ:
* Fix crashes on some non-mainstream OSes when attempting to
printf("%s", NULL). (Clemens Huebner) (#14297)
* The Evolution Integration plugin compiles again.
version 2.8.0 (06/07/2011):
* Implement simple silence suppression for voice calls, preventing
wasted bandwidth for silent periods during a call. (Jakub Adam)
(half of #13180)
* Added the DigiCert High Assurance CA-3 intermediate CA, needed for
validation of the Facebook XMPP interface's certificate.
* Removed the QQ protocol plugin. It hasn't worked in a long time and
isn't being maintained, therefore we no longer want it.
* Duplicate code cleanup. (Gabriel Schulhof) (#10599)
* Voice/Video call window adapts correctly to adding or removing
streams on the fly. (Jakub Adam) (half of #13535)
* Don't cancel an ongoing call when rejecting the addition of a
stream to the existing call. (Jakub Adam) (#13537)
* Pidgin plugins can now override tab completion and detect clicks on
usernames in the chat userlist. (kawaii.neko) (#12599)
* Fix the tooltip being destroyed when it is full of information and
cover the mouse (dliang) (#10510)
* media: Allow obtaining active local and remote candidates. (Jakub
Adam) (#11830)
* media: Allow getting/setting video capabilities. (Jakub Adam) (half
of #13095)
* Simple Silence Suppression is optional per-account. (Jakub Adam)
(half of #13180)
* Fix purple-url-handler being unable to find an account.
* media: Allow adding/removing streams on the fly. (Jakub Adam)
(half of #13535)
* Support new connection states in NetworkManager 0.9. (Dan Williams)
* When removing a buddy, delete the pounces associated with it.
(Kartik Mohta) (#1131)
* media: Allow libpurple and plugins to set SDES properties for RTP
conferences. (Jakub Adam) (#12981)
* proxy: Add new "Tor/Privacy" proxy type that can be used to
restrict operations that could leak potentially sensitive data
(e.g. DNS queries). (#11110, #13928)
* media: Add support for using TCP relaying with TURN (will only work with
libnice 0.1.0 and later).
* Fix setting icons with dimensions greater than 64x64 pixels by scaling
them down to at most 64x64. (#12874, #13165)
* Allow showing your status only to buddies. (Mateusz Piękos) (#13358)
* Updated internal libgadu to version 1.10.1. (Robert Matusewicz,
Krzysztof Klinikowski) (#13525)
* Updated internal libgadu to version 1.11.0. (Tomasz Wasilczyk)
* Suppress blank messages that happen when receiving inline
images. (Tomasz Wasilczyk) (#13554)
* Fix sending inline images to remote users, don't crash when
trying to send large (> 256kB) images. (Tomasz Wasilczyk) (#13580)
* Support typing notifications. (Jan Zachorowski, Tomasz Wasilczyk,
Krzysztof Klinikowski) (#13362, #13590)
* Require libgadu 1.11.0 to avoid using internal libgadu.
* Optional SSL connection support for GNUTLS users (not on Windows
yet!). (Tomasz Wasilczyk) (#13613, #13894)
* Don't count received messages or statuses when determining whether
to send a keepalive packet. (Jan Zachorowski) (#13699)
* Fix a crash when receiving images on Windows or an incorrect
timestamp in the log when receiving images on Linux. (Tomasz
Wasilczyk) (#10268)
* Support XML events, resulting in immediate update of other users'
buddy icons. (Tomasz Wasilczyk) (#13739)
* Accept poorly formatted URLs from other third-party clients in
the same manner as the official client. (Tomasz Wasilczyk)
* Fix setting icons with dimensions greater than 64x64 pixels by scaling
them down to at most 64x64. (#12874, #13165)
* Fix unsetting your mood when "None" is selected. (Dustin Gathmann)
* Ignore Daylight Saving Time when performing calculations related to
birthdays. (Dustin Gathmann) (#13533)
* It is now possible to specify multiple encodings on the Advanced
tab of an ICQ account's settings by using a comma-delimited list.
(Dmitry Utkin) (#13496)
* Add "authserv" service command. (tomos) (#13337)
* Fix a hard-to-exploit crash in the MSN protocol when using the
HTTP connection method (Reported by Marius Wachtler).
* Support for an Invite Message when adding a buddy.
* Fixed bug in splitting-up of messages that contain a lot of links.
* Fixed crash caused by timer not being disabled on disconnect.
(introduced in 2.7.11)
* Clearing of the conversation window now works.
* When receiving an invite you can display the sender's profile
information, avatar image, invite message.
* The Change PIN option was moved into separate action.
* New profile attributes added and shown.
* Update to protocol v6.3.
* Added the ability to view and invite your Suggested Friends,
and to search for contacts.
* Also display the Status Message of offline contacts in their
profile information.
* Remember the previously entered user directory when searching.
(Keith Moyer) (#12451)
* Correctly handle a buddy's unsetting his/her vCard-based avatar.
(Matthew W.S. Bell) (#13370)
* Squash one more situation that resulted in duplicate entries in
the roster (this one where the server reports the buddy as being
in the same (empty) group. (Reported by Danny Mayer)
* The Voice/Video Settings plugin now includes the ability to test
microphone settings. (Jakub Adam) (#13182)
* Fix a crash when handling some saved settings in the Voice/Video
Settings plugin. (Pat Erley) (13290, #13774)
Windows-Specific Changes:
* Fix building libpurple with Visual C++ .NET 2005. This was
accidentally broken in 2.7.11. (Florian Quèze)
* Build internal libgadu using packed structs, fixing several
long-standing Gadu-Gadu issues. (#11958, #6297)
version 2.7.11 (03/10/2011):
* Our bundled libgadu should now build on HP-UX.
* Fix some instances of file transfers never completing. (Cristi Posoiu)
* Sort by Status no longer causes buddies to move around when you
click them.
* Fix embedding in the system tray on older GTK+ releases (such as on
CentOS 5.5 and older Fedora).
* No longer require libstartup-notification for startup notification
support. GTK+ has included support for years, so use it instead. (David
Benjamin) (#13245)
* Fix a bug where some buddies from your buddy list might not show up.
Affected non-English ICQ users the most. (#13386)
* Send keepalives for all types of network connections. Will hopefully
make chat rooms more reliable. (#1449)
* Fix bug that prevented added buddies to your buddy list in certain
circumstances. (#13298)
* MXit plugin and reported client version now follow the libpurple
* Don't try to request profile information for non-user contacts.
* Allow Re-Invite for contacts in Deleted or Rejected state.
* Ensure we don't send packets too fast to the MXit server and trigger
its flood-detection mechanism. Also increased the internal packet queue
to 32 packets.
* Fix building on platforms with an older glib (inadvertantly broken in
2.7.10). (#13329)
* Don't treat the on-join status storms as 'new arrivals'. (Thijs
Alkemade) (#a14527)
* Extend the /join command to support room JIDs, enabling you to join
a room on any server. (Solarius, Matěj Cepl, Tirtha 'wyuka'
Chatterjee) (#4526)
* Add support for receiving a limited amount of history when joining a
room (not currently supported by Pidgin and Finch). (Thijs Alkemade)
(#10986, #a14219)
Yahoo!/Yahoo! JAPAN:
* Fix CVE-2011-1091, denials of service caused by NULL pointer
dereferences due to improper handling of malformed YMSG packets. Thanks
to Marius Wachtler for reporting this and reviewing the fix!
version 2.7.10 (02/06/2011):
* Force video sources to all have the same capabilities. This reduces the
number of times video must be scaled down, saving CPU time. (Jakub Adam)
(half of #13095)
* Starting multiple video calls and ending one no longer causes the other
calls to stop sending audio and video. (Jakub Adam) (#12758, #13237)
* Perl bindings now respect LDFLAGS. (Peter Volkov, Markos Chandras)
* Added AddTrust External Root CA. (#11554)
* Resolve some issues validating X.509 certificates signed off the CAcert
Class 3 intermediate cert when using the GnuTLS SSL/TLS plugin.
* Don't drop whole messages when text is colored. (Jan Zachorowski)
* Don't show two windows when using "Get Info" on a buddy. (Gabriel Burt;
Novell, Inc.) (#13108)
* Don't send ISON messages longer than 512 bytes. (Jeffrey Honig) (#9692)
* Stop sending audio when placing a call on hold. (Jakub Adam) (#13032)
* Stop translating gpointers to ints in the dbus API. This removes
functions from the dbus API. (The openSUSE Project) (#12507)
* Fix D-Bus introspection calls that omit the interface parameter. (Tom
Samstag) (#13073)
* Fixed bugs in purple_str_to_time() that caused the most recent 'make
check' failures. (Nader Morshed) (#13131)
* Correct an issue that caused some UIs other than Pidgin or Finch to
leave a buddy in the "is typing" state. (Jan Kaluza)
* Fix potential information disclosure issues in the Cipher code. (Julia
* Support using the Page Up and Page Down keys on the numeric keypad in
the conversation window. (Ryan Flegel) (#13127)
* Fix a few memory leaks. (Nader Morshed) (#13162)
* Support rendering strikethrough when received as in-line CSS. (#13168)
* Editable comboboxes are now more friendly to some GTK+ themes. (Hugo
Pereira Da Costa) (#13164).
* The Voice/Video Settings plugin no longer resets selected devices to
defaults. (Jakub Adam) (#13044)
* The Voice/Video Settings plugin no longer crashes when a stored device
name is not found in the list of available devices. (Jakub Adam)
* The Autoaccept plugin now allows disabling filename escaping. (Rok
Mandeljc) (half of #11459)
* The Autoaccept plugin now allows choosing Reject/Ask/Accept for
non-buddies. (Rok Mandeljc) (half of #11459)
* QQ2008 is now the default protocol version. (Michael Terry) (#11635)
* Don't crash when receiving an unexpected/invalid jingle transport type.
(Nikita Kozlov) (#13136)
* Handle Connection: Close headers for BOSH, when the server does not
terminate the connection itself. (#13008)
* Improved parsing for DIGEST-MD5, which should resolve issues
connecting to some jabberd2 servers. This corrects an issue parsing
one-character or empty elements. (Noa Resare) (#a14514)
Yahoo!/Yahoo! JAPAN:
* Fix a crash when an account disconnects before a p2p session is
completely set up. (Jan Kaluza) (#12432)
version 2.7.9 (12/26/2010):
* Fix CVE-2010-4528, a crash when receiving short packets related to
P2Pv2 messages.
version 2.7.8 (12/19/2010):
* Fix the exceptions in purple-remote on Python 2.6+. (Ari Pollak)
* When a conversation has reached the maximum limit on the number
of smileys, display the text representation of the smiley properly
when it contains HTML-escapable characters (e.g. "<3" was previously
displayed as "&lt;3").
* Drop dependency on GdkGC and use Cairo instead.
* New UI hack to assist in first-time setup of Facebook accounts with
icon from Jakub Szypulka.
* Don't hide the buddy list if there is no notification area in which
to put the icon. (#12129)
* Fix multipart parsing when '=' is included in the boundary for
purple_mime_document_parse. (Jakub Adam) (#11598)
AIM and ICQ:
* Buddies who unset their status message will now be correctly shown
without a message in your buddy list. (#12988)
* Updated our bundled libgadu and minimum requirement for external
libgadu to 1.9.0. (#12789)
* Stop showing ourselves in the list of endpoints that can be
* Allow full-size display names, by not escaping (most) non-English
characters. (#8508)
* Fix receiving messages from users on Yahoo and other federated
services. (#13022)
* Correctly remove old endpoints from the list when they sign out.
* Add option to disable connections from multiple locations. (#13017)
* Correctly update your own display name in the buddy list. (#13064)
* Correctly show ourselves as offline in the buddy list when going
invisible. (#12945)
* Correctly update your own icon in the buddy list. (#12973)
* Remove struct packing for better portability. (#12856)
* Terminate Jingle sessions with unsupported content types. (#13048)
version 2.7.7 (11/23/2010):
* Allow multiple CA certificates to share the same Distinguished Name
(DN). Partially fixes remaining MSN issues from #12906.
* The GNUTLS SSL plugin now discards any certificate (and all subsequent
certificates) in a chain if it did not sign the previous certificate.
Partially fixes remaining MSN issues from #12906.
* Open requests related to a file transfer are now closed when the request
is cancelled locally. (#11666)
AIM and ICQ:
* AIM should now connect if "Use clientLogin" is turned off and the
"Server" field is set to anything other than "" or
"". (#12948)
* Fix a crash on connection loss. (#5927)
version 2.7.6 (11/21/2010):
* Included Microsoft Internet Authority 2010 and Microsoft Secure Server
Authority 2010 intermediate CA certificates to our bundle. This fixes
the "Unable to validate certificate" error for
* Avoid a use-after-free race condition in the media code (when
there's an error reported by GStreamer). (#12806, Jakub Adam)
AIM and ICQ:
* SSL option has been changed to a tri-state menu with choices for
"Don't Use Encryption", "Use Encryption if Available", and "Require
* Fix some possible clientLogin URL issues introduced in version 2.7.5.
* Don't show a "<URL>: Ok" connection error when using clientLogin.
* Cleaned up some debug output for improved readability.
* Added support for MSNP16, including Multiple Points of Presence (MPOP)
which allows multiple simultaneous sign-ins. (#8247)
* Added extended capabilities support (none implemented).
* Merged the work done on the Google SoC (major rewrite of SLP code)
* Reworked the data transfer architecture.
* Lots of little changes.
* Don't process zero-length DC messages. (#12660)
* Fixed a bunch of memory leaks.
* Prevent a use-after-free condition.
* Avoid a double-free in the Google Relay (V/V) code.
* Avoid double error message when failing a file transfer. (#12757)
* Password-related information is printed out for SASL authentication
when the PURPLE_UNSAFE_DEBUG environment variable is set.
* Authentication mechanisms can now be added by UI's or other plugins
with some work. This is outside the API/ABI rules! (#12715)
* Fixed a few printf("%s", NULL) crashes for broken OSes.
Windows-Specific Changes:
* Build the Pidgin Theme Editor plugin (finally).
* Untarring (for themes) now works for non-ASCII destination paths.
version 2.7.5 (10/31/2010):
* Added Verisign Class 3 Public CA - G2 root CA.
* Properly differentiate between bn and bn_IN in the Translation
Information dialog.
AIM and/or ICQ:
* Display the "Authorize buddy?" minidialog when the requestor has an
empty nickname. (#12810)
* New ICQ accounts default to proper ICQ servers. Old accounts using one
of the old default servers will be silently migrated to use the proper
* ICQ accounts using clientLogin now use the correct ICQ servers. This is
separate from the server settings mentioned above.
* '<' should no longer cause ICQ status messages to be truncated in some
locations. (#11964, #12593)
* Fix sending messages to chat rooms. (#12768)
* Don't crash when attempting to log into a Bonjour account and init
Windows-Specific Changes:
* Quote the path stored in the registry when the "run at startup" option
in the Windows Pidgin Options plugin is used. (#12781)
version 2.7.4 (10/20/2010):
* Fix search path for Tk when compiling on Debian Squeeze. (#12465)
* purple-remote now expects and produces UTF-8. (Guillaume Brunerie)
* Add Deutsche Telekom, Thawte Primary, and Go Daddy Class 2 root CAs
(#12667, #12668, and #12594)
* Fix CVE-2010-3711 by properly validating return values from the
purple_base64_decode() function before using them.
* Fix two local crash bugs by properly validating return values from the
purple_base16_decode() function before using them.
* Fall back to an ordinary request if a UI does not support showing a
request with an icon. Fixes receiving MSN file transfer requests
including a thumbnail in Finch. (#12561)
* Fix an invalid memory access when removing UPnP mappings that could
cause sporadic crashes, most notably when MSN Direct Connections are
enabled. (#12387)
* Add a sentence to the certificate warning for expired certificates
suggesting the user check their computer's date and time. (#12654)
* Add support for the Gadu-Gadu protocol in the gevolution plugin to
provide Evolution integration with contacts with GG IDs. (#10709)
* Remap the "Set User Mood" shortcut to Control-D, which does not
conflict with the previous shortcut for Get Buddy Info on the
selected buddy.
* Add a plugin action menu (under Tools) for the Voice and Video
Settings plugin.
* Use GRegex for the debug window where available. This brings regex
filtering to the debug window on Windows. (Eion Robb) (#12601)
* Add Google Chrome to the list of possible browsers on non-Windows
* Add Chromium to the list of possible browsers on non-Windows systems.
* The "Manual" browser option is now stored as a string. It is no
longer necessary to specify a full path to the browser command.
(Rodrigo Tobar Carrizo) (#12024)
* The Send To menu can now be used if the active account in the
conversation becomes disabled or inactive. (Keith Moyer) (#12471)
* xdg-open is now the default browser for new users on non-Windows
platforms. (Stanislav Brabec) (#12505)
* The "Authorize buddy?" mini-dialog now shows the nickname of
the buddy requesting authorization as well as the icon of
the IM protocol he is using. (#5038)
* Add support for drop-down account options (like the SILC cipher
and HMAC options or the QQ protocol version).
* Unify the connection security-related settings into one dropdown.
* Fix a crash when multiple accounts are simultaneously performing
SASL authentication when built with Cyrus SASL support. (thanks
to Jan Kaluza) (#11560)
* Restore the ability to connect to XMPP servers that do not offer
Stream ID. (#12331)
* Added support for using Google's relay servers when making voice and
video calls to Google clients.
* Fix detecting file transfer proxies advertised by the server.
* Advertise support for Google Talk's JID Domain Discovery extension
in all cases again (changed in 2.7.0), not just when the domain
is "" or "" (it's also needed for Google
Talk used for accounts on arbitrary domains not using Google Apps
for Your Domain). (#a14153)
* Improved handling of adding oneself to your buddy list when using
Non-SASL (legacy) authentication. (#12499)
* Generate a connection error instead of just stalling when the
_xmppconnect TXT record returns results, but none of them result
in a valid BOSH URI. (#a14367, #12744)
AIM and ICQ:
* Add support for managing Visible/Invisible lists. (#10967)
* Fix a problem with receiving HTML messages from
QIP/Miranda/Trillian. (#12044)
* Hopefully fixed all encoding-related problems, both
for sending and receiving messages. (#10833 and the like)
* Fix a problem with receiving messages from pyicqt. (#12284)
* Don't set a custom status text when going Invisible to avoid
being detected as Invisible. (#10633)
Yahoo/Yahoo JAPAN:
* Stop doing unnecessary lookups of certain alias information. This
solves deadlocks when a given Yahoo account has a ridiculously large
(>500 buddies) list and may improve login speed for those on slow
connections. (#12532)
* Fix sending SMS messages. The lookup host changed on us. (Thanks to
todo) (#12688).
* Improvements for some file transfer scenarios, but not all.
* Bonjour support now requires Apple Bonjour Print Services version
2.0.0 or newer (
* Fall back to an ordinary request if a UI does not support showing a
request with an icon. Fixes receiving MSN file transfer requests
including a thumbnail in Finch.
* Add support for the Gadu-Gadu protocol in the gevolution plugin to
provide Evolution integration with contacts with GG IDs. (#10709)
* Remap the "Set User Mood" shortcut to Control-D, which does not
conflict with the previous shortcut for Get Buddy Info on the
selected buddy.
* Add a plugin action menu (under Tools) for the Voice and Video
Settings plugin.
* Add support for drop-down account options (like the SILC cipher
and HMAC options or the QQ protocol version).
* Unify the connection security-related settings into one dropdown.
* Fix a crash when multiple accounts are simultaneously performing
SASL authentication when built with Cyrus SASL support. (thanks
to Jan Kaluza) (#11560)
* Restore the ability to connect to XMPP servers that do not offer
Stream ID. (#12331)
* Added support for using Google's relay servers when making voice and
video calls to Google clients.
Yahoo/Yahoo JAPAN:
* Stop doing unnecessary lookups of certain alias information. This
solves deadlocks when a given Yahoo account has a ridiculously large
(>500 buddies) list and may improve login speed for those on slow
connections. (#12532)
version 2.7.3 (08/10/2010):
* Use silent build rules for automake >1.11. You can enable verbose
builds with the --disable-silent-rules configure option, or using
make V=1.
* Fix the TURN server settings (broken in 2.7.0).
* Re-focus the input area after clicking the attention toolbar button.
* Re-arrange media window to make it more netbook-friendly.
* Rebindable 'suggest-next-page' and 'suggest-prev-page' actions for
textboxes (GntEntry) to scroll through list of suggestions.
* Rebindable 'dropdown' action for comboboxes (GntComboBox) to show the
dropdown list of options.
* Fix non-ASCII arguments to /mode et al. (thanks to Max Ulidtko)
* Support for web-based buddy icons, used when a buddy logs in to the
messenger on the Live website.
* Fix file transfers with some clients that don't support direct
connections (e.g., papyon, telepathy-butterfly, etc.) (#12150)
* Fix filename for the Shocked emoticon. (#12364)
* Implement the new naming conventions where possible. (MXitId, etc)
* Display a message in the Groupchat window when you invite somebody.
* Birthday field in profile cannot be edited when server says it is
* If a buddy is offline, show in their profile when last they were online.
* Handle pushed profile update packets (ie, when changing your avatar via
the Gallery bot).
* If a buddy is offline and we see from their profile that they have
updated their avatar, request the new avatar image from the server.
* Fix a possible crash if a link is clicked while disconnected.
* Unescape any escaped characters in a chatroom nickname.
* Add the new MXit moods and emoticons.
* MXit emoticons added to the small emoticon theme.
* Allow connecting to servers that only advertise GSSAPI and expect
a fallback to legacy IQ authentication (broken in 2.7.0).
* Fix a crash when receiving custom emoticons that don't adhere to
the specification.
* When initiating a file transfer, don't show resources that are certain
to not support file transfers in the resource selection dialog.
* Fix connecting to servers using BOSH and authenticating with
DIGEST-MD5 when libpurple was built with Cyrus SASL support.
Yahoo/Yahoo JAPAN:
* Renamed "Use account proxy for SSL connections" to "Use account proxy
for HTTP and HTTPS requests" and tied the option to HTTP requests too.
* Properly detect HTTP proxy server use when the HTTP proxy is the
global proxy server, an account-level non-HTTP proxy server is
configured, and the "Use account proxy for HTTP and HTTPS requests"
account option is turned off. This fixes connecting for some HTTP
proxy servers.
* Fall back to connecting to (not configurable) if
the HTTP-based connect server lookup fails. This does not work for
Yahoo JAPAN accounts.
* Fix file transfers that get stuck with "Waiting for transfer to
version 2.7.2 (07/21/2010):
AIM and ICQ:
* Fix a crash bug related to X-Status messages that can be triggered by
remote users. This is CVE-2010-2528.
* Fix a rare crash bug caused by certain incoming SMS messages
(discovered by Jan Kaluza--thanks Jan!).
* Change HTML sent from ICQ accounts so that official ICQ clients
hopefully display it correctly.
* Fix a crash related to fast buddy icon transfers.
version 2.7.1 (05/29/2010):
* Build fixes on OpenSolaris. (Brian Lu)
* Add configure option --enable-trayicon-compat which installs tray
icons into directories that are compatible with older versions of
hicolor-icon-theme (0.9).
* Restore the tray icon's blinking functionality.
* Fix a crash setting moods when an account is disconnected.
* Fix a crash on disconnect.
* Fix bug that caused HTML to be displayed in incoming messages.
* Fix unnecessary bandwidth consumption for buddy icon requests when
buddies have capital letters in their passport addresses.
* Support for direct connections, enabling faster file transfers,
smiley and buddy icon loading. (Gábor Szuromi)
* Allow connecting to servers that advertise EXTERNAL (broken in
* Replace the MXit-specific mood management with the new standard Moods
* Add the standard MXit emoticons.
* Improve the handling of users being kicked from MultiMX rooms.
* MXit doesn't allow you to see your buddy's Email Address or Title,
so remove those two fields from the "Buddy Information" page.
* Show buddy's Registration Country in their profile.
* Increment protocol version to v6.0
* If an invite you sent was rejected with a reason, display that
message in the buddy tooltip.
* CAPTCHA value is a required field during account activation.
(Resolves issue on Maemo)
* When your avatar image is changed, don't forget the user's profile
Windows-Specific Changes:
* Fix a regression introduced in 2.7.0 that caused Window Flashing not
to work.
version 2.7.0 (05/12/2010):
* Changed GTK+ minimum version requirement to 2.10.0.
* Changed GLib minimum version requirement to 2.12.0.
* Using the --disable-nls argument to configure now works properly.
You will no longer be forced to have intltool to configure and build.
* Fix two related crashes in the GnuTLS and NSS plugins when they
suffer internal errors immediately upon attempting to establish
an SSL connection.
* Fix NSS to work when reinitialized after being used. (Thanks to
Ludovico Cavedon for the testcase)
* Added support for PURPLE_GNUTLS_PRIORITIES environment variable.
This can be used to specify GnuTLS priorities on a per-host basis.
The format is "host=priority;host2=priority;...". The default
priority can be overridden by using "*" as the host. See the
GnuTLS manual for documentation on the format of the priority
* Fix autoconf detection of Python. (Brad Smith)
* Fix a crash when a Windows proxy (from IE) does not have a port.
(Marten Klencke)
* Moved the "Debugging Information" section of the About box to a
"Build Information" dialog accessible on the Help menu.
* Moved the Developer and Crazy Patch Writer information from the About
box to a "Developer Information" dialog accessible on the Help menu.
* Moved the Translator information from the About box to a "Translator
Information" dialog accessible on the Help menu.
* Use GtkStatusIcon for the docklet, providing better integration in
notification area.
* Added UI for sending attentions (buzz, nudge) on supporting protocols.
* Make the search dialog unobtrusive in the conversation window (by
making it look and behave like the search dialog in Firefox)
* The Recent Log Activity sort method for the Buddy List now
distinguishes between no activity and a small amount of activity
in the distant past. (Greg McNew)
* Added a menu set mood globally for all mood-supporting accounts
(currently XMPP and ICQ).
* Default binding of Ctrl+Shift+v to 'Paste as Plain Text' in
conversation windows. This can be changed in .gtkrc-2.0. For example,
Ctrl+v can be bound to 'Paste as Plain Text' by default.
* Plugins can now handle markup in buddy names by attaching to the
"drawing-buddy" signal. (Daniele Ricci, Andrea Piccinelli)
* Be more accommodating when scaling down large images for use as
buddy icons.
* The 'Message Timestamp Formats' plugin allows changing the timestamp
format from the timestamps' context menu in conversation log.
* The 'Message Timestamp Formats' plugin allows forcing 12-hour
timestamps. (Jonathan Maltz)
* Fix pastes from Chrome (rich-text pastes and probably URLs
having garbage appended to them).
* Show file transfer thumbnails for images on supporting protocols
(currently only supported on MSN).
* Added support for IPv6. (Thanks to T_X for testing)
* Updated our bundled libgadu to 1.9.0-rc2 (many thanks to Krzysztof
Klinikowski for the work and testing put in here!)
* Minimum requirement for external libgadu is now also 1.9.0-rc2.
AIM and ICQ:
* X-Status (Custom ICQ status icon) support. Since most of the icons
available reflect moods, this is labeled "Set Mood" on the
Accounts->ICQ Account menu. (Andrew Ivanov, Tomáš Kebert,
Yuriy Yevgrafov, and trac users bob007, salieff, and nops)
* Allow setting and displaying icons between 1x1 and 100x100 pixels for
ICQ. Previously only icons between 48x48 and 52x64 were allowed.
* When using the clientLogin authentication method, prompt for a
password on reconnect when "Remember Password" is not checked and
authentication fails due to an incorrect password. (This is the same
behavior as the legacy authentication method)
* Support sending and receiving HTML-formatted messages for ICQ.
* Use the proper URL for "View web profile" link for ICQ buddies.
(Alexander Nartov)
* Support for version 9 of the MSN protocol has been removed. This
version is no longer supported on the servers.
* Support file transfer thumbnails (previews) for images.
* Fix CVE-2010-1624 (custom emoticon remote crash).
* Direct messages to a specific resource only upon receipt of a message
with content (as opposed to a typing notification, etc). (Thanks to
rjoly for testing)
* Present a better error message when authentication fails while trying
to connect to Facebook. (David Reiss, Facebook)
* When sending data using in-band-bytestreams, interpret the block-size
attribute as the size of the BASE64-encoded representation of the
* Validate the hash on incoming BoB data objects (for custom smileys
etc.), cache based per JID when the CID is not a valid hash (as
specified by the BoB XEP).
* Send whitespace keepalives if we haven't sent data in a while (2
minutes). This fixes an issue with Openfire disconnecting a
libpurple-baesd client that has just been quiet for about 6
* Only support Google Talk's JID Domain Discovery extension
(allowing a user to log in with "" or ""
interchangeably) for those two domains. This change was made
due to interoperability issues with some BOSH Connection Managers
and namespaced attributes.
Yahoo/Yahoo JAPAN:
* Attempt to better handle transparent proxies interfering with
HTTP-based login.
* Fix handling of P2P packets, thus fixing the loss of some messages.
* Retrieve the pager server address from Yahoo!'s servers directly.
* Removed the "Pager server" account option, as it is no longer needed.
* The authentication code is now less order-sensitive with the
components of the server's response.
* The authentication process now acts more like the official client.
* New action 'history-search', with default binding ctrl+r, to search
the entered string in the input history.
Windows-Specific Changes
* Updated GTK+ to 2.16.6
* Private GTK+ Runtime now used (GTK+ Installer no longer supported)
* Minimum required GTK+ version increased to 2.14.7
* Windows 95, Windows 98, Windows 98 Second Edition, Windows ME
(Millennium Edition), and Windows NT 4.0 longer supported due to GTK+
requirements changes.
* Crash Report files (pidgin.RPT) are now generated in the ~/.purple
directory instead of the installation directory.
* NSS SSL Library upgraded to 3.12.5 (thanks to Berke Viktor)
* GtkSpell upgraded to 2.0.16, changing the spellchecking backend to
enchant. This means that myspell and hunspell (OpenOffice)
dictionaries can be used (previous versions' aspell dictionaries
will not work).
version 2.6.6 (02/18/2010):
* Fix 'make check' on OS X. (David Fang)
* Fix a quirk in purple_markup_html_to_xhtml that caused some messages
to be improperly converted to XHTML.
* Set "controlling-mode" correctly when initializing a media session.
Fixes receiving voice calls from Psi.
* When looking up DNS records, use the type of record returned by the
server (instead of the type we asked for) to determine how to process
the record.
* Fix an issue with parsing XML attributes that contain "&lt;br&gt;".
See ChangeLog.API for more details.
* Correctly disable all missing dependencies when using the
--disable-missing-dependencies option. (Gabriel Schulhof)
* Fix display of avatars after a server-side change. (Krzysztof
* Allow setting and displaying icons between 1x1 and 100x100 pixels.
Previously only icons between 48x48 and 50x50 were allowed.
* Fix CVE-2010-0277, a possible remote crash when parsing an incoming
SLP message. (Discovered by Fabian Yamaguchi)
* File transfer requests will no longer cause a crash if you delete the
file before the other side accepts.
* Received files will no longer hold an extra lock after completion,
meaning they can be moved or deleted without complaints from your OS.
* Buddies who sign in from a second location will no longer cause an
unnecessary chat window to open.
* Support setting an animated GIF as a buddy icon.
* Numerous code cleanups and memory savings.
* Fix a leak and crash when retrieving buddy icons.
* Less likely to send messages to a contact's idle/inactive resource.
Previously, if a message was received from a specific resource,
responses would be sent to that resource until either it went offline
or a message is received from another resource. Now, messages are
sent to the bare JID upon receipt of any presence change from the
* Added support for the SCRAM-SHA-1 SASL mechanism. This is only
available when built without Cyrus SASL support.
* When getting info on a domain-only (server) JID, show uptime
(when given by the result of the "last query") and don't show status
as offline.
* Fix getting info on your own JID.
* Wrap XHTML messages in <p>, as described in XEP-0071, for
compatibility with some clients.
* Don't do an SRV lookup for a STUN server associated with the account
if one is already set globally in prefs.
* Don't send custom smileys larger than the recommended maximum object
size specified in the BoB XEP. This prevents a client from being
disconnected by servers that dislike overly-large stanzas.
* Fix receiving messages without markup over an Openfire BOSH
connection (forcibly put the stanzas in the jabber:client namespace).
* The default value for the file transfer proxies is automatically
updated when an account connects, if it is still the old (broken)
default (from '' to '').
* Fix an issue where libpurple created duplicate buddies if the roster
contains a buddy in two groups that differ only by case
(e.g. "XMPP" and "xmpp") (or not at all).
* Don't send <span> and </span> tags. (Fartash Faghri)
* Support PingBox. PingBoxes will appear as pbx/PingBoxName. (Kartik
* Fix CVE-2010-0423, a denial of service attack due to the parsing
of large numbers of smileys. (Discovered by Antti Hayrynen)
* Correctly size conversation and status box entries when the
interior-focus style property is diabled. (Gabriel Schulhof)
* Correctly handle a multiline text field being required in a
request form. (Thanks to Florian Zeitz for finding this problem)
* Search friends by email-addresses in the buddy list. (Luoh Ren-Shan)
* Allow dropping an image on Custom Smiley window to add a new one.
* Prompt for confirmation when clearing a whiteboard (doodle) session.
(Kartik Mohta)
* Use the "hand" cursor when hovering over usernames in chat history to
indicate that the username is an actionable item.
* Double-clicking usernames in chat history will open an IM with that
* Put an icon on the "Filter" button in the debug window.
* Don't treat "/messages/like/this " as commands.
* Explicitly mark user interaction when inserting smilies from the
toolbar so "Undo" correctly removes these smilies.
* Clicking "New" or "Saved" in the status selector menu while typing a
status message no longer keeps the status entry area stuck in "typing"
mode forever.
* Show tooltips for ellipsized conversation tabs. On older systems,
tooltips will show for all tabs.
* The File Transfers and Debug Window windows are no longer created as
dialogs. These windows should now have minimize buttons in many
environments in which they were previously missing
(including Windows).
* Smiley themes with Windows line endings no longer cause theme
descriptions not to be displayed in the theme selector.
* Fix CVE-2010-0420, a possible remote crash when handling chat room
buddy names.
* Rebindable 'move-first' and 'move-last' actions for tree widgets. So
it is possible to jump to the first or last entry in the buddy list
(and other such lists) by pressing home or end key (defaults)
version 2.6.5 (01/08/2010):
* TLS certificates are actually stored to the local cache once again
(accepting a name mismatch on a certificate should now be remembered)
* Build-time fixes for Solaris. (Paul Townsend)
AIM and ICQ:
* Messages from some mobile clients are no longer displayed as
Chinese characters (broken in 2.6.4)
* Fix an issue allowing a remote user to download arbitrary files from
a libpurple client. (CVE-2010-0013)
* Do not crash when attempting to register for a new account on Windows.
* Fix file transfer with clients that do not support Entity Capabilities
(e.g. Spark)
version 2.6.4 (11/29/2009):
* Actually emit the hold signal for media calls.
* Fix building the GnuTLS plugin with older versions of GnuTLS.
* Fix DNS TXT query resolution.
* Don't send Proxy-Authorization headers to HTTP proxy servers until
we've received a "407 Proxy Authentication Required" response from
the server. (thecrux)
* Added "MXit" protocol plugin, supported and maintained by the MXit
folks themselves (MXit Lifestyle (Pty) Ltd.)
* New 'plugins' sub-command to 'debug' command (i.e. '/debug plugins')
to announce the list of loaded plugins (in both Finch and Pidgin).
* Always rejoin open chats after an account reconnects.
AIM and ICQ:
* Better rate limit calculations and other improvements. (Aman Gupta)
* More detailed error messages when messages fail to send. (Aman Gupta)
* The simultaneous login account option is respected when using
the clientLogin authentication method.
* Fix offline message retrieval (broken in 2.6.3)
* Fix handling of markup on some messages (broken in 2.6.2)
* Fix SSL when clientLogin is enabled.
* Fix sending and receiving Unicode characters in a Direct IM
* Don't forget display names for buddies.
* Fix a random crash that might occur when idle.
* Fix more FQY 240 connection errors.
* Fix a crash that could occur when adding a buddy.
* Fix an occasional crash when sending message to an offline user.
* Fix a random crash that might occur when idle.
* Fix a crash when logging in with some long non-ASCII passwords.
(Shaun Lindsay)
* Cache our own friendly name as the server no longer does that for
us. Users of older versions may need to re-set their friendly name
as it has probably been reset.
* Users connecting to Google Talk now have an "Initiate Chat" context
menu option for their buddies. (Eion Robb)
* Fix a crash when attempting to validate an invalid JID.
* Resolve an issue when connecting to iChat Server when no resource
is specified.
* Try to automatically find a STUN server by using an SRV lookup on the
account's domain, and use that for voice and video if found and the
user didn't set one manually in prefs.
* Fix a crash when adding a buddy without an '@'.
* Don't show the option to send a file to a buddy if we know for certain
they don't support any file transfer method supported by libpurple.
* Keep the avatar on the server if one is not set locally.
* Fix sending /buzz.
* Fix blocking behavior for federated (MSN/OCS/Sametime) service users.
(Jason Cohen)
* Add support for adding OCS and Sametime buddies. OCS users are added
as "ocs/user@domain.tld" and Sametime users are added as
"ibm/sametime_id". (Jason Cohen)
* The TinyURL plugin now creates shorter URLs for long non-conversation
URLs, e.g. URLs to open Inbox in Yahoo/MSN protocols, or the Yahoo
Captcha when joining chat rooms.
* Fix displaying umlauts etc. in non-utf8 locale (fix in libgnt).
* The userlist in a multiuser chat can be styled via gtkrc by using the
widget name "pidgin_conv_userlist". (Heiko Schmitt)
* Add a hold button to the media window.
* Fix a bug where the conversation backlog stops scrolling in a very
busy chat room.
* In the Conversation "Send To" menu, offline buddies appear grayed
out (but are still selectable). Previously, only offline buddies on
accounts that do not support offline messaging appeared grayed out.
Pidgin Preference and Preference Window Changes:
* Removed the "Use font from theme" and "Conversation Font" preferences
for everyone except Windows users. The font can be controlled from
the Pidgin GTK+ Theme Control plugin.
* Tabs in the Preferences window are now on the left side.
* The Browser tab is now visible for GNOME users.
* Added a Proxy tab shown no matter what environment Pidgin runs in.
* The Browser and Proxy tabs show appropriate GNOME-specific messages
and allow launching the correct applications to change the relevant
GNOME preferences if found. These were previously together on the
Network tab.
* Moved the port range spin buttons on the Network tab to be beside the
checkbox that enables/disables them.
* Reorganized preferences on the Status/Idle tab to have one less
* Reorganized preferences on the Sounds tab to have one less "section."
* Renamed Smiley Themes tab to Themes.
* Moved Buddy List Theme and Status Icon Theme selectors from Interface
tab to Themes tab.
* Moved Sound Theme selector from Sounds tab to Themes tab.
* Changed the Smiley Theme selector to be consistent with the other
theme selectors.
* Rearranged tabs such that Interface is first and all remaining tabs
are alphabetized in English.
version 2.6.3 (10/16/2009):
* Fix a crash when performing DNS queries on Unixes that use the
blocking DNS lookups. (Brian Lu)
AIM and ICQ:
* Fix a crash when some clients send contacts in a format we don't
* Fix blocking and other privacy lists. (Thanks to AOL)
version 2.6.2 (09/05/2009):
* Fix --disable-avahi to actually disable it in configure, as opposed
to just making the warning non-fatal.
* Fix using GNOME proxy settings properly. (Erik van Pienbroek)
* Fix parsing of invalid TOPIC messages. (CVE-2009-2703)
* Sending custom smileys in chats is now supported.
* Ink messages are now saved when using the HTML logger.
* Fix a crash when receiving some handwritten messages.
* Fix a crash when receiving certain SLP invite messages.
* Chats with multiple people should no longer spontaneously
* Prompt the user before cancelling a presence subscription.
* Escape status messages that have HTML entities in the Get Info dialog.
* Fix connecting to XMPP domains with no SRV records from Pidgin on
* Fix typing notifications with Pidgin 2.5.9 or earlier.
* Fix connecting using BOSH and legacy authentication (XEP-0078).
* Adding buddies of the form "" are handled
properly. In addition, it is no longer possible to add buddies of
the form "", where is a MUC.
* Don't crash when receiving "smileyfied" XHTML-IM from clients that
don't support bits of binary (ie. when getting an empty <data/> in
* Fix bug where SSL/TLS was not required even though the
"require SSL/TLS" preference checked when connecting to servers
that use the older iq-based authentication. (CVE-2009-3026)
Yahoo!/Yahoo! JAPAN:
* Accounts now have "Use account proxy for SSL connections" option.
This option force-overrides the account specific proxy settings for
SSL connections only and instead uses the global proxy configuration.
* Properly detect libpanel on OpenBSD. (Brad Smith)
* Remove IO watches in gnt_quit. (Tomasz Mon)
* Fix the auto-personize functionality in the Buddy List.
* Set the window icon for the media window to an icon corresponding to
the type of call (headphone or webcam).
* Customized sound files are no longer reset whenever opening the
Preferences dialog.
* The buddy list should now immediately refresh upon changing the icon
version 2.6.1 (08/18/2009):
* Fix a crash when some users send you a link in a Yahoo IM
* Fix compilation with GTK+ < 2.6.0
* Fix compilation on Windows
version 2.6.0 (08/18/2009):
* Theme support in libpurple thanks to Justin Rodriguez's summer of code
project, with some minor additions and cleanups from Paul Aurich.
* Voice & Video framework in libpurple, thanks to Mike Ruprecht's summer
of code project in 2008.
* It should no longer be possible to end up with duplicates of buddies
in a group on the buddy list.
* Removed the unmaintained and unneeded toc protocol plugin.
* Fixed NTLM authentication on big-endian systems.
* Various memory cleanups when unloading libpurple. (Nick Hebner and
Stefan Becker)
* Report idle time 'From last message sent' should work properly.
* Better handling of corrupt certificates in the TLS Peers cache.
* More efficient buddy list and conversation search functions.
(Jan Kaluza and Aman Gupta)
* Install scalable versions of the main Pidgin icon, the protocol icons,
the dialog icons, and the Buddy List emblems.
* Build properly on Hurd. (Marc Dequènes)
* Various memory leaks fixed as reported by Josh Mueller.
* Properly handle an IRC buddy appearing in multiple groups.
* Escape HTML entities in usernames when written with the HTML logger.
* Do not display MySpace status changes as incoming IMs. (Mark Doliner
and Justin Williams)
* DNS servers are re-read when DNS queries fail in case the system has
moved to a new network and the old servers are not accessible.
* DNS SRV records with equal priority are sorted with respect to their
weight as specified in RFC 2782. (Vijay Raghunathan)
* Don't do IPv6 address lookups if the computer does not have an IPv6
address configured.
* Fix a leak when the UI provides its own DNS resolving UI op.
(Aman Gupta)
* Don't fork a DNS resolver process to resolve IP addresses.
(Aman Gupta)
* Internationalized Domain Names are supported when libpurple is
compiled against the GNU IDN library.
Environment Variables:
* GnuTLS logging (disabled by default) can be controlled through the
PURPLE_GNUTLS_DEBUG environment variable, which is an integer between
0 and 9 (higher is more verbose). Higher values may reveal sensitive
* PURPLE_VERBOSE_DEBUG environment variable. Currently, this is an "on"
or "off" variable. Set it to any value to turn it on and unset it to
turn it off. This will optionally be used to only show less useful
debug information on an as-needed basis.
* PURPLE_LEAKCHECK_HELP environment variable. Currently, this is an
"on" or "off" variable. Set it to any value to turn it on and unset
it to turn it off. This will be used to perform various actions
that are useful when running libpurple inside of Valgrind or similar
programs. Currently, it keeps plugins in memory, allowing Valgrind
to perform symbol resolution of leak traces at shutdown.
AIM and ICQ:
* Preliminary support for a new authentication scheme called
* Fixed a bug where your away message sometimes would not get set when
you first sign on.
* Make sure links in your away messages show up as links to other
* For ICQ, Never change the privacy setting specified by the user.
* Accounts can specify a server to which to connect.
(Krzysztof "kreez" Tobola)
* Correctly show tooltip status for contacts with status messages.
(Krzysztof "kkszysiu" Klinikowski)
* Support for fetching buddy icons. (Krzysztof "kkszysiu" Klinikowski)
* Support connection progress steps in Gadu-Gadu. (Krzysztof "kkszysiu"
* Add support for receiving handwritten (ink) messages on MSN. (Chris
Stafford, Gal Topper, and Elliott Sales de Andrade)
* Add support for receiving audio clips on MSN. (Chris Stafford, Gal
Topper, and Elliott Sales de Andrade)
* Show the invite message for buddies that requested authorization
from you on MSN.
* Support sending an invite message to buddies when requesting
authorization from them on MSN.
* Timeout switchboard connections after 60 seconds (msn-pecan devs).
* Voice & Video support with Jingle (XEP-0166, 0167, 0176, & 0177),
voice support with GTalk and voice and video support with the GMail
web client. (Mike "Maiku" Ruprecht)
* Added a Service Discovery Browser plugin for Pidgin.
(Andrei Mozzhuhin)
* Support for in-band bytestreams for file transfers (XEP-0047). (Marcus
* Support for sending and receiving attentions (equivalent to "buzz"
and "nudge") using the command /buzz. (XEP-0224)
* Support for connecting using BOSH. (Tobias Markmann)
* A buddy's local time is displayed in the Get Info dialog if the remote
client supports it.
* The set_chat_topic function can unset the chat topic.
* The Ad-Hoc commands associated with our server are now always shown at
* Support showing and reporting idle times in the buddy list. (XEP-0256)
* Support most recent version of User Avatar. (XEP-0084 v1.1)
* Updated Entity Capabilities support. (Tobias Markmann)
* Better support for receiving remote users' nicknames.
* /affiliate and /role will now list the room members with the specified
affiliation/role if possible. (Andrei Mozzhuhin)
* Put section breaks between resources in "Get Info" to improve
* Silently remove invalid XML 1.0 entities (e.g. ASCII control
characters) from sent messages.
* XHTML markup is only included in outgoing messages when the message
contains formatting.
* Show when the user was last logged in when doing "Get Info" on an
offline buddy, provided the server supports it.
* Support custom smileys in MUCs (only when all participants support the
"Bits of Binary" extension, and a maximum of 10 participants are in
the chat to avoid getting too many fetch requests).
* Fix an issue with Jabber (pre-XMPP) servers and the user's preference
to require SSL not being respected.
* Fix an issue where Cyrus SASL DIGEST MD5 authentication might fail if
the username, password, or realm (the JID domain) contain non-ASCII
* Show emblem for mobile, handheld, and web clients and bots (if the
other client supports it).
* Google Talk mail notifications should now work for people for whom
they inexplicably did not. (Thanks to yukam for determining the
* New XMPP and Google Talk accounts require SSL by default.
* Display kicks (and the reasons given) in chat rooms when an occupant
is kicked.
* Fix issues with case-sensitivity of XMPP roster and case-insensitive
Purple groups.
* For contacts who advertise Entity Capabilities, only send rich text
markup if they support it.
* Removed support for obsoleted XEP-0022 (Message Events) and XEP-0091
(Legacy Entity Time).
* When the GNU IDN library (libidn) is available, it is used for
normalization of Jabber IDs. When unavailable, internal routines are
used (as in previous versions).
* Topics that contain '<' followed by a non-whitespace character can now
be set properly.
Yahoo!/Yahoo! JAPAN:
* P2P file transfers. (Sulabh Mahajan)
* Sending text messages (address to +<countrycode><phone number>).
(Sulabh Mahajan)
* Addition of MSN buddies to Yahoo accounts by adding them as
'msn/' is now supported. (Sulabh Mahajan)
* Further fixes for buddy pictures, aliases, etc.
* Yahoo! and Yahoo! JAPAN are now two separate protocol plugins that share
common protocol code. You can now have the same account on both
networks. Accounts should be seamlessly migrated to the new
* Ability to set personal details for an account and for buddies in the
* Added -f command line option to tell Pidgin to ignore NetworkManager
and assume it has a valid network connection.
* Allow plugins to specify custom link types to the GtkIMHtml widget.
* The status message input box at the bottom of the buddy list expands
correctly when starting a new line of text.
* Pressing the Enter key in the message entry box of the New Status
dialog and various other dialogs now causes the cursor to move to
the next line.
* Created a unified Buddy Pounce notification window for all pounces
where "Pop up a notification" is selected, which avoids having a
new dialog box every time a pounce is triggered. (Jorge Villaseñor)
* The New Account dialog is now broken into three tabs. Proxy
configuration has been moved from the Advanced tab to the new tab.
* Dragging a buddy onto a chat pops up a chat-invitation dialog.
(Carlos Bederian)
* The nicks of the persons who leave the chatroom are italicized in the
chat's conversation history. The nicks are un-italicized when they
* Always set unseen-count and unseen-state on conversations.
(Joshua Stein)
* Fix a bug in 'Conversation Colors' plugin for RTL messages.
* Pressing the Left and Right arrow keys in the buddy list will expand and
collapse buddy groups or contacts. (Peter Ruibal)
* Support saving animated custom smileys as animated images or animated
custom smileys. (Andrea Piccinelli)
* Support for keyboard navigation on the status icon. (Li Yuan)
* IMG tags without 'id' attributes are turned into links to the image URL.
(Dmitry Petroff)
* Draw the user's buddy icon at the bottom of the Buddy List with rounded
corners for visual consistency with the actual icons in the Buddy List.
(Kosta Arvanitis)
* When file transfers are complete, the received file name written to the
conversation window is now linked to the file.
* Fix a crash when closing a conversation tab that has unread messages
when the Message Notification plugin is loaded.
* Fix a crash when closing the New Mail dialog if an account with new
mail was previously disconnected while the dialog was open.
* Fix incorrect unread message counts for the new mail notifications.
* Do not lose unread messages with a hidden conversation window when
new IM conversations are hidden and "Close IMs immediately when the tab
is closed" is unset.
* The hardware cursor is updated correctly. This will be useful
especially for users of braille terminals, screen readers etc.
* Added a TinyURL plugin, which aids copying longer URLs.
* Fixed UTF-8 compatibility problems which could cause exits or other
unrequested behaviour.
Pidgin GTK+ Theme Control Plugin:
* Removed mouse cursor color preferences.
* Added "Typing Notification Color" preference.
* Added "Disable Typing Notification Text" preference.
* Preferences have been reorganized into three tabs for Colors, Fonts, and
Miscellaneous categories.
version 2.5.9 (08/18/2009):
* Fix a crash via a specially crafted MSN message (CVE-2009-2694,
thanks to Core Security Technologies for discovering this and
notifying us privately before announcing it).
* Fix a crash in Bonjour, MSN, and XMPP when trying to transfer files with
NULL names.
version 2.5.8 (06/27/2009):
* Fix misparsing a web message as an SMS message. (Yuriy Kaminskiy)
* Increase NS command history size to prevent crashes on buddy lists that
have a lot of buddies on other networks like Yahoo!.
* Accounts with empty buddy lists are now properly marked as connected.
* Fix receiving messages from users of MySpace's web IM client.
* Fixed phantom online buddies. They should now properly disappear when
signing out.
* Fixed the crashes some users were seeing with in
* Fixed compiling on systems with glib 2.4.x or older.
* Fixed an issue with file transfers. This may not resolve all issues,
but it should resolve at least some of the most common ones.
* The pager server will automatically update to if the
user empties the field or if it is This should ease
the pain of transition to the new login method.
* Fix an incompatibility betweeen Prosody and libpurple clients.
version 2.5.7 (06/20/2009):
* Yahoo Protocol 16 support, including new HTTPS login method; this should
fix a number of login problems that have recently cropped up. (Sulabh
Mahajan, Mike "Maiku" Ruprecht)
* Only display the AIM "Unable to Retrieve Buddy List" message once per
connection. (Rob Taft)
* Blocking MSN users not on your buddy list no longer disconnects you.
* When performing operations on MSN, assume users are on the MSN/Passport
network if we don't get network ID's for them.
version 2.5.6 (05/19/2009):
* Improve sleep behavior by aggregation of longer timeouts on second
boundaries to allow better power saving. (Arunan Balasubramaniam)
* Fix various crashes on exit.
* Make XML parsing more resilient to interactions with other libraries.
This, along with the fix for libxml2 bug 564217, fixes the crashes
on connect in XMPP with recent gst-plugins-bad (see #8830 for details).
* Many security related fixes.
* Correctly handle WHOIS for users who are joined to a large number of
* Notify the user if a /nick command fails, rather than trying
fallback nicks.
* Fix a race condition causing occasional Pidgin crashes.
* Fix some errors about the friendly name changing too fast caused
by MSN/Yahoo integration buddies.
* Less likely to pop up a new conversation window in disregard of
the "Hide new IM conversations" preference.
* Fix a crash when sending very long messages.
* Fix a bug where UTF-8 status messages get garbled when going idle.
version 2.5.5 (03/01/2009):
* Fix a crash when removing an account with an unknown protocol id.
* Beta support for SSL connections for AIM and ICQ accounts. To
enable, check the "Use SSL" option from the Advanced tab when
editing your AIM or ICQ account. (Paul Aurich)
* Fix a memory leak in SILC. (Luke Petre)
* Fix some string handling in the SIMPLE prpl, which fixes some buddy name
handling and other issues. (Paul Aurich, Marcus Sundberg)
* Implement support for resolving DNS via the SOCKS4 proxy (SOCKS4a).
* Fix retrieval of status messages from users of ICQ 6.x, Miranda, and
other libpurple clients. (Daniel Ljungborg)
* Change client ID to match ICQ Basic 14.34.3096. This fixes publishing
of buddy icons and available messages.
* Properly publish status messages for statuses other than Available.
ICQ 6.x users can now see these status messages. (Daniel Ljungborg)
* Fix receipt of messages from the mobile client Slick. (David Jedelsky)
* Fix transfer of buddy icons, custom smileys, and files from the
latest Windows Live Messenger 9 official client. (Thomas
* Large (multi-part) messages are now correctly re-combined.
* Federated/Yahoo! buddies should now stop creating sync issues at
every signin. You may need to remove duplicates in the Address
Book. See the FAQ for more information. Thanks to Jason Lingohr
for lots of debugging and testing.
* Messages from Yahoo! buddies are no longer silently dropped.
* We now save and use the CacheKey for ABCH SOAP requests.
* Don't try to parse Personal Status Messages or Current Media if they
don't exist.
* Convert from ISO-8859-1 encoding to UTF-8 when no charset is specified
on incoming messages. This should fix some issues with messages from
older clients.
* Force sending the font "Segoe UI" if outgoing formatting doesn't specify
a font already.
* Queue callbacks when token updates are in progress to prevent two token
update attempts from trampling each other.
* Fixed a crash on Windows when removing a buddy's alias.
* Update the Address Book when buddies' friendly names change. This
prevents seeing an outdated alias or not seeing an alias at all for
buddies who are offline when you sign in.
* Update tokens for FindMembership and ABFindAll SOAP requests.
* We no longer try to send empty messages. This could happen when a
message contained only formatting and that formatting was not supported
on MSN.
* Buddies on both the Allow and Block list are now automatically
removed from the Allow list. Users with this problem will now no
longer receive an ADL 241 error. The problematic buddy should now
appear on the buddy list and can be removed or unblocked as desired.
* Resources using __HOSTNAME__ substitution will now grab only the short
hostname instead of the FQDN on systems which put the FQDN in the
hostname. (Matěj Cepl)
* No longer send a 'to' attribute on an outgoing stanza when we haven't
received one. This fixes a registration bug as described in ticket
* Tooltip windows now appear below the mouse cursor. (Kosta Arvanitis)
* Tooltip windows now disappear on keypress events. (Kosta Arvanitis)
* Tooltip windows no longer linger when scrolling the buddy list. (Kosta
* Allow rebinding keys to change the focused widget (details in the
man-page, look for GntBox::binding)
version 2.5.4 (01/12/2009):
* Fix a connection timeout with empty Gadu-Gady buddy lists. (Martin
* Don't ignore namespace information when parsing XMPP data. (Michal
* Fix a crash that occurred when retrieving certain Offline Messages
on MSN.
* Extended purple-url-handler to handle "gtalk" URI's. (Paul Aurich)
* Fix the hang on exit in Network Location Awareness for Windows XP
and Windows Vista. (Paul Aurich)
* Change Contact Server to temporarily fix connection problems.
(Thanks to Youness Alaoui)
* Support for XEP-0191 blocking. (Vijay Raghunathan)
* Don't put SASL PLAIN or IQ Auth passwords in debug logs. (Paul Aurich)
* Fix removal of avatars (both PEP and vCard), we weren't removing
them correctly before. (Paul Aurich)
* Fix a crash in the Add Account dialog when changing protocols under
certain circumstances.
* Redirect stderr outputs to the debug window.
* Fix rebinding actions with the arrow-keys and tab.
version 2.5.3 (12/20/2008):
* The Buddy State Notification plugin no longer prints duplicate
notifications when the same buddy is in multiple groups. (Florian
* The Buddy State Notification plugin no longer turns JID's, MSN
Passport ID's, etc. into links. (Florian Quèze)
* purple-remote now has a "getstatusmessage" command to retrieve
the text of the current status message.
* Various fixes to the nullprpl. (Paul Aurich)
* Fix a crash when accessing the roomlist for an account that's not
connected. (Paul Aurich)
* Fix a crash in purple_accounts_delete that happens when this
function is called before the buddy list is initialized.
(Florian Quèze)
* Fix use of av_len in perl bindings to fix some off-by-one bugs
(Paul Aurich)
* On ICQ, advertise the ICQ 6 typing capability. This should fix
the reports of typing notifications not working with third-party
clients. (Jaromír Karmazín)
* Many QQ fixes and improvements, including the ability to connect
using QQ2008 protocol and sending/receiving of long messages.
The recommended version to use is still QQ2005.
* Fix a crash with DNS SRV lookups. (Florian Quèze)
* Fix a crash caused by authorization requests. (Florian Quèze)
* Add support for IM images. (Tomasz Sałaciński, Adam Strzelecki)
* Gadu-Gadu now checks that UID's are valid. (Adam Strzelecki)
* Gadu-Gadu now does proper charset translations where needed. (Adam
* Fix an error with offline messages by shipping the *new*
"Microsoft Secure Server Authority" and the "Microsoft Internet
Authority" certificates. These are now always installed even when
using --with-system-ssl-certs because most systems don't ship
those intermediate certificates.
* The Games and Office media can now be set and displayed (in
addition to the previous Music media). The Media status text now
shows the album, if possible.
* Messages sent from a mobile device while you were offline are now
correctly received.
* Server transfers after you've been connected for a long time
should now be handled correctly.
* Many improvements to handling of "federated" buddies, such as those
on the Yahoo network.
* Several known crashes have been resolved.
* Many other fixes and code cleanup.
* Respect your privacy settings set using the official MySpace client.
* Add support for blocking buddies.
* Fix a bug where buddies didn't appear in their correct groups the
first time you sign into your account.
* Properly disconnect and sign out of the service when logging off.
* Support for foreground and background font colors in outgoing IMs.
* Support for background font colors in incoming IMs.
* Many other fixes and code cleanup.
* Fix insanely long idle times for Sametime 7.5 buddies by a