version 2.6.5 (01/08/2010):
libpurple:
* TLS certificates are actually stored to the local cache once again
(accepting a name mismatch on a certificate should now be remembered)
General:
* Build-time fixes for Solaris. (Paul Townsend)
AIM and ICQ:
* Messages from some mobile clients are no longer displayed as
Chinese characters (broken in 2.6.4)
MSN:
* Fix an issue allowing a remote user to download arbitrary files from
a libpurple client. (CVE-2010-0013)
XMPP:
* Do not crash when attempting to register for a new account on Windows.
* Fix file transfer with clients that do not support Entity Capabilities
(e.g. Spark)

version 2.6.6 (02/18/2010):
libpurple:
* Fix 'make check' on OS X. (David Fang)
* Fix a quirk in purple_markup_html_to_xhtml that caused some messages
to be improperly converted to XHTML.
* Set "controlling-mode" correctly when initializing a media session.
Fixes receiving voice calls from Psi.
* When looking up DNS records, use the type of record returned by the
server (instead of the type we asked for) to determine how to process
the record.
* Fix an issue with parsing XML attributes that contain "<br>".
See ChangeLog.API for more details.
General:
* Correctly disable all missing dependencies when using the
--disable-missing-dependencies option. (Gabriel Schulhof)
Gadu-Gadu:
* Fix display of avatars after a server-side change. (Krzysztof
Klinikowski)
AIM:
* Allow setting and displaying icons between 1x1 and 100x100 pixels.
Previously only icons between 48x48 and 50x50 were allowed.
MSN:
* Fix CVE-2010-0277, a possible remote crash when parsing an incoming
SLP message. (Discovered by Fabian Yamaguchi)
* File transfer requests will no longer cause a crash if you delete the
file before the other side accepts.
* Received files will no longer hold an extra lock after completion,
meaning they can be moved or deleted without complaints from your OS.
* Buddies who sign in from a second location will no longer cause an
unnecessary chat window to open.
* Support setting an animated GIF as a buddy icon.
* Numerous code cleanups and memory savings.
MySpace:
* Fix a leak and crash when retrieving buddy icons.
XMPP:
* Less likely to send messages to a contact's idle/inactive resource.
Previously, if a message was received from a specific resource,
responses would be sent to that resource until either it went offline
or a message was received from another resource. Now, messages are sent
to the bare JID upon receipt of any presence change from the contact.
* Added support for the SCRAM-SHA-1 SASL mechanism. This is only
available when built without Cyrus SASL support.
* When getting info on a domain-only (server) JID, show uptime
(when given by the result of the "last query") and don't show status as
offline.
* Fix getting info on your own JID.
* Wrap XHTML messages in <p>, as described in XEP-0071, for compatibility
with some clients.
* Don't do an SRV lookup for a STUN server associated with the account
if one is already set globally in prefs.
* Don't send custom smileys larger than the recommended maximum object size
specified in the BoB XEP. This prevents a client from being
disconnected by servers that dislike overly-large stanzas.
* Fix receiving messages without markup over an Openfire BOSH connection
(forcibly put the stanzas in the jabber:client namespace).
* The default value for the file transfer proxies is automatically
updated when an account connects, if it is still the old (broken)
default (from 'proxy.jabber.org' to 'proxy.eu.jabber.org').
* Fix an issue where libpurple created duplicate buddies if the roster
contains a buddy in two groups that differ only by case
(e.g. "XMPP" and "xmpp") (or not at all).
Yahoo:
* Don't send <span> and </span> tags. (Fartash Faghri)
* Support PingBox. PingBoxes will appear as pbx/PingBoxName. (Kartik
Mohta)
Pidgin:
* Fix CVE-2010-0423, a denial of service attack due to the parsing
of large numbers of smileys. (Discovered by Antti Hayrynen)
* Correctly size conversation and status box entries when the
interior-focus style property is disabled. (Gabriel Schulhof)
* Correctly handle a multiline text field being required in a
request form. (Thanks to Florian Zeitz for finding this problem)
* Search friends by email-addresses in the buddy list. (Luoh Ren-Shan)
* Allow dropping an image on Custom Smiley window to add a new one.
* Prompt for confirmation when clearing a whiteboard (doodle) session.
(Kartik Mohta)
* Use the "hand" cursor when hovering over usernames in chat history to
indicate that the username is an actionable item.
* Double-clicking usernames in chat history will open an IM with that
user.
* Put an icon on the "Filter" button in the debug window.
* Don't treat "/messages/like/this " as commands.
* Explicitly mark user interaction when inserting smilies from the
toolbar so "Undo" correctly removes these smilies.
* Clicking "New" or "Saved" in the status selector menu while typing a
status message no longer keeps the status entry area stuck in "typing"
mode forever.
* Show tooltips for ellipsized conversation tabs. On older systems,
tooltips will show for all tabs.
* The File Transfers and Debug Window windows are no longer created as
dialogs. These windows should now have minimize buttons in many
environments in which they were previously missing (including Windows).
* Smiley themes with Windows line endings no longer cause theme
descriptions not to be displayed in the theme selector.
Finch:
* Fix CVE-2010-0420, a possible remote crash when handling chat room
buddy names.
* Rebindable 'move-first' and 'move-last' actions for tree widgets. So
it is possible to jump to the first or last entry in the buddy list
(and other such lists) by pressing home or end key (defaults)
respectively.

version 2.7.0 (05/12/2010):
* Updated GTK+ to 2.16.6
* Private GTK+ Runtime now used (GTK+ Installer no longer supported)
* Minimum required GTK+ version increased to 2.14.7
* Win9x no longer supported.
* Crash Report files (pidgin.RPT) are now generated in the ~/.purple
directory instead of the installation directory.
* NSS SSL Library upgraded to 3.12.5 (thanks to Berke Viktor)
* GtkSpell upgraded to 2.0.16, changing the spellchecking backend to
enchant. This means that myspell and hunspell (OpenOffice)
dictionaries can be used (previous versions' aspell dictionaries
will not work).

version 2.7.1 (05/30/2010)
* General
o Build fixes on OpenSolaris. (Brian Lu)
o Add configure option --enable-trayicon-compat which installs tray icons into directories that are compatible with older versions of hicolor-icon-theme (0.9).
* Pidgin
o Restore the tray icon's blinking functionality.
o Fix a crash setting moods when an account is disconnected.
* Bonjour
o Fix a crash on disconnect.
* ICQ
o Fix bug that caused HTML to be displayed in incoming messages.
* MSN
o Fix unnecessary bandwidth consumption for buddy icon requests when buddies have capital letters in their passport addresses.
o Support for direct connections, enabling faster file transfers, smiley and buddy icon loading. (Gábor Szuromi)
* XMPP
o Allow connecting to servers that advertise EXTERNAL (broken in 2.7.0)
* MXit
o Replace the MXit-specific mood management with the new standard Moods API.
o Add the standard MXit emoticons.
o Improve the handling of users being kicked from MultiMX rooms.
o MXit doesn't allow you to see your buddy's Email Address or Title, so remove those two fields from the "Buddy Information" page.
o Show buddy's Registration Country in their profile.
o Increment protocol version to v6.0
o If an invite you sent was rejected with a reason, display that message in the buddy tooltip.
o CAPTCHA value is a required field during account activation. (Resolves issue on Maemo)
o When your avatar image is changed, don't forget the user's profile information.
* Windows-Specific Changes
o Fix a regression introduced in 2.7.0 that caused Window Flashing not to work.

version 2.7.3 (08/10/2010)
* General
o Use silent build rules for automake >1.11. You can enable verbose builds with the --disable-silent-rules configure option, or using make V=1.
* libpurple
o Fix the TURN server settings (broken in 2.7.0).
* Pidgin
o Re-focus the input area after clicking the attention toolbar button.
o Re-arrange media window to make it more netbook-friendly.
* Finch
o Rebindable 'suggest-next-page' and 'suggest-prev-page' actions for textboxes (GntEntry) to scroll through list of suggestions.
o Rebindable 'dropdown' action for comboboxes (GntComboBox) to show the dropdown list of options.
* IRC
o Fix non-ASCII arguments to /mode et al. (thanks to Max Ulidtko)
* MSN
o Support for web-based buddy icons, used when a buddy logs in to the messenger on the Live website.
o Fix file transfers with some clients that don't support direct connections (e.g., papyon, telepathy-butterfly, etc.) (#12150)
* MXit
o Fix filename for the Shocked emoticon. (#12364)
o Implement the new naming conventions where possible. (MXitId, etc)
o Display a message in the Groupchat window when you invite somebody.
o Birthday field in profile cannot be edited when server says it is locked.
o If a buddy is offline, show in their profile when last they were online.
o Handle pushed profile update packets (ie, when changing your avatar via the Gallery bot).
o If a buddy is offline and we see from their profile that they have updated their avatar, request the new avatar image from the server.
o Fix a possible crash if a link is clicked while disconnected.
o Unescape any escaped characters in a chatroom nickname.
o Add the new MXit moods and emoticons.
o MXit emoticons added to the small emoticon theme.
* XMPP
o Allow connecting to servers that only advertise GSSAPI and expect a fallback to legacy IQ authentication (broken in 2.7.0).
o Fix a crash when receiving custom emoticons that don't adhere to the specification.
o When initiating a file transfer, don't show resources that are certain to not support file transfers in the resource selection dialog.
o Fix connecting to servers using BOSH and authenticating with DIGEST-MD5 when libpurple was built with Cyrus SASL support.
* Yahoo/Yahoo JAPAN
o Renamed "Use account proxy for SSL connections" to "Use account proxy for HTTP and HTTPS requests" and tied the option to HTTP requests too.
o Properly detect HTTP proxy server use when the HTTP proxy is the global proxy server, an account-level non-HTTP proxy server is configured, and the "Use account proxy for HTTP and HTTPS requests" account option is turned off. This fixes connecting for some HTTP proxy servers.
o Fall back to connecting to scsa.msg.yahoo.com (not configurable) if the HTTP-based connect server lookup fails. This does not work for Yahoo JAPAN accounts.
o Fix file transfers that get stuck with "Waiting for transfer to begin".

version 2.7.4 (10/20/2010)
* General:
o Fix search path for Tk when compiling on Debian Squeeze. (#12465)
o purple-remote now expects and produces UTF-8. (Guillaume Brunerie)(#12049)
o Add Deutsche Telekom, Thawte Primary, and Go Daddy Class 2 root CAs (#12667, #12668, and #12594)
o Fix CVE-2010-3711 by properly validating return values from the purple_base64_decode() function before using them.
o Fix two local crash bugs by properly validating return values from the purple_base16_decode() function before using them.
* libpurple:
o Fall back to an ordinary request if a UI does not support showing a request with an icon. Fixes receiving MSN file transfer requests including a thumbnail in Finch. (#12561)
o Fix an invalid memory access when removing UPnP mappings that could cause sporadic crashes, most notably when MSN Direct Connections are enabled. (#12387)
o Add a sentence to the certificate warning for expired certificates suggesting the user check their computer's date and time. (#12654)
* Pidgin:
o Add support for the Gadu-Gadu protocol in the gevolution plugin to provide Evolution integration with contacts with GG IDs. (#10709)
o Remap the "Set User Mood" shortcut to Control-D, which does not conflict with the previous shortcut for Get Buddy Info on the selected buddy.
o Add a plugin action menu (under Tools) for the Voice and Video Settings plugin.
o Use GRegex for the debug window where available. This brings regex filtering to the debug window on Windows. (Eion Robb) (#12601)
o Add Google Chrome to the list of possible browsers on non-Windows systems.
o Add Chromium to the list of possible browsers on non-Windows systems.
o The "Manual" browser option is now stored as a string. It is no longer necessary to specify a full path to the browser command. (Rodrigo Tobar Carrizo) (#12024)
o The Send To menu can now be used if the active account in the conversation becomes disabled or inactive. (Keith Moyer) (#12471)
o xdg-open is now the default browser for new users on non-Windows platforms. (Stanislav Brabec) (#12505)
* Finch:
o Add support for drop-down account options (like the SILC cipher and HMAC options or the QQ protocol version).
* XMPP:
o Unify the connection security-related settings into one dropdown.
o Fix a crash when multiple accounts are simultaneously performing SASL authentication when built with Cyrus SASL support. (thanks to Jan Kaluza) (#11560)
o Restore the ability to connect to XMPP servers that do not offer Stream ID. (#12331)
o Added support for using Google's relay servers when making voice and video calls to Google clients.
o Fix detecting file transfer proxies advertised by the server.
o Advertise support for Google Talk's JID Domain Discovery extension in all cases again (changed in 2.7.0), not just when the domain is "gmail.com" or "googlemail.com" (it's also needed for Google Talk used for accounts on arbitrary domains not using Google Apps for Your Domain). (#a14153)
o Improved handling of adding oneself to your buddy list when using Non-SASL (legacy) authentication. (#12499)
o Generate a connection error instead of just stalling when the _xmppconnect TXT record returns results, but none of them result in a valid BOSH URI. (#a14367, #12744)
* Yahoo/Yahoo JAPAN:
o Stop doing unnecessary lookups of certain alias information. This solves deadlocks when a given Yahoo account has a ridiculously large (>500 buddies) list and may improve login speed for those on slow connections. (#12532)
o Fix sending SMS messages. The lookup host changed on us. (Thanks to todo) (#12688).
o Improvements for some file transfer scenarios, but not all.
* Windows:
o Bonjour support now requires Apple Bonjour Print Services version 2.0.0 or newer (http://support.apple.com/kb/dl999).

version 2.7.5 (10/31/2010)
* General:
o Added Verisign Class 3 Public CA - G2 root CA.
* Pidgin:
o Properly differentiate between bn and bn_IN in the Translation Information dialog.
* AIM and/or ICQ:
o Display the "Authorize buddy?" minidialog when the requestor has an empty nickname. (#12810)
o New ICQ accounts default to proper ICQ servers. Old accounts using one of the old default servers will be silently migrated to use the proper servers.
o ICQ accounts using clientLogin now use the correct ICQ servers. This is separate from the server settings mentioned above.
o '<' should no longer cause ICQ status messages to be truncated in some locations. (#11964, #12593)
o Fix sending messages to chat rooms. (#12768)
* Bonjour:
o Don't crash when attempting to log into a Bonjour account and init failed.
* Windows-Specific Changes:
o Quote the path stored in the registry when the "run at startup" option in the Windows Pidgin Options plugin is used. (#12781)

version 2.7.6 (11/21/2010)
* General:
o Included Microsoft Internet Authority 2010 and Microsoft Secure Server Authority 2010 intermediate CA certificates to our bundle. This fixes the "Unable to validate certificate" error for omega.contacts.msn.com. (#12906)
* Pidgin:
o Avoid a use-after-free race condition in the media code (when there's an error reported by GStreamer). (#12806, Jakub Adam)
* AIM and ICQ:
o SSL option has been changed to a tri-state menu with choices for "Don't Use Encryption", "Use Encryption if Available", and "Require Encryption".
o Fix some possible clientLogin URL issues introduced in version 2.7.5.
o Don't show a "<URL>: Ok" connection error when using clientLogin.
o Cleaned up some debug output for improved readability.
* MSN:
o Added support for MSNP16, including Multiple Points of Presence (MPOP) which allows multiple simultaneous sign-ins. (#8247)
o Added extended capabilities support (none implemented).
o Merged the work done on the Google SoC (major rewrite of SLP code)
o Reworked the data transfer architecture. (SlpArchitecture)
o Lots of little changes.
o Don't process zero-length DC messages. (#12660)
o Fixed a bunch of memory leaks.
o Prevent a use-after-free condition.
* XMPP:
o Avoid a double-free in the Google Relay (V/V) code.
o Avoid double error message when failing a file transfer. (#12757)
o Password-related information is printed out for SASL authentication when the PURPLE_UNSAFE_DEBUG environment variable is set.
o Authentication mechanisms can now be added by UI's or other plugins with some work. This is outside the API/ABI rules! (#12715)
o Fixed a few printf("%s", NULL) crashes for broken OSes.
* Windows-Specific Changes:
o Build the Pidgin Theme Editor plugin (finally).
o Untarring (for themes) now works for non-ASCII destination paths.

version 2.7.10 (02/06/2011)
* General:
o Force video sources to all have the same capabilities. This reduces the number of times video must be scaled down, saving CPU time. (Jakub Adam) (half of #13095)
o Starting multiple video calls and ending one no longer causes the other calls to stop sending audio and video. (Jakub Adam) (#12758, #13237)
o Perl bindings now respect LDFLAGS. (Peter Volkov, Markos Chandras) (#12638)
o Added AddTrust External Root CA. (#11554)
o Resolve some issues validating X.509 certificates signed off the CAcert Class 3 intermediate cert when using the GnuTLS SSL/TLS plugin.
* Gadu-Gadu:
o Don't drop whole messages when text is colored. (Jan Zachorowski) (#13259)
* Groupwise:
o Don't show two windows when using "Get Info" on a buddy. (Gabriel Burt; Novell, Inc.) (#13108)
* IRC:
o Don't send ISON messages longer than 512 bytes. (Jeffrey Honig) (#9692)
* libpurple:
o Stop sending audio when placing a call on hold. (Jakub Adam) (#13032)
o Stop translating gpointers to ints in the dbus API. This removes functions from the dbus API. (The openSUSE Project) (#12507)
o Fix D-Bus introspection calls that omit the interface parameter. (Tom Samstag) (#13073)
o Fixed bugs in purple_str_to_time() that caused the most recent 'make check' failures. (Nader Morshed) (#13131)
o Correct an issue that caused some UIs other than Pidgin or Finch to leave a buddy in the "is typing" state. (Jan Kaluza)
o Fix potential information disclosure issues in the Cipher code. (Julia Lawall)
* Pidgin:
o Support using the Page Up and Page Down keys on the numeric keypad in the conversation window. (Ryan Flegel) (#13127)
o Fix a few memory leaks. (Nader Morshed) (#13162)
o Support rendering strikethrough when received as in-line CSS. (#13168)
o Editable comboboxes are now more friendly to some GTK+ themes. (Hugo Pereira Da Costa) (#13164).
* Plugins:
o The Voice/Video Settings plugin no longer resets selected devices to defaults. (Jakub Adam) (#13044)
o The Voice/Video Settings plugin no longer crashes when a stored device name is not found in the list of available devices. (Jakub Adam) (#13238)
o The Autoaccept plugin now allows disabling filename escaping. (Rok Mandeljc) (half of #11459)
o The Autoaccept plugin now allows choosing Reject/Ask/Accept for non-buddies. (Rok Mandeljc) (half of #11459)
* QQ:
o QQ2008 is now the default protocol version. (Michael Terry) (#11635)
* XMPP:
o Don't crash when receiving an unexpected/invalid jingle transport type. (Nikita Kozlov) (#13136)
o Handle Connection: Close headers for BOSH, when the server does not terminate the connection itself. (#13008)
o Improved parsing for DIGEST-MD5, which should resolve issues connecting to some jabberd2 servers. This corrects an issue parsing one-character or empty elements. (Noa Resare) (#a14514)
* Yahoo!/Yahoo! JAPAN:
o Fix a crash when an account disconnects before a p2p session is completely set up. (Jan Kaluza) (#12432)

version 2.7.11 (03/10/2011)
* General:
o Our bundled libgadu should now build on HP-UX.
o Fix some instances of file transfers never completing. (Cristi Posoiu) (#12472)
* Pidgin:
o Sort by Status no longer causes buddies to move around when you click them.
o Fix embedding in the system tray on older GTK+ releases (such as on CentOS 5.5 and older Fedora).
o No longer require libstartup-notification for startup notification support. GTK+ has included support for years, so use it instead. (David Benjamin) (#13245)
* AIM:
o Fix a bug where some buddies from your buddy list might not show up. Affected non-English ICQ users the most. (#13386)
o Send keepalives for all types of network connections. Will hopefully make chat rooms more reliable. (#1449)
* MSN:
o Fix bug that prevented adding buddies to your buddy list in certain circumstances. (#13298)
* XMPP:
o Fix building on platforms with an older glib (inadvertently broken in 2.7.10). (#13329)
o Don't treat the on-join status storms as 'new arrivals'. (Thijs Alkemade) (#a14527)
o Extend the /join command to support room JIDs, enabling you to join a room on any server. (Solarius, Matěj Cepl, Tirtha 'wyuka' Chatterjee) (#4526)
o Add support for receiving a limited amount of history when joining a room (not currently supported by Pidgin and Finch). (Thijs Alkemade) (#10986, #a14219)
* Yahoo!/Yahoo! JAPAN:
o Fix CVE-2011-1091, denials of service caused by NULL pointer dereferences due to improper handling of malformed YMSG packets. Thanks to Marius Wachtler for reporting this and reviewing the fix!

General:
Implement simple silence suppression for voice calls, preventing wasted bandwidth for silent periods during a call. (Jakub Adam) (half of #13180)
Added the DigiCert High Assurance CA-3 intermediate CA, needed for validation of the Facebook XMPP interface's certificate.
Removed the QQ protocol plugin. It hasn't worked in a long time and isn't being maintained, therefore we no longer want it.
Pidgin:
Duplicate code cleanup. (Gabriel Schulhof) (#10599)
Voice/Video call window adapts correctly to adding or removing streams on the fly. (Jakub Adam) (half of #13535)
Don't cancel an ongoing call when rejecting the addition of a stream to the existing call. (Jakub Adam) (#13537)
Pidgin plugins can now override tab completion and detect clicks on usernames in the chat userlist. (kawaii.neko) (#12599)
Fix the tooltip being destroyed when it is full of information and covers the mouse. (dliang) (#10510)
libpurple:
media: Allow obtaining active local and remote candidates. (Jakub Adam) (#11830)
media: Allow getting/setting video capabilities. (Jakub Adam) (half of #13095)
Simple Silence Suppression is optional per-account. (Jakub Adam) (half of #13180)
Fix purple-url-handler being unable to find an account.
media: Allow adding/removing streams on the fly. (Jakub Adam) (half of #13535)
Support new connection states in NetworkManager 0.9. (Dan Williams) (#13505)
When removing a buddy, delete the pounces associated with it. (Kartik Mohta) (#1131)
media: Allow libpurple and plugins to set SDES properties for RTP conferences. (Jakub Adam) (#12981)
proxy: Add new "Tor/Privacy" proxy type that can be used to restrict operations that could leak potentially sensitive data (e.g. DNS queries). (#11110, #13928)
media: Add support for using TCP relaying with TURN (will only work with libnice 0.1.0 and later).
AIM:
Fix setting icons with dimensions greater than 64x64 pixels by scaling them down to at most 64x64. (#12874, #13165)
Gadu-Gadu:
Allow showing your status only to buddies. (Mateusz Piękos) (#13358)
Updated internal libgadu to version 1.10.1. (Robert Matusewicz, Krzysztof Klinikowski) (#13525)
Updated internal libgadu to version 1.11.0. (Tomasz Wasilczyk) (#14248)
Suppress blank messages that happen when receiving inline images. (Tomasz Wasilczyk) (#13554)
Fix sending inline images to remote users, don't crash when trying to send large (> 256kB) images. (Tomasz Wasilczyk) (#13580)
Support typing notifications. (Jan Zachorowski, Tomasz Wasilczyk, Krzysztof Klinikowski) (#13362, #13590)
Require libgadu 1.11.0 to avoid using internal libgadu.
Optional SSL connection support for GNUTLS users (not on Windows yet!). (Tomasz Wasilczyk) (#13613, #13894)
Don't count received messages or statuses when determining whether to send a keepalive packet. (Jan Zachorowski) (#13699)
Fix a crash when receiving images on Windows or an incorrect timestamp in the log when receiving images on Linux. (Tomasz Wasilczyk) (#10268)
Support XML events, resulting in immediate update of other users' buddy icons. (Tomasz Wasilczyk) (#13739)
Accept poorly formatted URLs from other third-party clients in the same manner as the official client. (Tomasz Wasilczyk) (#13886)
ICQ:
Fix setting icons with dimensions greater than 64x64 pixels by scaling them down to at most 64x64. (#12874, #13165)
Fix unsetting your mood when "None" is selected. (Dustin Gathmann) (#11895)
Ignore Daylight Saving Time when performing calculations related to birthdays. (Dustin Gathmann) (#13533)
It is now possible to specify multiple encodings on the Advanced tab of an ICQ account's settings by using a comma-delimited list. (Dmitry Utkin) (#13496)
IRC:
Add "authserv" service command. (tomos) (#13337)
MSN:
Fix a hard-to-exploit crash in the MSN protocol when using the HTTP connection method (Reported by Marius Wachtler).
MXit:
Support for an Invite Message when adding a buddy.
Fixed bug in splitting-up of messages that contain a lot of links.
Fixed crash caused by timer not being disabled on disconnect. (introduced in 2.7.11)
Clearing of the conversation window now works.
When receiving an invite you can display the sender's profile information, avatar image, invite message.
The Change PIN option was moved into separate action.
New profile attributes added and shown.
Update to protocol v6.3.
Added the ability to view and invite your Suggested Friends, and to search for contacts.
Also display the Status Message of offline contacts in their profile information.
XMPP:
Remember the previously entered user directory when searching. (Keith Moyer) (#12451)
Correctly handle a buddy's unsetting his/her vCard-based avatar. (Matthew W.S. Bell) (#13370)
Squash one more situation that resulted in duplicate entries in the roster (this one where the server reports the buddy as being in the same (empty) group). (Reported by Danny Mayer)
Plugins:
The Voice/Video Settings plugin now includes the ability to test microphone settings. (Jakub Adam) (#13182)
Fix a crash when handling some saved settings in the Voice/Video Settings plugin. (Pat Erley) (#13290, #13774)
Windows-Specific Changes:
Fix building libpurple with Visual C++ .NET 2005. This was accidentally broken in 2.7.11. (Florian Quèze)
Build internal libgadu using packed structs, fixing several long-standing Gadu-Gadu issues. (#11958, #6297)

version 2.9.0 (06/23/2011)
Pidgin
Fix a potential remote denial-of-service bug related to displaying buddy icons.
Significantly improved performance of larger IRC channels (regression introduced in 2.8.0).
Fix Conversation->Add on AIM and MSN.
Entries in the chat user list are sorted properly again. This was inadvertently broken in 2.8.0.
Finch
Fix logging in to ICQ.
libpurple
media: Actually use the specified TCP port from the TURN configuration to create a TCP relay candidate.
AIM and ICQ
Fix crashes on some non-mainstream OSes when attempting to printf("%s", NULL). (Clemens Huebner) (#14297)
Plugins
The Evolution Integration plugin compiles again.

version 2.10.0 (08/18/2011):
Pidgin:
* Make the max size of incoming smileys a pref instead of hardcoding it.
(Quentin Brandon) (#5231)
* Added a plugin information dialog to show information for plugins
that aren't otherwise visible in the plugins dialog.
* Fix building with GTK+ earlier than 2.14.0 (GTK+ 2.10 is still the
minimum supported) (#14261)
libpurple:
* Fix a potential crash in the Log Reader plugin when reading QIP logs.
* Fix a large number of strcpy() and strcat() invocations to use
strlcpy() and strlcat(), etc., forestalling an entire class of
string buffer overrun bugs.
(The Electronic Frontier Foundation, Dan Auerbach, Chris Palmer,
Jacob Appelbaum)
* Change some filename manipulations in filectl.c to use MAXPATHLEN
instead of arbitrary length constants. (The Electronic Frontier
Foundation, Dan Auerbach, Chris Palmer, Jacob Appelbaum)
* Fix endianness-related crash in NTLM authentication (Jon Goldberg)
(#14163)
Gadu-Gadu:
* Fixed searching for buddies in public directory. (Tomasz Wasilczyk)
(#5242)
* Better status message handling. (Tomasz Wasilczyk) (#14314)
* Merged two buddy blocking methods. (Tomasz Wasilczyk) (#5303)
* Fix building of the bundled libgadu library with older versions
of GnuTLS. (patch plucked from upstream) (#14365)
ICQ:
* Fix crash selecting Tools->Set Mood when you're online with an
ICQ account that is configured as an AIM account. (#14437)
IRC:
* Fix a crash when remote users have certain characters in their
nicknames. (Discovered by Djego Ibanez) (#14341)
* Fix the handling of formatting following mIRC ^O (#14436)
* Fix crash when NAMES is empty. (James McLaughlin) (#14518)
MSN:
* Fix incorrect handling of HTTP 100 responses when using the HTTP
connection method. This can lead to a crash. (Discovered by Marius
Wachtler)
* Fix seemingly random crashing. (#14307)
* Fix a crash when the account is disconnected at the time we are doing a
SB request. (Hanzz, ported by shlomif) (#12431)
XMPP:
* Do not generate malformed XML ("</>") when setting an empty mood.
(#14342)
* Fix the /join <room> behavior. (Broken when adding support for
<room>@<server>) (#14205)
Yahoo!/Yahoo! JAPAN:
* Fix coming out of idle while in an unavailable state
* Fix logging into Yahoo! JAPAN. (#14259)
Windows-Specific Changes:
* Open an explorer.exe window at the location of the file when clicking
on a file link instead of executing the file, because executing a file
can be potentially dangerous. (Discovered by James Burton of
Insomnia Security) (Fixed by Eion Robb)

version 2.10.1 (12/06/2011)
Finch:
Fix compilation on OpenBSD.
AIM and ICQ:
Fix remotely-triggerable crashes by validating strings in a few messages related to buddy list management. Thanks to Evgeny Boger for reporting this! (#14682)
Bonjour:
IPv6 fixes (Linus Lüssing)
Gadu-Gadu:
Fix problems linking against GnuTLS. (#14544)
IRC:
Fix a memory leak when admitting UTF-8 text with a non-UTF-8 primary encoding. (#14700)
Jabber:
Fix crashes and memory leaks when receiving malformed voice and video requests. Thanks to Thijs Alkemade for reporting this!
Sametime:
Separate "username" and "server" when adding new Sametime accounts. (#14608)
Fix compilation in Visual C++. (#14608)
SILC:
Fix CVE-2011-3594, by UTF-8 validating incoming messages before passing them to glib or libpurple. Identified by Diego Bauche Madero from IOActive. (#14636)
Yahoo!:
Fetch buddy icons in some cases where we previously weren't. (#13050)
Windows-Specific Changes:
Fix compilation

Alien hatchery
No changes
General
The configure script will now exit with status 1 when specifying invalid protocol plugins using the --with-static-prpls and --with-dynamic-prpls arguments. (Michael Fiedler) (#15316)
libpurple
Fix a crash when receiving UPnP responses with abnormally long values. (CVE-2013-0274)
Don't link directly to libgcrypt when building with GnuTLS support. (Bartosz Brachaczek) (#15329)
Fix UPnP mappings on routers that return empty <URLBase/> elements in their response. (Ferdinand Stehle) (#15373)
Tcl plugin uses saner, race-free plugin loading.
Fix the Tcl signals-test plugin for savedstatus-changed. (Andrew Shadura) (#15443)
Pidgin
Make Pidgin more friendly to non-X11 GTK+, such as MacPorts' +no_x11 variant.
Gadu-Gadu
Fix a crash at startup with large contact list. Avatar support for buddies will be disabled until 3.0.0. (#15226, #14305)
IRC
Support for SASL authentication. (Thijs Alkemade, Andy Spencer) (#13270)
Print topic setter information at channel join. (#13317)
MSN
Fix SSL certificate issue when signing into MSN for some users.
Fix a crash when removing a user before its icon is loaded. (Mark Barfield) (#15217)
MXit
Fix two bugs where a remote MXit user could possibly specify a local file path to be written to. (CVE-2013-0271)
Fix a bug where the MXit server or a man-in-the-middle could potentially send specially crafted data that could overflow a buffer and lead to a crash or remote code execution. (CVE-2013-0272)
Display farewell messages in a different colour to distinguish them from normal messages.
Add support for typing notification.
Add support for the Relationship Status profile attribute.
Remove all reference to Hidden Number.
Ignore new invites to join a GroupChat if you're already joined, or still have a pending invite.
The buddy's name was not centered vertically in the buddy-list if they did not have a status-message or mood set.
Fix decoding of font-size changes in the markup of received messages.
Increase the maximum file size that can be transferred to 1 MB.
When setting an avatar image, no longer downscale it to 96x96.
Sametime
Fix a crash in Sametime when a malicious server sends us an abnormally long user ID. (CVE-2013-0273)
Yahoo!
Fix a double-free in profile/picture loading code. (Mihai Serban) (#15053)
Fix retrieving server-side buddy aliases. (Catalin Salgu) (#15381)
Plugins
The Voice/Video Settings plugin supports using the sndio GStreamer backends. (Brad Smith) (#14414)
Fix a crash in the Contact Availability Detection plugin. (Mark) (#15327)
Make the Message Notification plugin more friendly to non-X11 GTK+, such as MacPorts' +no_x11 variant.
Windows-Specific Changes
Compile with secure flags (Jurre van Bergen) (#15290)
Installer downloads GTK+ Runtime and Debug Symbols more securely. Thanks goes to Jacob Appelbaum of the Tor Project for identifying this issue and suggesting solutions. (#15277)
Updates to a number of dependencies, some of which have security-related fixes. Thanks again to Jacob Appelbaum and Jurre van Bergen for identifying the vulnerable libraries and to Dieter Verfaillie for helping to get the libraries updated. (#14571, #15285, #15286)
ATK 1.32.0-2
Cyrus SASL 2.1.25
expat 2.1.0-1
freetype 2.4.10-1
gettext 0.18.1.1-2
Glib 2.28.8-1
libpng 1.4.12-1
libxml2 2.9.0-1
NSS 3.13.6 and NSPR 4.9.2
Pango 1.29.4-1
SILC 1.1.10
zlib 1.2.5-2
Patch libmeanwhile (sametime library) to fix crash. (Jonathan Rice) (#12637)
General
Python build scripts and example plugins are now compatible with Python 3. (Ashish Gupta) (#15624)
libpurple
Fix potential crash if libpurple gets an error attempting to read a reply from a STUN server. (Discovered by Coverity static analysis) (CVE-2013-6484)
Fix potential crash parsing a malformed HTTP response. (Discovered by Jacob Appelbaum of the Tor Project) (CVE-2013-6479)
Fix buffer overflow when parsing a malformed HTTP response with chunked Transfer-Encoding. (Discovered by Matt Jones, Volvent) (CVE-2013-6485)
Better handling of HTTP proxy responses with negative Content-Lengths. (Discovered by Matt Jones, Volvent)
Fix handling of SSL certificates without subjects when using libnss.
Fix handling of SSL certificates with timestamps in the distant future when using libnss. (#15586)
Impose maximum download size for all HTTP fetches.
Pidgin
Fix crash displaying tooltip of long URLs. (CVE-2013-6478)
Better handling of URLs longer than 1000 letters.
Fix handling of multibyte UTF-8 characters in smiley themes. (#15756)
Windows-Specific Changes
When clicking file:// links, show the file in Explorer rather than attempting to run the file. This reduces the chances of a user clicking on a link and mistakenly running a malicious file. (Originally discovered by James Burton, Insomnia Security. Rediscovered by Yves Younan of Sourcefire VRT.) (CVE-2013-6486)
Fix Tcl scripts. (#15520)
Fix crash-on-startup when ASLR is always on. (#15521)
Updates to dependencies:
NSS 3.15.4 and NSPR 4.10.2
Pango 1.29.4-1daa. Patched for https://bugzilla.gnome.org/show_bug.cgi?id=668154
AIM
Fix untrusted certificate error.
AIM and ICQ
Fix a possible crash when receiving a malformed message in a Direct IM session.
Gadu-Gadu
Fix buffer overflow with remote code execution potential. Only triggerable by a Gadu-Gadu server or a man-in-the-middle. (Discovered by Yves Younan and Ryan Pentney of Sourcefire VRT) (CVE-2013-6487)
Disabled buddy list import/export from/to server (it didn't work anymore). Buddy list synchronization will be implemented in 3.0.0.
Disabled new account registration and password change options, as they didn't work either. Account registration also caused a crash. Both functions are available using the official Gadu-Gadu website.
IRC
Fix bug where a malicious server or man-in-the-middle could trigger a crash by not sending enough arguments with various messages. (Discovered by Daniel Atallah) (CVE-2014-0020)
Fix bug where initial IRC status would not be set correctly.
Fix bug where IRC wasn't available when libpurple was compiled with Cyrus SASL support. (#15517)
MSN
Fix NULL pointer dereference parsing headers in MSN. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen) (CVE-2013-6482)
Fix NULL pointer dereference parsing OIM data in MSN. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen) (CVE-2013-6482)
Fix NULL pointer dereference parsing SOAP data in MSN. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen) (CVE-2013-6482)
Fix possible crash when sending very long messages. Not remotely-triggerable. (Discovered by Matt Jones, Volvent)
MXit
Fix buffer overflow with remote code execution potential. (Discovered by Yves Younan and Pawel Janic of Sourcefire VRT) (CVE-2013-6489)
Fix sporadic crashes that can happen after user is disconnected.
Fix crash when attempting to add a contact via search results.
Show error message if file transfer fails.
Fix compiling with InstantBird.
Fix display of some custom emoticons.
SILC
Correctly set whiteboard dimensions in whiteboard sessions.
SIMPLE
Fix buffer overflow with remote code execution potential. (Discovered by Yves Younan of Sourcefire VRT) (CVE-2013-6490)
XMPP
Prevent spoofing of iq replies by verifying that the 'from' address matches the 'to' address of the iq request. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen, fixed by Thijs Alkemade) (CVE-2013-6483)
Fix crash on some systems when receiving fake delay timestamps with extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477)
Fix possible crash or other erratic behavior when selecting a very small file for your own buddy icon.
Fix crash if the user tries to initiate a voice/video session with a resourceless JID.
Fix login errors when the first two available auth mechanisms fail but a subsequent mechanism would otherwise work when using Cyrus SASL. (#15524)
Fix dropping incoming stanzas on BOSH connections when we receive multiple HTTP responses at once. (Issa Gorissen) (#15684)
Yahoo!
Fix possible crashes handling incoming strings that are not UTF-8. (Discovered by Thijs Alkemade and Robert Vehse) (CVE-2012-6152)
Fix a bug reading a peer to peer message where a remote user could trigger a crash. (CVE-2013-6481)
Plugins
Fix crash in contact availability plugin.
Fix perl function Purple::Network::ip_atoi
Add Unity integration plugin.