libpurple vulnerabilities / State of the project
Felix Dreissig
f30 at f30.me
Tue Jan 13 23:29:35 UTC 2015
Hi,
on 22 October 2014, Pidgin 2.10.10 was released, fixing several security vulnerabilities. One of those is a arbitrary memory read via XMPP (CVE-2014-3698). I can see no indication that Adium might not be vulnerable to these issues.
The latest release of Adium dates to 19 May 2014 and contains libpurple 2.10.9.
Overall project activity from the outside appears to have diminished: There is some commit activity, but the latest post on this mailing list is from September and even „Hot issues“ from the website like ticket 16834 rarely get someone working on them.
At the same time, Adium still is the common (and only?) solution for OTR on OS X and recommended to crypto novices [1] as well as journalists [2] as an anti-surveillance tool.
Is there any specific reason why development has declined or just the usual lack of time / people? How likely is this situation to persist? Can you name kinds of resources that would improve it and enable the project to get traction again?
Best regards,
Felix
[1] https://www.cryptoparty.in/overview_tools
[2] https://freedom.press/encryption-works
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://adium.im/pipermail/devel_adium.im/attachments/20150114/26fcd378/attachment.sig>
More information about the devel
mailing list