It was discovered that libpurple versions prior to 2.7.10 do not properly clear certain data structures used in libpurple/cipher.c prior to freeing. An attacker could potentially extract partial information from memory regions freed by libpurple.

References:
http://pidgin.im/news/security/?id=50

This is fixed in pidgin version 2.7.10.
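The clear-before-free pattern the report describes, as an added example (not libpurple's code and not taken from the fix). The `demo_ctx` struct, the one-slot pool and all function names are hypothetical, and the secrets are constructed fill bytes; the pool stands in for the heap so the released memory can be inspected without reading freed memory.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for a cipher context; not libpurple's real struct. */
struct demo_ctx {
    unsigned char key[32];
    unsigned char state[64];
};

/* One-slot pool standing in for the heap, so "freed" bytes can be
 * inspected without the undefined behaviour of reading after free(). */
static struct demo_ctx slot;
static int slot_busy;

static struct demo_ctx *demo_alloc(void) {
    if (slot_busy) return NULL;
    slot_busy = 1;
    return &slot;
}
static void demo_free(struct demo_ctx *c) { (void)c; slot_busy = 0; }

/* Zero through a volatile pointer so the compiler cannot drop the
 * stores as dead writes, which it may do to memset() before free(). */
static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* "Before" pattern: release the context with its contents intact. */
static void destroy_leaky(struct demo_ctx *c) { demo_free(c); }
/* "After" pattern: clear key and state, then release. */
static void destroy_wiped(struct demo_ctx *c) { wipe(c, sizeof *c); demo_free(c); }
/* Fill a context with constructed secrets, destroy it, and count the
 * secret bytes still present in the released slot. */
static size_t residue_after(void (*destroy)(struct demo_ctx *)) {
    struct demo_ctx *c = demo_alloc();
    size_t i, left = 0;
    if (!c) return (size_t)-1;
    memset(c->key, 0xA5, sizeof c->key);      /* constructed key bytes */
    memset(c->state, 0x5A, sizeof c->state);  /* constructed state bytes */
    destroy(c);
    for (i = 0; i < sizeof slot; i++)
        left += ((const unsigned char *)&slot)[i] != 0;
    return left;
}

int main(void) {
    printf("leaky: %zu bytes left\n", residue_after(destroy_leaky));
    printf("wiped: %zu bytes left\n", residue_after(destroy_wiped));
    return 0;
}
```

Where the platform provides it, `explicit_bzero()` or `memset_s()` can replace the hand-written `wipe()` loop.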
Created pidgin tracking bugs for this issue.
Affects: fedora-all [bug 684120]
CVE Request: [2] http://www.openwall.com/lists/oss-security/2011/03/21/6
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:0616 https://rhn.redhat.com/errata/RHSA-2011-0616.html
A CVE was finally issued (CVE-2011-4922): http://www.openwall.com/lists/oss-security/2012/01/04/13
Statement: The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue in Red Hat Enterprise Linux 4 or 5 (it has been addressed in Red Hat Enterprise Linux 6). For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Pidgin 2.6.6 (shipped with Red Hat Enterprise Linux 4 and 5) is affected by this.