Ian Goldberg iang.ca reports:
www.openwall.com/lists/oss-security/2012/05/16/2

Off-the-Record Messaging (OTR) Security Advisory 2012-01

Format string security flaw in pidgin-otr

Versions 3.2.0 and earlier of the pidgin-otr plugin contain a format string security flaw. This flaw could potentially be exploited by a remote attacker to cause arbitrary code to be executed on the user's machine.

The flaw is in pidgin-otr, not in libotr. Other applications which use libotr are not affected.

CVE-2012-2369 has been assigned to this issue.

The recommended course of action is to upgrade pidgin-otr to version 3.2.1 immediately. The new version can be obtained here:

    Source code:    http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz
    gpg signature:  http://otr.cypherpunks.ca/pidgin-otr-3.2.1.tar.gz.asc
    git repository: git://otr.git.sourceforge.net/gitroot/otr/pidgin-otr (branch 3.2_dev)

Version 4.0.0 (soon to be released) does not suffer from this flaw.

Linux and *BSD vendors and package maintainers have been notified, and updated packages should be available from them.

These are all already in the updates repositories for EL6, F16 and F17.