In a new record for the longest version number, we have released Adium 18.104.22.168b1, available from here. This release includes libpurple 2.12.0 to fix CVE-2017-2640, a heap buffer overflow when removing HTML markup. We have determined that this vulnerability is only exposed by the GaduGadu protocol, as this is the only protocol where the relevant function is used with untrusted input. The impact appears to be limited to a denial of service (causing Adium to crash) by writing to an invalid memory location. Users only using other protocols are unaffected. Users not yet ready to update are advised to disable their GaduGadu accounts until 22.214.171.124 is released.
In this release we have also had to remove support for a number of protocols which were known to not work anymore: MSN, Yahoo, Facebook Chat and MySpace. If you had one of these accounts they will disappear from Adium, but any chat logs you had will remain available. While some third-party Pidgin plugins exist for the new generation of some of these protocols, we currently have no plans of including those in Adium.
This release is currently not available as an auto-update, as our latest beta release is 1.5.11b3, which will not update to a lower version number. Anyone willing to try it can download it from the link above. Please report any issues you find on our bug tracker, as we hope to release 126.96.36.199 soon.