Adium

Archive for 2017

Adium 1.5.10.3b1

Saturday, March 25th, 2017

In a new record for the longest version number, we have released Adium 1.5.10.3b1, available from here. This release includes libpurple 2.12.0 to fix CVE-2017-2640, a heap buffer overflow when removing HTML markup. We have determined that this vulnerability is only exposed by the GaduGadu protocol, as this is the only protocol where the relevant function is used with untrusted input. The impact appears to be limited to a denial of service (causing Adium to crash) by writing to an invalid memory location. Users only using other protocols are unaffected. Users not yet ready to update are advised to disable their GaduGadu accounts until 1.5.10.3 is released.

In this release we have also had to remove support for a number of protocols which were known to not work anymore: MSN, Yahoo, Facebook Chat and MySpace. If you had one of these accounts they will disappear from Adium, but any chat logs you had will remain available. While some third-party Pidgin plugins exist for the new generation of some of these protocols, we currently have no plans of including those in Adium.

This release is currently not available as an auto-update, as our latest beta release is 1.5.11b3, which will not update to a lower version number. Anyone willing to try it can download it from the link above. Please report any issues you find on our bug tracker, as we hope to release 1.5.10.3 soon.