Version history for Pidgin (Gaim) Portable
Changes for v2.10.11 - v2.11.0
- Fixes many security issues with MXit, an IM protocol of a South African social network.
Changes for v2.10.10 - v2.10.11
- General
- Fix handling of Self-Signed SSL/TLS Certificates when using the NSS plugin (#16412)
- Improve default cipher suites used with the NSS plugin (#16262)
- Add NSS Preferences plugin which allows the SSL/TLS Versions and cipher suites to be configured (#8061)
- Gadu-Gadu
- Fix a bug that prevented the plugin from loading when compiled without GnuTLS. (mancha) (#16431)
- Fix build for platforms without AF_LOCAL definition. (#16404)
- MSN
- Fix broken login due to server change (dx, TReKiE). (#16451, #16455)
- Fail early when buddy list is unavailable instead of wasting bandwidth endlessly re-trying.
Changes for v2.10.9 - v2.10.10
- General
- Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694)
- Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL. (Elrond and Ashish Gupta) (#15909)
- libpurple3 compatibility
- Encrypted account passwords are preserved until the new one is set.
- Fix loading Google Talk and Facebook XMPP accounts.
- Windows-Specific Changes
- Don't allow overwriting arbitrary files on the file system when the user installs a smiley theme via drag-and-drop. (Discovered by Yves Younan of Cisco Talos) (CVE-2014-3697)
- Updates to dependencies: NSS 3.17.1 and NSPR 4.10.7
- Finch
- Fix build against Python 3. (Ed Catmur) (#15969)
- Gadu-Gadu
- Updated internal libgadu to version 1.12.0.
- Groupwise
- Fix potential remote crash parsing server message that indicates that a large amount of memory should be allocated. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3696)
- IRC
- Fix a possible leak of unencrypted data when using /me command with OTR. (Thijs Alkemade) (#15750)
- MXit
- Fix potential remote crash parsing a malformed emoticon response. (Discovered by Yves Younan and Richard Johnson of Cisco Talos) (CVE-2014-3695)
- XMPP
- Fix potential information leak where a malicious XMPP server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory. (Discovered and fixed by Thijs Alkemade and Paul Aurich) (CVE-2014-3698)
- Fix Facebook XMPP roster quirks. (#15041, #15957)
- Yahoo
- Fix login when using the GnuTLS library for TLS connections. (#16172)
Changes for v2.10.8 - v2.10.9
- XMPP: Fix problems logging into some servers including jabber.org and chat.facebook.com. (#15879)
Changes for v2.10.7 - v2.10.8
- General
- Python build scripts and example plugins are now compatible with Python 3. (Ashish Gupta) (#15624)
- libpurple
- Fix potential crash if libpurple gets an error attempting to read a reply from a STUN server. (Discovered by Coverity static analysis) (CVE-2013-6484)
- Fix potential crash parsing a malformed HTTP response. (Discovered by Jacob Appelbaum of the Tor Project) (CVE-2013-6479)
- Fix buffer overflow when parsing a malformed HTTP response with chunked Transfer-Encoding. (Discovered by Matt Jones, Volvent) (CVE-2013-6485)
- Better handling of HTTP proxy responses with negative Content-Lengths. (Discovered by Matt Jones, Volvent)
- Fix handling of SSL certificates without subjects when using libnss.
- Fix handling of SSL certificates with timestamps in the distant future when using libnss. (#15586)
- Impose maximum download size for all HTTP fetches.
- Pidgin
- Fix crash displaying tooltip of long URLs. (CVE-2013-6478)
- Better handling of URLs longer than 1000 letters.
- Fix handling of multibyte UTF-8 characters in smiley themes. (#15756)
- Windows-Specific Changes
- When clicking file:// links, show the file in Explorer rather than attempting to run the file. This reduces the chances of a user clicking on a link and mistakenly running a malicious file. (Originally discovered by James Burton, Insomnia Security. Rediscovered by Yves Younan of Sourcefire VRT.) (CVE-2013-6486)
- Fix Tcl scripts. (#15520)
- Fix crash-on-startup when ASLR is always on. (#15521)
- Updates to dependencies: NSS 3.15.4 and NSPR 4.10.2
- Pango 1.29.4-1daa. Patched for https://bugzilla.gnome.org/show_bug.cgi?id=668154
- AIM
- Fix untrusted certificate error.
- AIM and ICQ
- Fix a possible crash when receiving a malformed message in a Direct IM session.
- Gadu-Gadu
- Fix buffer overflow with remote code execution potential. Only triggerable by a Gadu-Gadu server or a man-in-the-middle. (Discovered by Yves Younan and Ryan Pentney of Sourcefire VRT) (CVE-2013-6487)
- Disabled buddy list import/export from/to server (it didn't work anymore). Buddy list synchronization will be implemented in 3.0.0.
- Disabled new account registration and password change options, as they didn't work either. Account registration also caused a crash. Both functions are available using the official Gadu-Gadu website.
- IRC
- Fix bug where a malicious server or man-in-the-middle could trigger a crash by not sending enough arguments with various messages. (Discovered by Daniel Atallah) (CVE-2014-0020)
- Fix bug where initial IRC status would not be set correctly.
- Fix bug where IRC wasn't available when libpurple was compiled with Cyrus SASL support. (#15517)
- MSN
- Fix NULL pointer dereference parsing headers in MSN. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen) (CVE-2013-6482)
- Fix NULL pointer dereference parsing OIM data in MSN. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen) (CVE-2013-6482)
- Fix NULL pointer dereference parsing SOAP data in MSN. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen) (CVE-2013-6482)
- Fix possible crash when sending very long messages. Not remotely-triggerable. (Discovered by Matt Jones, Volvent)
- MXit
- Fix buffer overflow with remote code execution potential. (Discovered by Yves Younan and Pawel Janic of Sourcefire VRT) (CVE-2013-6489)
- Fix sporadic crashes that can happen after user is disconnected.
- Fix crash when attempting to add a contact via search results.
- Show error message if file transfer fails.
- Fix compiling with InstantBird.
- Fix display of some custom emoticons.
- SILC
- Correctly set whiteboard dimensions in whiteboard sessions.
- SIMPLE
- Fix buffer overflow with remote code execution potential. (Discovered by Yves Younan of Sourcefire VRT) (CVE-2013-6490)
- XMPP
- Prevent spoofing of iq replies by verifying that the 'from' address matches the 'to' address of the iq request. (Discovered by Fabian Yamaguchi and Christian Wressnegger of the University of Goettingen, fixed by Thijs Alkemade) (CVE-2013-6483)
- Fix crash on some systems when receiving fake delay timestamps with extreme values. (Discovered by Jaime Breva Ribes) (CVE-2013-6477)
- Fix possible crash or other erratic behavior when selecting a very small file for your own buddy icon.
- Fix crash if the user tries to initiate a voice/video session with a resourceless JID.
- Fix login errors when the first two available auth mechanisms fail but a subsequent mechanism would otherwise work when using Cyrus SASL. (#15524)
- Fix dropping incoming stanzas on BOSH connections when we receive multiple HTTP responses at once. (Issa Gorissen) (#15684)
- Yahoo!
- Fix possible crashes handling incoming strings that are not UTF-8. (Discovered by Thijs Alkemade and Robert Vehse) (CVE-2012-6152)
- Fix a bug reading a peer to peer message where a remote user could trigger a crash. (CVE-2013-6481)
- Plugins
- Fix crash in contact availability plugin.
- Fix perl function Purple::Network::ip_atoi
- Add Unity integration plugin.
Changes for v2.10.5 - v2.10.6
- Pidgin:
- Fix a bug that requires a triple-click to open a conversation window from the buddy list. (#15199)
Changes for v2.10.4 - v2.10.5
- libpurple: Add support for GNOME3 proxy settings. (Mihai Serban) (#15054)
- Pidgin: Fix a crash that may occur when trying to ignore a user who is not in the current chat room. (#15139)
- MSN: Fix building with MSVC on Windows (broken in 2.10.4). (Florian Quèze)
- MXit: Fix a buffer overflow vulnerability when parsing incoming messages containing inline images. Thanks to Ulf Härnhammar for reporting this! (CVE-2012-3374)
Changes for v2.10.3 - v2.10.4
- General:
- Support building against Farstream in addition to Farsight. (Olivier Crete) (#14936)
- IRC:
- Disable periodic WHO timer. IRC channel user lists will no longer automatically display away status, but libpurple will be much kinder to the network.
- Print unknown numerics to channel windows if we can associate them. Thanks to Marien Zwart. (#15090)
- MSN:
- Fix a possible crash when receiving messages with certain characters or character encodings. Thanks to Fabian Yamaguchi for reporting this!
- XMPP:
- Fix a possible crash when receiving a series of specially crafted file transfer requests. Thanks to José Valentín Gutiérrez for reporting this! (CVE-2012-2214)
- Windows-Specific Changes:
- Words added to spell check dictionaries are saved across restarts of Pidgin (#11886)
Changes for v2.9.0 - v2.10.1
- Finch:
- Fix compilation on OpenBSD.
- AIM and ICQ:
- Fix remotely-triggerable crashes by validating strings in a few messages related to buddy list management. Thanks to Evgeny Boger for reporting this! (#14682)
- Bonjour:
- IPv6 fixes (Linus Lüssing)
- Gadu-Gadu:
- Fix problems linking against GnuTLS. (#14544)
- IRC:
- Fix a memory leak when admitting UTF-8 text with a non-UTF-8 primary encoding. (#14700)
- Jabber:
- Fix crashes and memory leaks when receiving malformed voice and video requests. Thanks to Thijs Alkemade for reporting this!
- Sametime:
- Separate "username" and "server" when adding new Sametime accounts. (#14608)
- Fix compilation in Visual C++. (#14608)
- SILC:
- Fix CVE-2011-3594, by UTF-8 validating incoming messages before passing them to glib or libpurple. Identified by Diego Bauche Madero from IOActive. (#14636)
- Yahoo!:
- Fetch buddy icons in some cases where we previously weren't. (#13050)
- Windows-Specific Changes:
- Fix compilation
Changes for v2.8.0 - v2.9.0
- Pidgin
- Fix a potential remote denial-of-service bug related to displaying buddy icons.
- Significantly improved performance of larger IRC channels (regression introduced in 2.8.0).
- Fix Conversation->Add on AIM and MSN.
- Entries in the chat user list are sorted properly again. This was inadvertently broken in 2.8.0.
- Finch
- Fix logging in to ICQ.
- libpurple
- media: Actually use the specified TCP port from the TURN configuration to create a TCP relay candidate.
- AIM and ICQ
- Fix crashes on some non-mainstream OSes when attempting to printf("%s", NULL). (Clemens Huebner) (#14297)
- Plugins
- The Evolution Integration plugin compiles again.
Changes for v2.7.10 - v2.8.0
- General:
- Implement simple silence suppression for voice calls, preventing wasted bandwidth for silent periods during a call. (Jakub Adam) (half of #13180)
- Added the DigiCert High Assurance CA-3 intermediate CA, needed for validation of the Facebook XMPP interface's certificate.
- Removed the QQ protocol plugin. It hasn't worked in a long time and isn't being maintained, therefore we no longer want it.
- Pidgin:
- Duplicate code cleanup. (Gabriel Schulhof) (#10599)
- Voice/Video call window adapts correctly to adding or removing streams on the fly. (Jakub Adam) (half of #13535)
- Don't cancel an ongoing call when rejecting the addition of a stream to the existing call. (Jakub Adam) (#13537)
- Pidgin plugins can now override tab completion and detect clicks on usernames in the chat userlist. (kawaii.neko) (#12599)
- Fix the tooltip being destroyed when it is full of information and covers the mouse. (dliang) (#10510)
- libpurple:
- media: Allow obtaining active local and remote candidates. (Jakub Adam) (#11830)
- media: Allow getting/setting video capabilities. (Jakub Adam) (half of #13095)
- Simple Silence Suppression is optional per-account. (Jakub Adam) (half of #13180)
- Fix purple-url-handler being unable to find an account.
- media: Allow adding/removing streams on the fly. (Jakub Adam) (half of #13535)
- Support new connection states in NetworkManager 0.9. (Dan Williams) (#13505)
- When removing a buddy, delete the pounces associated with it. (Kartik Mohta) (#1131)
- media: Allow libpurple and plugins to set SDES properties for RTP conferences. (Jakub Adam) (#12981)
- proxy: Add new "Tor/Privacy" proxy type that can be used to restrict operations that could leak potentially sensitive data (e.g. DNS queries). (#11110, #13928)
- media: Add support for using TCP relaying with TURN (will only work with libnice 0.1.0 and later).
- AIM:
- Fix setting icons with dimensions greater than 64x64 pixels by scaling them down to at most 64x64. (#12874, #13165)
- Gadu-Gadu:
- Allow showing your status only to buddies. (Mateusz Piekos) (#13358)
- Updated internal libgadu to version 1.10.1. (Robert Matusewicz, Krzysztof Klinikowski) (#13525)
- Updated internal libgadu to version 1.11.0. (Tomasz Wasilczyk) (#14248)
- Suppress blank messages that happen when receiving inline images. (Tomasz Wasilczyk) (#13554)
- Fix sending inline images to remote users, don't crash when trying to send large (> 256kB) images. (Tomasz Wasilczyk) (#13580)
- Support typing notifications. (Jan Zachorowski, Tomasz Wasilczyk, Krzysztof Klinikowski) (#13362, #13590)
- Require libgadu 1.11.0 to avoid using internal libgadu.
- Optional SSL connection support for GNUTLS users (not on Windows yet!). (Tomasz Wasilczyk) (#13613, #13894)
- Don't count received messages or statuses when determining whether to send a keepalive packet. (Jan Zachorowski) (#13699)
- Fix a crash when receiving images on Windows or an incorrect timestamp in the log when receiving images on Linux. (Tomasz Wasilczyk) (#10268)
- Support XML events, resulting in immediate update of other users' buddy icons. (Tomasz Wasilczyk) (#13739)
- Accept poorly formatted URLs from other third-party clients in the same manner as the official client. (Tomasz Wasilczyk) (#13886)
- ICQ:
- Fix setting icons with dimensions greater than 64x64 pixels by scaling them down to at most 64x64. (#12874, #13165)
- Fix unsetting your mood when "None" is selected. (Dustin Gathmann) (#11895)
- Ignore Daylight Saving Time when performing calculations related to birthdays. (Dustin Gathmann) (#13533)
- It is now possible to specify multiple encodings on the Advanced tab of an ICQ account's settings by using a comma-delimited list. (Dmitry Utkin) (#13496)
- IRC:
- Add "authserv" service command. (tomos) (#13337)
- MSN:
- Fix a hard-to-exploit crash in the MSN protocol when using the HTTP connection method (Reported by Marius Wachtler).
- MXit:
- Support for an Invite Message when adding a buddy.
- Fixed bug in splitting-up of messages that contain a lot of links.
- Fixed crash caused by timer not being disabled on disconnect. (introduced in 2.7.11)
- Clearing of the conversation window now works.
- When receiving an invite you can display the sender's profile information, avatar image, invite message.
- The Change PIN option was moved into separate action.
- New profile attributes added and shown.
- Update to protocol v6.3.
- Added the ability to view and invite your Suggested Friends, and to search for contacts.
- Also display the Status Message of offline contacts in their profile information.
- XMPP:
- Remember the previously entered user directory when searching. (Keith Moyer) (#12451)
- Correctly handle a buddy's unsetting his/her vCard-based avatar. (Matthew W.S. Bell) (#13370)
- Squash one more situation that resulted in duplicate entries in the roster (this one where the server reports the buddy as being in the same (empty) group). (Reported by Danny Mayer)
- Plugins:
- The Voice/Video Settings plugin now includes the ability to test microphone settings. (Jakub Adam) (#13182)
- Fix a crash when handling some saved settings in the Voice/Video Settings plugin. (Pat Erley) (#13290, #13774)
- Windows-Specific Changes:
- Fix building libpurple with Visual C++ .NET 2005. This was accidentally broken in 2.7.11. (Florian Quèze)
- Build internal libgadu using packed structs, fixing several long-standing Gadu-Gadu issues. (#11958, #6297)
Changes for v2.7.8 - v2.7.9
- Fix a crash when receiving short packets related to P2Pv2. (CVE ID pending)
Changes for v2.7.7 - v2.7.8
- General:
- Fix the exceptions in purple-remote on Python 2.6+. (Ari Pollak) (#12151)
- Pidgin:
- When a conversation has reached the maximum limit on the number of smileys, display the text representation of the smiley properly when it contains HTML-escapable characters (e.g. "<3" was previously displayed as "&lt;3").
- Drop dependency on GdkGC and use Cairo instead.
- New UI hack to assist in first-time setup of Facebook accounts with icon from Jakub Szypulka.
- Don't hide the buddy list if there is no notification area in which to put the icon. (#12129)
- libpurple:
- Fix multipart parsing when '=' is included in the boundary for purple_mime_document_parse. (Jakub Adam) (#11598)
- AIM and ICQ:
- Buddies who unset their status message will now be correctly shown without a message in your buddy list. (#12988)
- Gadu-Gadu:
- Updated our bundled libgadu and minimum requirement for external libgadu to 1.9.0. (#12789)
- MSN:
- Stop showing ourselves in the list of endpoints that can be disconnected.
- Allow full-size display names, by not escaping (most) non-English characters. (#8508)
- Fix receiving messages from users on Yahoo and other federated services. (#13022)
- Correctly remove old endpoints from the list when they sign out.
- Add option to disable connections from multiple locations. (#13017)
- Correctly update your own display name in the buddy list. (#13064)
- Correctly show ourselves as offline in the buddy list when going invisible. (#12945)
- Correctly update your own icon in the buddy list. (#12973)
- Remove struct packing for better portability. (#12856)
- XMPP:
- Terminate Jingle sessions with unsupported content types. (#13048)
Changes for v2.7.6 - v2.7.7
- General:
- Allow multiple CA certificates to share the same Distinguished Name (DN). Partially fixes remaining MSN issues from #12906.
- The GNUTLS SSL plugin now discards any certificate (and all subsequent certificates) in a chain if it did not sign the previous certificate. Partially fixes remaining MSN issues from #12906.
- Open requests related to a file transfer are now closed when the request is cancelled locally. (#11666)
- AIM and ICQ:
- AIM should now connect if "Use clientLogin" is turned off and the "Server" field is set to anything other than "login.oscar.aol.com" or "slogin.oscar.aol.com". (#12948)
- Fix a crash on connection loss. (#5927)
Changes for v2.7.5 - v2.7.6
- General:
- Included Microsoft Internet Authority 2010 and Microsoft Secure Server Authority 2010 intermediate CA certificates to our bundle. This fixes the "Unable to validate certificate" error for omega.contacts.msn.com. (#12906)
- Pidgin:
- Avoid a use-after-free race condition in the media code (when there's an error reported by GStreamer). (#12806, Jakub Adam)
- AIM and ICQ:
- SSL option has been changed to a tri-state menu with choices for "Don't Use Encryption", "Use Encryption if Available", and "Require Encryption".
- Fix some possible clientLogin URL issues introduced in version 2.7.5.
- Don't show a ": Ok" connection error when using clientLogin.
- Cleaned up some debug output for improved readability.
- MSN:
- Added support for MSNP16, including Multiple Points of Presence (MPOP) which allows multiple simultaneous sign-ins. (#8247)
- Added extended capabilities support (none implemented).
- Merged the work done on the Google SoC (major rewrite of SLP code)
- Reworked the data transfer architecture. (SlpArchitecture)
- Lots of little changes.
- Don't process zero-length DC messages. (#12660)
- Fixed a bunch of memory leaks.
- Prevent a use-after-free condition.
- XMPP:
- Avoid a double-free in the Google Relay (V/V) code.
- Avoid double error message when failing a file transfer. (#12757)
- Password-related information is printed out for SASL authentication when the PURPLE_UNSAFE_DEBUG environment variable is set.
- Authentication mechanisms can now be added by UI's or other plugins with some work. This is outside the API/ABI rules! (#12715)
- Fixed a few printf("%s", NULL) crashes for broken OSes.
- Windows-Specific Changes:
- Build the Pidgin Theme Editor plugin (finally).
- Untarring (for themes) now works for non-ASCII destination paths.
Changes for v2.7.4 - v2.7.5
- General:
- Added Verisign Class 3 Public CA - G2 root CA.
- Pidgin:
- Properly differentiate between bn and bn_IN in the Translation Information dialog.
- AIM and/or ICQ:
- Display the "Authorize buddy?" minidialog when the requestor has an empty nickname. (#12810)
- New ICQ accounts default to proper ICQ servers. Old accounts using one of the old default servers will be silently migrated to use the proper servers.
- ICQ accounts using clientLogin now use the correct ICQ servers. This is separate from the server settings mentioned above.
- '<' should no longer cause ICQ status messages to be truncated in some locations. (#11964, #12593)
- Fix sending messages to chat rooms. (#12768)
- Bonjour:
- Don't crash when attempting to log into a Bonjour account and init failed.
- Windows-Specific Changes:
- Quote the path stored in the registry when the "run at startup" option in the Windows Pidgin Options plugin is used. (#12781)
Changes for v2.6.5 - v2.6.6
- libpurple
- Fix 'make check' on OS X. (David Fang)
- Fix a quirk in purple_markup_html_to_xhtml that caused some messages to be improperly converted to XHTML.
- Set "controlling-mode" correctly when initializing a media session. Fixes receiving voice calls from Psi.
- When looking up DNS records, use the type of record returned by the server (instead of the type we asked for) to determine how to process the record.
- Fix an issue with parsing XML attributes that contain "<br>". See ChangeLog.API for more details.
- General
- Correctly disable all missing dependencies when using the --disable-missing-dependencies option. (Gabriel Schulhof)
- Gadu-Gadu
- Fix display of avatars after a server-side change. (Krzysztof Klinikowski)
- AIM
- Allow setting and displaying icons between 1x1 and 100x100 pixels. Previously only icons between 48x48 and 50x50 were allowed.
- MSN
- Fix CVE-2010-0277, a possible remote crash when parsing an incoming SLP message. (Discovered by Fabian Yamaguchi)
- File transfer requests will no longer cause a crash if you delete the file before the other side accepts.
- Received files will no longer hold an extra lock after completion, meaning they can be moved or deleted without complaints from your OS.
- Buddies who sign in from a second location will no longer cause an unnecessary chat window to open.
- Support setting an animated GIF as a buddy icon.
- Numerous code cleanups and memory savings.
- MySpace
- Fix a leak and crash when retrieving buddy icons.
- XMPP
- Less likely to send messages to a contact's idle/inactive resource. Previously, if a message was received from a specific resource, responses would be sent to that resource until either it went offline or a message is received from another resource. Now, messages are sent to the bare JID upon receipt of any presence change from the contact.
- Added support for the SCRAM-SHA-1 SASL mechanism. This is only available when built without Cyrus SASL support.
- When getting info on a domain-only (server) JID, show uptime (when given by the result of the "last query") and don't show status as offline.
- Fix getting info on your own JID.
- Wrap XHTML messages in , as described in XEP-0071, for compatibility with some clients.
- Don't do an SRV lookup for a STUN server associated with the account if one is already set globally in prefs.
- Don't send custom smileys larger than the recommended maximum object size specified in the BoB XEP. This prevents a client from being disconnected by servers that dislike overly-large stanzas.
- Fix receiving messages without markup over an Openfire BOSH connection (forcibly put the stanzas in the jabber:client namespace).
- The default value for the file transfer proxies is automatically updated when an account connects, if it is still the old (broken) default (from 'proxy.jabber.org' to 'proxy.eu.jabber.org').
- Fix an issue where libpurple created duplicate buddies if the roster contains a buddy in two groups that differ only by case (e.g. "XMPP" and "xmpp") (or not at all).
- Yahoo
- Don't send and tags. (Fartash Faghri)
- Support PingBox. PingBoxes will appear as pbx/PingBoxName. (Kartik Mohta)
- Pidgin
- Fix CVE-2010-0423, a denial of service attack due to the parsing of large numbers of smileys. (Discovered by Antti Hayrynen)
- Correctly size conversation and status box entries when the interior-focus style property is disabled. (Gabriel Schulhof)
- Correctly handle a multiline text field being required in a request form. (Thanks to Florian Zeitz for finding this problem)
- Search friends by email-addresses in the buddy list. (Luoh Ren-Shan)
- Allow dropping an image on Custom Smiley window to add a new one.
- Prompt for confirmation when clearing a whiteboard (doodle) session. (Kartik Mohta)
- Use the "hand" cursor when hovering over usernames in chat history to indicate that the username is an actionable item.
- Double-clicking usernames in chat history will open an IM with that user.
- Put an icon on the "Filter" button in the debug window.
- Don't treat "/messages/like/this " as commands.
- Explicitly mark user interaction when inserting smilies from the toolbar so "Undo" correctly removes these smilies.
- Clicking "New" or "Saved" in the status selector menu while typing a status message no longer keeps the status entry area stuck in "typing" mode forever.
- Show tooltips for ellipsized conversation tabs. On older systems, tooltips will show for all tabs.
- The File Transfers and Debug Window windows are no longer created as dialogs. These windows should now have minimize buttons in many environments in which they were previously missing (including Windows).
- Smiley themes with Windows line endings no longer cause theme descriptions not to be displayed in the theme selector.
- Finch
- Fix CVE-2010-0420, a possible remote crash when handling chat room buddy names.
- Rebindable 'move-first' and 'move-last' actions for tree widgets. So it is possible to jump to the first or last entry in the buddy list (and other such lists) by pressing home or end key (defaults) respectively.