The XMPP protocol plugin in libpurple in Pidgin before 2.10.8 does not
properly determine whether the from address in an iq reply is consistent
with the to address in an iq request, which allows remote attackers to
spoof iq traffic or cause a denial of service (NULL pointer dereference and
application crash) via a crafted reply.
mdeslaur> this introduced a regression, which was fixed in 2.10.9:
Updated: 2014-02-14 14:14:54 UTC (commit 7751)