2.5.9 and 2.6.0 were both released Tuesday, August 18th addressing this security issue (CVE-2009-2694). 2.5.9 is 2.5.8 with only CVE-2009-2694 addressed and an unrelated crash bug fix. 2.6.0 contains CVE-2009-2694 in addition to many other bug fixes and the new Voice and Video support.
Unfortunately, another security issue was discovered with sending URL's over the Yahoo protocol and 2.6.1 was released on Wednesday, August 19th. According to the pidgin developers, 2.5.9 was not affected by separate bug.
Note: The Voice and Video support in pidgin-2.6.1 is a bit fragile. You MUST have the latest version of farsight2 and the stack of libraries it requires. You may also need to open ports on your firewall to allow it to connect.
Have you tried gnote yet? It is a C++ reimplementation of tomboy. gnote's binary package itself is less than 4MB with only a few standard dependencies that you might already have on a GNOME desktop, significantly smaller than Mono. I made the switch fully from tomboy to gnote a few months ago and things are working very nicely.
"You know, we've won awards for this crap." -- David Letterman