| Summary: | <net-im/pidgin-2.10.10: MITM (CVE-2014-3694) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Manuel Rüger (RETIRED) <mrueg> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | net-im, polynomial-c |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 526644 | | |
| Bug Blocks: | | | |
Description
Manuel Rüger (RETIRED)
2014-10-22 19:05:35 UTC
```
+*pidgin-2.10.10 (22 Oct 2014)
+
+  22 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> pidgin-2.10.9.ebuild,
+  pidgin-2.10.9-r1.ebuild, +pidgin-2.10.10.ebuild:
+  Security bump (bug #526502). Fixes CVE-2014-3694. Adjusted perl dep in all
+  ebuilds.
+
```

Arches please test and mark stable =net-im/pidgin-2.10.10 with target KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-freebsd ~amd64-linux ~x86-linux ~x86-macos

Stable for HPPA.

*** Bug 526546 has been marked as a duplicate of this bug. ***

amd64 stable

x86 stable

sparc stable

Stable on alpha.

arm stable

ia64 stable

ppc stable

ppc64 stable. Maintainer(s), please cleanup. Security, please vote.

```
+  28 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -pidgin-2.10.9-r1.ebuild,
+  -files/pidgin-2.10.9-python3_fix1.patch,
+  -files/pidgin-2.10.9-python3_fix2.patch:
+  Removed vulnerable versions.
+
```

GLSA vote: no.

CVE-2014-3694 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3694): The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Arches and Maintainer(s), thank you for your work. GLSA Vote: No
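The chain-validation gap described in the CVE text above, as an added Go example that is not code from this bug report, from Gentoo or from Pidgin/libpurple: a verifier that only checks signatures accepts a certificate issued under an ordinary server certificate's key, while one that also requires Basic Constraints cA:TRUE on every issuer rejects it. The hostnames, keys and certificates are constructed inline with the standard library only and are assumptions, not data from the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue creates a certificate for cn with a fresh ed25519 key; parent == nil means self-signed, ca sets the Basic Constraints cA flag.
func issue(cn string, ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, IsCA: ca,
	}
	if parent == nil {
		parent, signer = t, priv // self-signed trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER was just produced by Go, so parsing cannot fail
	return cert, priv
}

// chainOK verifies chain[0] (end entity) up to the trust anchor; checkBasicConstraints toggles the check the CVE-2014-3694 plugins lacked.
func chainOK(chain []*x509.Certificate, checkBasicConstraints bool) bool {
	for i := 0; i+1 < len(chain); i++ {
		child, issuer := chain[i], chain[i+1]
		if issuer.CheckSignature(child.SignatureAlgorithm, child.RawTBSCertificate, child.Signature) != nil {
			return false // signature does not chain to the issuer's key
		}
		if checkBasicConstraints && !(issuer.BasicConstraintsValid && issuer.IsCA) {
			return false // RFC 5280 4.2.1.9: only certificates with cA:TRUE may issue others
		}
	}
	return true
}

// buildChains returns constructed data: a root CA, a server cert it issued, and a forged cert for another host signed with that server's non-CA key.
func buildChains() (legit, forged []*x509.Certificate) {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	srv, srvKey := issue("legit.example", false, root, rootKey)
	fake, _ := issue("im.example", false, srv, srvKey)
	return []*x509.Certificate{srv, root}, []*x509.Certificate{fake, srv, root}
}
```

The legitimate chain passes with either setting; the forged chain passes the signature-only check and fails once the cA flag of each issuer is required.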