Secunia writes: A security issue has been reported in Pidgin, which can be exploited by malicious people to conduct spoofing attacks. The problem is that the certificate presented by e.g. a Jabber server at the beginning of an SSL session is not verified. This can be exploited to spoof valid servers via a man-in-the-middle attack. Successful exploitation requires that Pidgin is configured to use the NSS plugin. The security issue is reported in version 2.4.3. Other versions may also be affected.

SOLUTION: Do not rely on the application's SSL certificate verification.

PROVIDED AND/OR DISCOVERED BY: Reported by Josh Triplett in a Debian bug report.

ORIGINAL ADVISORY:
http://developer.pidgin.im/ticket/6500
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434
This issue is fixed in 2.5.0, which is in the portage tree but currently marked unstable.
The ebuild is in. I'm a bit shy about rushing this to stable because it's not a great threat and there is a whole new MSN implementation in that version and I'm not sure how good it is.
We could argue about the impact of failure to verify certificates, especially when people rely on it. Let's give it the rest of this week in ~arch to test, and we will CC arches on Aug. 24. Please mark any bugs that come up as blockers of this bug.
Arches, please test and mark stable net-im/pidgin-2.5.1. Target Keywords: "alpha amd64 hppa ia64 ppc ~ppc64 sparc x86 ~x86-fbsd"
Sparc stable for pidgin-2.5.1.
amd64/x86 stable
alpha/ia64 stable
ppc stable
Stable for HPPA.
2.5.1 is now in x86 stable and merged to Portage; if all other arches are done, I think you can close this bug ...
(In reply to comment #10)
> 2.5.1 is now in x86 stable and merged to Portage; if all other arch, i think
> you can close this bug ...

Thanks for your effort, but ... no, not really. This is a security bug, please see our policy[1]. So, ready for voting. I vote YES.

[1] http://www.gentoo.org/security/en/vulnerability-policy.xml
voting yes too, request filed.
GLSA 200901-13, sorry for the delay
2.5.2 stable by now, and 2.5.4 should come in within 24h (bump request just closed, waiting for tree to sync).