Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694)
+*pidgin-2.10.10 (22 Oct 2014)
+ 22 Oct 2014; Lars Wendler <firstname.lastname@example.org> pidgin-2.10.9.ebuild,
+ pidgin-2.10.9-r1.ebuild, +pidgin-2.10.10.ebuild:
+ Security bump (bug #526502). Fixes CVE-2014-3694. Adjusted perl dep in all
Arches please test and mark stable =net-im/pidgin-2.10.10 with target KEYWORDS:
alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-freebsd ~amd64-linux ~x86-linux ~x86-macos
Stable for HPPA.
*** Bug 526546 has been marked as a duplicate of this bug. ***
Stable on alpha.
Maintainer(s), please cleanup.
Security, please vote.
+ 28 Dec 2014; Lars Wendler <email@example.com> -pidgin-2.10.9-r1.ebuild,
+ Removed vulnerable versions.
GLSA vote: no.
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS
plugin in libpurple in Pidgin before 2.10.10 do not properly consider the
Basic Constraints extension during verification of X.509 certificates from
SSL servers, which allows man-in-the-middle attackers to spoof servers and
obtain sensitive information via a crafted certificate.
Arches and Maintainer(s), thank you for your work.
GLSA Vote: No