Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694) See https://developer.pidgin.im/wiki/ChangeLog
+*pidgin-2.10.10 (22 Oct 2014) + + 22 Oct 2014; Lars Wendler <polynomial-c@gentoo.org> pidgin-2.10.9.ebuild, + pidgin-2.10.9-r1.ebuild, +pidgin-2.10.10.ebuild: + Security bump (bug #526502). Fixes CVE-2014-3694. Adjusted perl dep in all + ebuilds. + Arches please test and mark stable =net-im/pidgin-2.10.10 with target KEYWORDS: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86 ~x86-freebsd ~amd64-linux ~x86-linux ~x86-macos
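Review bot: the entry touches pidgin-2.10.9.ebuild and pidgin-2.10.9-r1.ebuild only to adjust the perl dependency, so both vulnerable versions stay installable alongside 2.10.10 until the stabilization request completes; the ChangeLog line should say that their removal is deferred until the arches listed in the KEYWORDS target have marked 2.10.10 stable, so that anyone reading the log knows the tree is not yet clean.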
Stable for HPPA.
*** Bug 526546 has been marked as a duplicate of this bug. ***
amd64 stable
x86 stable
sparc stable
Stable on alpha.
arm stable
ia64 stable
ppc stable
ppc64 stable. Maintainer(s), please clean up. Security, please vote.
+ 28 Dec 2014; Lars Wendler <polynomial-c@gentoo.org> -pidgin-2.10.9-r1.ebuild, + -files/pidgin-2.10.9-python3_fix1.patch, + -files/pidgin-2.10.9-python3_fix2.patch: + Removed vulnerable versions. +
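Review bot: the removal lists only pidgin-2.10.9-r1.ebuild and its two python3 patches, while the 22 Oct 2014 entry shows pidgin-2.10.9.ebuild (without the -r1 suffix) also being modified; if that ebuild was dropped in a separate commit the entry should say so, otherwise "Removed vulnerable versions" overstates what this change does and a vulnerable version may still be in the tree.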
GLSA vote: no.
CVE-2014-3694 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3694): The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
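The CVE text above describes the defect abstractly; the following Go program, added here as an illustration and not code from Pidgin, libpurple or Gentoo, makes it concrete. It constructs a trusted root, an ordinary end-entity certificate (Basic Constraints cA=FALSE) issued by that root, and a "rogue" certificate for a different hostname signed with the end-entity key. A verifier that only walks signatures up to a trusted root, as the pre-2.10.10 plugins effectively did, accepts the rogue certificate, while the standard library's RFC 5280 path validation, which consults the cA flag, rejects it. All hostnames, names and keys are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // increasing serial numbers for the constructed certificates

// newCert issues a certificate for cn/dns signed by parent (self-signed when parent is nil).
// isCA sets the Basic Constraints cA flag; the extension itself is always present.
func newCert(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              dns,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario holds the constructed certificates: a trusted root, an end-entity
// certificate (cA=FALSE) it issued, and a rogue certificate for another
// hostname that was signed with the end-entity key.
type Scenario struct {
	Root, Leaf, Rogue *x509.Certificate
}

func BuildScenario() (*Scenario, error) {
	root, rootKey, err := newCert("Example Root CA", true, nil, nil, nil)
	if err != nil {
		return nil, err
	}
	leaf, leafKey, err := newCert("attacker.example", false, []string{"attacker.example"}, root, rootKey)
	if err != nil {
		return nil, err
	}
	rogue, _, err := newCert("im.example", false, []string{"im.example"}, leaf, leafKey)
	if err != nil {
		return nil, err
	}
	return &Scenario{Root: root, Leaf: leaf, Rogue: rogue}, nil
}

// SignatureOnlyCheck models the flawed behaviour the CVE describes: hostname,
// issuer names and every signature up to the trusted root are checked, but the
// Basic Constraints cA flag of the issuing certificates is never consulted.
func SignatureOnlyCheck(chain []*x509.Certificate, root *x509.Certificate, host string) error {
	if err := chain[0].VerifyHostname(host); err != nil {
		return err
	}
	for i, cert := range chain {
		issuer := root
		if i+1 < len(chain) {
			issuer = chain[i+1]
		}
		if !bytes.Equal(cert.RawIssuer, issuer.RawSubject) {
			return errors.New("issuer name mismatch")
		}
		pub, ok := issuer.PublicKey.(*ecdsa.PublicKey)
		if !ok {
			return errors.New("example only handles ECDSA issuers")
		}
		sum := sha256.Sum256(cert.RawTBSCertificate) // all certs here are ECDSA-with-SHA256
		if !ecdsa.VerifyASN1(pub, sum[:], cert.Signature) {
			return errors.New("bad signature")
		}
	}
	return nil
}

// VerifyWithBasicConstraints runs the standard library's RFC 5280 path validation,
// which refuses to treat a certificate as an issuer unless its Basic Constraints
// extension asserts cA=TRUE. The leaf is offered as an intermediate, as an
// attacker presenting the rogue chain would have to do.
func VerifyWithBasicConstraints(s *Scenario, subject *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(s.Root)
	inters.AddCert(s.Leaf)
	_, err := subject.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	chain := []*x509.Certificate{s.Rogue, s.Leaf}
	fmt.Println("signature-only check accepts the rogue cert:", SignatureOnlyCheck(chain, s.Root, "im.example") == nil)
	fmt.Println("Basic Constraints check rejects it:", VerifyWithBasicConstraints(s, s.Rogue, "im.example") != nil)
}
```

The point the CVE makes is visible in the two results: the rogue chain is cryptographically sound and names the expected host, so a signature-and-hostname verifier has nothing to object to; only the cA flag on the leaf reveals that its key was never authorised to issue certificates. When reviewing a TLS client or plugin, confirm that its chain validation consults that flag (and pathLenConstraint) rather than just verifying signatures up to a trusted root.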
Arches and Maintainer(s), thank you for your work. GLSA Vote: No