Pidgin Security Advisory

TitleInsufficient SSL certificate validation
Date2014-10-22
CVE NameCVE-2014-3694
Discovered ByAn anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability
DescriptionBoth of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one for NSS) failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary domain and Pidgin would trust it.
Fixed in Revision2e4475087f04
Fixed in Version2.10.10
FixBoth bundled plugins were changed to check the Basic Constraints extension on all intermediate CA certificates.

Return to Security Advisory Index