|
|
Subscribe / Log in / New account

Mageia alert MGASA-2014-0425 (pidgin)



From:
    	      Mageia Updates <buildsystem-daemon@mageia.org> 


To:
    	      updates-announce@ml.mageia.org 


Subject:
    	      [updates-announce] MGASA-2014-0425: Updated pidgin packages fix security vulnerabilities 


Date:
    	      Sat, 25 Oct 2014 22:23:31 +0200


Message-ID:
    	      <20141025202331.602775CD01@valstar.mageia.org>


MGASA-2014-0425 - Updated pidgin packages fix security vulnerabilities

Publication date: 25 Oct 2014
URL: http://advisories.mageia.org/MGASA-2014-0425.html
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-3694,
     CVE-2014-3695,
     CVE-2014-3696,
     CVE-2014-3698

Description:
In Pidgin before 2.10.10, both of libpurple's bundled SSL/TLS plugins (one
for GnuTLS and one for NSS) failed to check that the Basic Constraints
extension allowed intermediate certificates to act as CAs. This allowed
anyone with any valid certificate to create a fake certificate for any
arbitrary domain and Pidgin would trust it (CVE-2014-3694).

In Pidgin before 2.10.10, a malicious server or man-in-the-middle could
trigger a crash in libpurple by sending an emoticon with an overly large
length value (CVE-2014-3695).

In Pidgin before 2.10.10, a malicious server or man-in-the-middle could
trigger a crash in libpurple by specifying that a large amount of memory
should be allocated in many places in the UI (CVE-2014-3696).

In Pidgin before 2.10.10, a malicious server and possibly even a malicious
remote user could create a carefully crafted XMPP message that causes
libpurple to send an XMPP message containing arbitrary memory
(CVE-2014-3698).

The pidgin package has been updated to version 2.10.10 which fixes these
issues and other bugs.

References:
- https://bugs.mageia.org/show_bug.cgi?id=14344
- http://www.pidgin.im/news/security/?id=86
- http://www.pidgin.im/news/security/?id=87
- http://www.pidgin.im/news/security/?id=88
- http://www.pidgin.im/news/security/?id=90
- https://developer.pidgin.im/wiki/ChangeLog
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3694
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3695
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3696
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3698

SRPMS:
- 4/core/pidgin-2.10.10-1.mga4
- 3/core/pidgin-2.10.10-1.mga3
to post comments


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds