Advisories ยป MGASA-2014-0425

Updated pidgin packages fix security vulnerabilities

Publication date: 25 Oct 2014
Type: security
Affected Mageia releases : 3 , 4
CVE: CVE-2014-3694 , CVE-2014-3695 , CVE-2014-3696 , CVE-2014-3698

Description

In Pidgin before 2.10.10, both of libpurple's bundled SSL/TLS plugins (one
for GnuTLS and one for NSS) failed to check that the Basic Constraints
extension allowed intermediate certificates to act as CAs. This allowed
anyone with any valid certificate to create a fake certificate for any
arbitrary domain and Pidgin would trust it (CVE-2014-3694).

In Pidgin before 2.10.10, a malicious server or man-in-the-middle could
trigger a crash in libpurple by sending an emoticon with an overly large
length value (CVE-2014-3695).

In Pidgin before 2.10.10, a malicious server or man-in-the-middle could
trigger a crash in libpurple by specifying that a large amount of memory
should be allocated in many places in the UI (CVE-2014-3696).

In Pidgin before 2.10.10, a malicious server and possibly even a malicious
remote user could create a carefully crafted XMPP message that causes
libpurple to send an XMPP message containing arbitrary memory
(CVE-2014-3698).

The pidgin package has been updated to version 2.10.10 which fixes these
issues and other bugs.
                

References

SRPMS

3/core

4/core