Pidgin Security Advisory
| Title | Insufficient SSL certificate validation |
|---|
| Date | 2014-10-22 |
|---|
| CVE Name | CVE-2014-3694 |
|---|
| Discovered By | An anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability |
|---|
| Description | Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one for NSS) failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary domain and Pidgin would trust it. |
|---|
| Fixed in Revision | 2e4475087f04 |
|---|
| Fixed in Version | 2.10.10 |
|---|
| Fix | Both bundled plugins were changed to check the Basic Constraints extension on all intermediate CA certificates. |
|---|
Return to Security Advisory Index
