Request for CVEs for Pidgin
Tomas Hoger
thoger at redhat.com
Fri Oct 17 11:11:28 EDT 2014
On Tue, 14 Oct 2014 00:16:17 -0700 Mark Doliner wrote:
> 1. Insufficient SSL certificate validation. Discovered by an anonymous
> person and Jacob Appelbaum of the Tor Project.
> Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one
> for NSS) failed to check that the Basic Constraints extension allowed
> intermediate certificates to act as CAs. This allowed anyone with any
> valid certificate to create a fake certificate for any arbitrary
> domain and Pidgin would trust it.
Out of curiosity, why do this problem exist in the Pidgin code? Does
it re-implement certificate checks rather than using implementations in
NSS or GnuTLS? This is something that SSL libs should implement, and
they should not do these mistake these days.
--
Tomas Hoger / Red Hat Product Security
More information about the security
mailing list