Fwd: Vendor Notification VU#894897 - pidgin
Luke Schierer
luke at schierer.org
Thu Feb 26 08:13:13 EST 2015
Are we still using NSIS?
Luke
> Begin forwarded message:
>
> Date: February 25, 2015 at 14:14:35 EST
> Subject: Vendor Notification VU#894897 - pidgin
> To: Luke <lschiere at users.sf.net>
> Cc: CERT Coordination Center <cert at cert.org>
> From: CERT Coordination Center <cert at cert.org>
>
>
> Hello folks,
>
> In 2011, we reported to Nullsoft that the NSIS Inetc plugin fails to
> validate SSL certificates:
> <https://sourceforge.net/p/nsis/bugs/1022/>
>
> Note that this link appears to have restricted access, due to the
> security impact. However, after all of the time that has elapsed, the
> bug remains unfixed. Due to all of the attention regarding SSL
> lately, we are proceeding with publication in absence of a fix.
>
> We are contacting you because your organization is listed in the NSIS
> users list:
> <http://nsis.sourceforge.net/Users>
>
> This does not necessarily mean that you use the vulnerable Inetc
> component. However, we wanted to give you a heads-up so that you can
> check if you use Inetc. If you can confirm that you are affected or
> not affected, we'd like to know. We will also be performing our own
> independent testing.
>
> Our scheduled publication date for VU#894897 is Friday, March 20,
> 2015.
>
>
> Thank you,
> Will Dormann
>
> =============================
> Vulnerability Analyst
> CERT Coordination Center
> 4500 Fifth Ave.
> Pittsburgh, PA 15213
> 1-412-268-7090
> =============================