Fwd: Vendor Notification VU#894897 - pidgin
luke at schierer.org
Thu Feb 26 08:13:13 EST 2015
Are we still using NSIS?
> Begin forwarded message:
> Date: February 25, 2015 at 14:14:35 EST
> Subject: Vendor Notification VU#894897 - pidgin
> To: Luke <lschiere at users.sf.net>
> Cc: CERT Coordination Center <cert at cert.org>
> From: CERT Coordination Center <cert at cert.org>
> Hello folks,
>
> In 2011, we reported to Nullsoft that the NSIS Inetc plugin fails to
> validate SSL certificates:
>
> Note that this link appears to have restricted access, due to the
> security impact. However, after all of the time that has elapsed, the
> bug remains unfixed. Due to all of the attention regarding SSL
> lately, we are proceeding with publication in absence of a fix.
>
> We are contacting you because your organization is listed in the NSIS
> users list:
>
> This does not necessarily mean that you use the vulnerable Inetc
> component. However, we wanted to give you a heads-up so that you can
> check if you use Inetc. If you can confirm that you are affected or
> not affected, we'd like to know. We will also be performing our own
> independent testing.
>
> Our scheduled publication date for VU#894897 is Friday, March 20,
>
> Thank you,
> Will Dormann
> Vulnerability Analyst
> CERT Coordination Center
> 4500 Fifth Ave.
> Pittsburgh, PA 15213
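One way to run the check the notification asks for ("check if you use Inetc"), as an added example that is not part of the original message or of any project's code. It assumes installer sources are NSIS scripts with `.nsi`/`.nsh` extensions and that the plugin is invoked as `inetc::<function>`; the sample script and its URLs are constructed.

```python
import re
from pathlib import Path
# Plugin call such as: inetc::get /SILENT "https://host/f" "$TEMP\f" /END
CALL = re.compile(r'\binetc::(\w+)\b(.*)', re.IGNORECASE)
URL = re.compile(r'https?://[^\s"\'`]+', re.IGNORECASE)

def logical_lines(text):
    """Yield (first_line_no, text), joining trailing-backslash continuations."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf, start = "", None
    if buf:
        yield start, buf

def find_inetc_calls(text):
    """Return [(line_no, function, [urls])] for each Inetc call in an NSIS script."""
    hits = []
    for no, line in logical_lines(text):
        if line.lstrip().startswith((";", "#")):  # whole-line NSIS comment
            continue
        m = CALL.search(line)
        if m:
            hits.append((no, m.group(1).lower(), URL.findall(m.group(2))))
    return hits

def scan_tree(root):
    """Map each .nsi/.nsh file under root that calls Inetc to its hits."""
    out = {}
    for p in Path(root).rglob("*.ns[ih]"):
        hits = find_inetc_calls(p.read_text(errors="replace"))
        if hits:
            out[str(p)] = hits
    return out

# Constructed sample script, not taken from any real installer.
SAMPLE = r'''
; inetc::get "https://example.invalid/old.zip" "$TEMP\old.zip"
Section
  inetc::get /SILENT \
      "https://example.invalid/dict.zip" "$TEMP\dict.zip" /END
SectionEnd
'''

if __name__ == "__main__":
    print(find_inetc_calls(SAMPLE))
```

Any hit means the installer uses the plugin; hits whose URL list contains `https://` entries are the downloads that depend on the certificate validation the notification says is missing.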