Vendor Notification VU#894897 - pidgin

Daniel Atallah daniel.atallah at gmail.com
Thu Feb 26 09:30:11 EST 2015


On Thu, Feb 26, 2015 at 8:13 AM, Luke Schierer <luke at schierer.org> wrote:
>
> Are we still using NSIS?

Yes, we are still using NSIS.

We aren't using the Inetc plugin though.  We are using the NSISdl built-in
plugin to download stuff (the Inetc plugin is third party).

-D

>
> Luke
>
> > Begin forwarded message:
> >
> > Date: February 25, 2015 at 14:14:35 EST
> > Subject: Vendor Notification VU#894897 - pidgin
> > To: Luke <lschiere at users.sf.net>
> > Cc: CERT Coordination Center <cert at cert.org>
> > From: CERT Coordination Center <cert at cert.org>
> >
> >
> > Hello folks,
> >
> > In 2011, we reported to Nullsoft that the NSIS Inetc plugin fails to
> > validate SSL certificates:
> > <https://sourceforge.net/p/nsis/bugs/1022/>
> >
> > Note that this link appears to have restricted access, due to the
> > security impact.  However, after all of the time that has elapsed, the
> > bug remains unfixed.  Due to all of the attention regarding SSL
> > lately, we are proceeding with publication in absence of a fix.
> >
> > We are contacting you because your organization is listed in the NSIS
> > users list:
> > <http://nsis.sourceforge.net/Users>
> >
> > This does not necessarily mean that you use the vulnerable Inetc
> > component.  However, we wanted to give you a heads-up so that you can
> > check if you use Inetc.  If you can confirm that you are affected or
> > not affected, we'd like to know.  We will also be performing our own
> > independent testing.
> >
> > Our scheduled publication date for VU#894897 is Friday, March 20,
> > 2015.
> >
> >
> > Thank you,
> >    Will Dormann
> >
> > =============================
> > Vulnerability Analyst
> > CERT Coordination Center
> > 4500 Fifth Ave.
> > Pittsburgh, PA 15213
> > 1-412-268-7090
> > =============================
> >
>
>
> _______________________________________________
> security mailing list
> security at pidgin.im
> https://pidgin.im/cgi-bin/mailman/listinfo/security
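
An added example, not part of the original thread and not Pidgin's or NSIS's own code: one way to run the check CERT asks for, scanning NSIS script text for Inetc and NSISdl plugin calls and the URLs they fetch. The sample script, its hosts, and the function and field names are constructed for illustration.

```python
import re

# NSIS plugin calls look like  plugin::function args...  at the start of a statement.
# Case-insensitive matching of the plugin name is an assumption of this example.
CALL = re.compile(r'^\s*(inetc|nsisdl)::(\w+)(.*)$', re.IGNORECASE)
URL = re.compile(r'(?:https?|ftp)://[^\s"\'`]+', re.IGNORECASE)
BLOCK_COMMENT = re.compile(r'/\*.*?\*/', re.DOTALL)

def logical_lines(text):
    """Yield (first_line_no, statement): /* */ comments blanked, '\\' continuations joined."""
    # Keep the newlines inside a block comment so line numbers stay accurate.
    text = BLOCK_COMMENT.sub(lambda m: '\n' * m.group().count('\n'), text)
    buf, start = '', None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        if raw.rstrip().endswith('\\'):
            buf += raw.rstrip()[:-1] + ' '
            continue
        yield start, buf + raw
        buf, start = '', None
    if buf:
        yield start, buf

def find_download_calls(text):
    """Return one finding per Inetc/NSISdl call; ';' and '#' comment lines never match CALL."""
    findings = []
    for no, stmt in logical_lines(text):
        m = CALL.match(stmt)
        if m:
            plugin = m.group(1).lower()
            findings.append({'line': no, 'plugin': plugin, 'function': m.group(2),
                             'urls': URL.findall(m.group(3)),
                             'named_in_notice': plugin == 'inetc'})
    return findings

# Constructed sample script (not Pidgin's installer); hosts are placeholders.
SAMPLE = r'''
; constructed sample installer script
Section "Dictionaries"
  ; inetc::get "https://old.example.invalid/dict.zip" "$TEMP\dict.zip" /END
  NSISdl::download "http://downloads.example.invalid/dict.zip" \
      "$TEMP\dict.zip"
  /* inetc::post "x" "https://example.invalid/report" "$TEMP\r.txt" /END */
  INetC::get "https://downloads.example.invalid/runtime.exe" "$TEMP\runtime.exe" /END
SectionEnd
'''

if __name__ == '__main__':
    for f in find_download_calls(SAMPLE):
        print(f)
```

Commented-out calls are ignored, so only the live NSISdl call and the live Inetc call in the sample are reported, and only the Inetc one is marked as the plugin named in the notice.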