[Pidgin] #14670: Outdated NSS included with Windows installer
Pidgin
trac at pidgin.im
Fri Oct 14 19:32:15 EDT 2011
#14670: Outdated NSS included with Windows installer
---------------------------------+------------------------------------------
Reporter: itsnotabigtruck | Owner: datallah
Type: defect | Status: new
Component: winpidgin (gtk) | Version: 2.10.0
Keywords: ssl tls nss windows |
---------------------------------+------------------------------------------
The Windows installer for Pidgin currently ships with NSS 3.12.5, released in December 2009. This version contains a minor security vulnerability <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3170> and recognizes DigiNotar as a trusted CA. Additionally, it disables TLS renegotiation entirely as RFC 5746 <https://tools.ietf.org/html/rfc5746> "safe" renegotiation hadn't been specified yet. There are also a number of miscellaneous bugs that have been fixed since 3.12.5.

This can be resolved by building the latest NSS from <ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/> (currently NSS 3.12.11 w/ CKBI 1.87) and including it in the Pidgin installer.

The current build of NSS also doesn't support connecting to servers using Elliptic Curve Cryptography (ECC). This can be fixed by setting the NSS_ENABLE_ECC environment variable before compiling NSS; together with the patch in #14668, ECC cipher suites can then be used for SSL/TLS connections.
--
Ticket URL: <http://developer.pidgin.im/ticket/14670>
Pidgin <http://pidgin.im>
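As an added example (not part of the ticket, and not Pidgin's or NSS's own code), the script below shows how a maintainer could audit which NSS a build bundles against the 3.12.11 minimum the reporter proposes, and why the version comparison must be numeric rather than string-based. The nss.h excerpt is a constructed sample in the shape of NSS 3.12's header; the claim that an NSS built with NSS_ENABLE_ECC appends " ECC" to the string returned by NSS_GetVersion() is an assumption about that era's header, not something the ticket states.

```python
"""Audit a bundled NSS against the minimum version proposed in the ticket.

Constructed example: the header excerpt and version strings below are made up
for illustration; a real check would read nss.h from the NSS tree used for the
Windows build, or inspect the string NSS_GetVersion() returns at run time.
"""
import re

# Constructed excerpt in the shape of NSS 3.12's nss.h (assumed layout, not
# copied from any real release).
SAMPLE_NSS_H = """\
#define NSS_VERSION  "3.12.5.0" _NSS_ECC_STRING _NSS_CUSTOMIZED
#define NSS_VMAJOR   3
#define NSS_VMINOR   12
#define NSS_VPATCH   5
#define NSS_VBUILD   0
"""

# Release the ticket proposes shipping instead (3.12.11 w/ CKBI 1.87).
MIN_NSS = (3, 12, 11)

_MACROS = ("NSS_VMAJOR", "NSS_VMINOR", "NSS_VPATCH", "NSS_VBUILD")


def parse_nss_header(header_text):
    """Read the NSS_V* integer macros out of nss.h text -> (major, minor, patch, build)."""
    parts = []
    for name in _MACROS:
        pattern = r"^#define\s+%s\s+(\d+)\s*$" % name
        m = re.search(pattern, header_text, re.MULTILINE)
        if m is None:
            raise ValueError("macro %s not found in header" % name)
        parts.append(int(m.group(1)))
    return tuple(parts)


def parse_version_string(text):
    """'3.12.11' or '3.12.5.0' -> tuple of ints.

    Comparing the raw strings is wrong: '3.12.5' > '3.12.11' lexically, so the
    outdated 3.12.5 build would look newer than the 3.12.11 fix."""
    return tuple(int(p) for p in text.strip().split("."))


def is_outdated(found, minimum=MIN_NSS):
    """True when `found` is older than `minimum`; missing trailing fields count as 0."""
    width = max(len(found), len(minimum))

    def pad(v):
        return tuple(v) + (0,) * (width - len(v))

    return pad(found) < pad(minimum)


def inspect_runtime_version(nss_get_version_output):
    """Split an NSS_GetVersion()-style string into a version tuple and an ECC flag.

    Assumption (not stated in the ticket): an NSS built with NSS_ENABLE_ECC set
    appends ' ECC' to its version string, e.g. '3.12.11.0 ECC'."""
    fields = nss_get_version_output.split()
    return {
        "version": parse_version_string(fields[0]),
        "ecc": "ECC" in fields[1:],
    }


def audit(header_text, minimum=MIN_NSS):
    """Full check for a build tree: parsed version plus whether it is below the minimum."""
    found = parse_nss_header(header_text)
    return {"found": found, "outdated": is_outdated(found, minimum)}


if __name__ == "__main__":
    report = audit(SAMPLE_NSS_H)
    version = ".".join(str(n) for n in report["found"])
    print("bundled NSS %s: %s" % (version, "OUTDATED" if report["outdated"] else "ok"))
```

Running the script against the constructed header reports the bundled 3.12.5.0 as outdated; pointing `audit()` at the real nss.h of the tree used for the installer, or feeding `inspect_runtime_version()` the string the built library reports, gives the same verdict for a real build and also shows whether the ECC build option took effect.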