[Pidgin] #14670: Outdated NSS included with Windows installer

Pidgin trac at pidgin.im
Fri Oct 14 19:32:15 EDT 2011

#14670: Outdated NSS included with Windows installer
 Reporter:  itsnotabigtruck      |     Owner:  datallah
     Type:  defect               |    Status:  new     
Component:  winpidgin (gtk)      |   Version:  2.10.0  
 Keywords:  ssl tls nss windows  |  
 The Windows installer for Pidgin currently ships with NSS 3.12.5, released
 in December 2009. This version contains a minor security vulnerability
 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3170> and
 recognizes DigiNotar as a trusted CA. Additionally, it disables TLS
 renegotiation entirely as RFC 5746 <https://tools.ietf.org/html/rfc5746>
 "safe" renegotiation hadn't been specified yet. There are also a number of
 miscellaneous bugs that have been fixed since 3.12.5.

 This can be resolved by building the latest NSS from
 <ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/> (currently
 NSS 3.12.11 w/ CKBI 1.87) and including it in the Pidgin installer.

 The current build of NSS also doesn't support connecting to servers using
 Elliptic Curve Cryptography (ECC). This can be fixed by setting the
 NSS_ENABLE_ECC environment variable before compiling NSS; together with
 the patch in #14668, ECC cipher suites can then be used for SSL/TLS

Ticket URL: <http://developer.pidgin.im/ticket/14670>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list