[Pidgin] #14670: Outdated NSS included with Windows installer

Pidgin trac at pidgin.im
Sun Feb 10 19:54:14 EST 2013

#14670: Outdated NSS included with Windows installer
 Reporter:  itsnotabigtruck      |       Owner:  datallah
     Type:  defect               |      Status:  closed
Milestone:  2.10.7               |   Component:  winpidgin (gtk)
  Version:  2.10.0               |  Resolution:  fixed
 Keywords:  ssl tls nss windows  |

Comment (by datallah):

 Replying to [comment:3 DrWhax]:
 > Just to give the developers an update, your shipping DigiNotar AND
 TurkTrust certs which have been compromised?
 > And what do you *exactly* mean with;
 >     It looks like the DigiNotar issue isn't a problem as while Pidgin
 loads the NSS trusted roots DLL (nssckbi.dll), it doesn't actually trust
 those roots"
 > Are you saying those certs are not being used at all, are they not
 trusted yet being used, if so, how exactly?
 > It would be good to ship the latest release NSS 3.14.1 instead of 3.13.6
 which is outdated.
 > If these are being used, I hope the Pidgin developers will schedule an
 emergency security release to update the users to the latest version..

 We do ship `nssckbi.dll` (prior to 2.10.7), but the certificate validation
 is done against the certs in the source tree (`share/ca-certs`), so the
 fact that the cert store contains those certs is not problematic.
 Actually the way that certificate validation is done *probably* means that
 we're not affected by CVE-2010-3170, but it's not worth investing any time
 investigating that.

 NSS 3.14.1 doesn't appear to contain any vulnerability fixes that are
 relevant to us (the only issue is the CVE-2013-0743 !TurkTrust thing that
 we're not affected by because we don't use the built-ins).

 I'm sure that there will be a new NSS that we need to move to for the
 "lucky thirteen" thing, and we'll upgrade at that time.

Ticket URL: <https://developer.pidgin.im/ticket/14670#comment:4>
Pidgin <http://pidgin.im>

More information about the Tracker mailing list