The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
{ "binaries": [ { "binary_name": "finch", "binary_version": "1:2.10.9-0ubuntu3.2" }, { "binary_name": "finch-dev", "binary_version": "1:2.10.9-0ubuntu3.2" }, { "binary_name": "libpurple-bin", "binary_version": "1:2.10.9-0ubuntu3.2" }, { "binary_name": "libpurple-dev", "binary_version": "1:2.10.9-0ubuntu3.2" }, { "binary_name": "libpurple0", "binary_version": "1:2.10.9-0ubuntu3.2" }, { "binary_name": "pidgin", "binary_version": "1:2.10.9-0ubuntu3.2" }, { "binary_name": "pidgin-data", "binary_version": "1:2.10.9-0ubuntu3.2" }, { "binary_name": "pidgin-dbg", "binary_version": "1:2.10.9-0ubuntu3.2" }, { "binary_name": "pidgin-dev", "binary_version": "1:2.10.9-0ubuntu3.2" } ], "ubuntu_priority": "medium", "availability": "No subscription required" }