457907 – (CVE-2008-3532) CVE-2008-3532 pidgin: NSS plugin doesn't verify SSL certificates

Bug 457907 (CVE-2008-3532) - CVE-2008-3532 pidgin: NSS plugin doesn't verify SSL certificates

Summary: CVE-2008-3532 pidgin: NSS plugin doesn't verify SSL certificates

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-3532
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	472585 472586 472587 472588 833957
Blocks:
TreeView+	depends on / blocked

Reported:	2008-08-05 11:01 UTC by Tomas Hoger
Modified:	2019-09-29 12:26 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2009-11-19 15:31:09 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:1023	0	normal	SHIPPED_LIVE	Moderate: pidgin security and bug fix update	2008-12-15 13:14:14 UTC

Description Tomas Hoger 2008-08-05 11:01:40 UTC

According to upstream bug report and Debian bug report:

  http://developer.pidgin.im/ticket/6500
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434

Pidgin builds using NSS library to provide cryptography do not properly verify SSL certificates provided by SSL-secured remote server (such as Jabber server).  Pidgin accept invalid or self-signed certificates, regardless of the list of configured trusted SSL CA certificates.

Comment 1 Tomas Hoger 2008-08-27 19:59:21 UTC

Upstream advisory:
  http://www.pidgin.im/news/security/?id=28

Fixed upstream in: 2.5.0

Note You need to log in before you can comment on or make changes to this bug.