A bug [1] in libpurple has pidgin ignore the "require TLS/SSL" preference setting when connecting to very old jabber servers that do not follow the XMPP spec. When pidgin connects to this type of jabber server with TLS/SSL required, the encrypted connection fails but a non-encrypted connection will then be established rather than being refused.

This has been fixed upstream with the following commit:
http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279

According to the Debian bug report [2], gaim suffers from the same issue but it does not have a "require TLS/SSL" preference setting to enable.

[1] http://developer.pidgin.im/ticket/8131
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891
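The failure mode described above is a policy question at two points in the XMPP handshake: what to do when a server never advertises STARTTLS (the legacy, non-XMPP case), and what to do when STARTTLS is offered but the negotiation fails. The following added example is not libpurple code and is not taken from the upstream commit; it is a standalone model of the decision logic, with the buggy "always fall back" behaviour beside the corrected one that honours a require_tls preference. The stanza strings are constructed sample input, and the function names are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# XMPP STARTTLS namespace (RFC 3920 / RFC 6120).
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAM_NS = "http://etherx.jabber.org/streams"

# Constructed sample stanzas, as a server would send them after stream open.
FEATURES_WITH_STARTTLS = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    f'<starttls xmlns="{TLS_NS}"/>'
    '</stream:features>'
)
FEATURES_WITHOUT_STARTTLS = (
    f'<stream:features xmlns:stream="{STREAM_NS}">'
    '<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"/>'
    '</stream:features>'
)
STARTTLS_PROCEED = f'<proceed xmlns="{TLS_NS}"/>'
STARTTLS_FAILURE = f'<failure xmlns="{TLS_NS}"/>'


def starttls_offered(features_xml):
    """True if the <stream:features> stanza advertises STARTTLS."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{TLS_NS}}}starttls") is not None


def decide_connection_buggy(require_tls, features_xml):
    """Models the bug: a legacy server (no stream features at all) silently
    gets a plaintext session, regardless of the require_tls preference."""
    if features_xml is None:
        return "plaintext"          # preference ignored: this is the defect
    if starttls_offered(features_xml):
        return "starttls"
    return "refuse" if require_tls else "plaintext"


def decide_connection(require_tls, features_xml):
    """Corrected policy. features_xml is the <stream:features> text, or None
    for a pre-XMPP Jabber server that never sends stream features.
    Returns "starttls", "plaintext" or "refuse"."""
    if features_xml is not None and starttls_offered(features_xml):
        return "starttls"
    # No STARTTLS available (legacy server, or modern server without it):
    # the preference decides, and "required" means the session is refused.
    return "refuse" if require_tls else "plaintext"


def handle_starttls_response(require_tls, response_xml):
    """Policy for the server's reply to <starttls/>. A <failure/> must never
    degrade into a plaintext session when TLS is required."""
    tag = ET.fromstring(response_xml).tag
    if tag == f"{{{TLS_NS}}}proceed":
        return "proceed"            # caller now wraps the socket in TLS
    if tag == f"{{{TLS_NS}}}failure":
        return "refuse" if require_tls else "plaintext"
    return "refuse"                 # anything else is a protocol violation


if __name__ == "__main__":
    for require in (True, False):
        print(require, "legacy server buggy  ->",
              decide_connection_buggy(require, None))
        print(require, "legacy server fixed  ->",
              decide_connection(require, None))
        print(require, "starttls failure     ->",
              handle_starttls_response(require, STARTTLS_FAILURE))
```

The point of the check is that both branches that cannot produce an encrypted stream (no STARTTLS advertised, or STARTTLS negotiation failed) consult the same preference; the defect is a code path that reaches the plaintext session without passing through that check.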
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3026 to the following vulnerability:

Name: CVE-2009-3026
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3026
Reference: MLIST:[oss-security] 20090824 CVE id request: pidgin
Reference: URL: http://www.openwall.com/lists/oss-security/2009/08/24/2
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891
Reference: CONFIRM: http://developer.pidgin.im/ticket/8131
Reference: CONFIRM: http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
Upstream pidgin says this was fixed in 2.6.0, but not backported for the 2.5.9 security release.
This issue has been addressed in following products:

Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5

Via RHSA-2009:1453 https://rhn.redhat.com/errata/RHSA-2009-1453.html