{"id":"MGASA-2014-0425","summary":"Updated pidgin packages fix security vulnerabilities","details":"In Pidgin before 2.10.10, both of libpurple's bundled SSL/TLS plugins (one\nfor GnuTLS and one for NSS) failed to check that the Basic Constraints\nextension allowed intermediate certificates to act as CAs. This allowed\nanyone with any valid certificate to create a fake certificate for any\narbitrary domain and Pidgin would trust it (CVE-2014-3694).\n\nIn Pidgin before 2.10.10, a malicious server or man-in-the-middle could\ntrigger a crash in libpurple by sending an emoticon with an overly large\nlength value (CVE-2014-3695).\n\nIn Pidgin before 2.10.10, a malicious server or man-in-the-middle could\ntrigger a crash in libpurple by specifying that a large amount of memory\nshould be allocated in many places in the UI (CVE-2014-3696).\n\nIn Pidgin before 2.10.10, a malicious server and possibly even a malicious\nremote user could create a carefully crafted XMPP message that causes\nlibpurple to send an XMPP message containing arbitrary memory\n(CVE-2014-3698).\n\nThe pidgin package has been updated to version 2.10.10 which fixes these\nissues and other bugs.\n","modified":"2026-04-16T01:45:23.513261792Z","published":"2014-10-25T20:23:09Z","upstream":["CVE-2014-3694","CVE-2014-3695","CVE-2014-3696","CVE-2014-3698"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2014-0425.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=14344"},{"type":"WEB","url":"http://www.pidgin.im/news/security/?id=86"},{"type":"WEB","url":"http://www.pidgin.im/news/security/?id=87"},{"type":"WEB","url":"http://www.pidgin.im/news/security/?id=88"},{"type":"WEB","url":"http://www.pidgin.im/news/security/?id=90"},{"type":"WEB","url":"https://developer.pidgin.im/wiki/ChangeLog"}],"affected":[{"package":{"name":"pidgin","ecosystem":"Mageia:3","purl":"pkg:rpm/mageia/pidgin?arch=source&distro=mageia-3"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.10.10-1.mga3"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0425.json"}},{"package":{"name":"pidgin","ecosystem":"Mageia:4","purl":"pkg:rpm/mageia/pidgin?arch=source&distro=mageia-4"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.10.10-1.mga4"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2014-0425.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}