oss-sec mailing list archives
Re: CVE Request: pidgin lack of SSL checks
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 5 Sep 2012 11:01:03 -0400 (EDT)
Hello Marcus,
> Hi,
> Beautiful rant... needs CVE I guess.
> http://developer.pidgin.im/ticket/15308
> Missing SSL checks in libpurple's NSS SSL plugin allows MitM attacks.

Actually right now it looks like there isn't an issue at all (if I got that clarification correctly):
[1] http://developer.pidgin.im/ticket/15308#comment:3
Thus I would wait with CVE assignment for a bit till "water surface has had chance to quieten down".

> (funny side note here is that gnutls 3.x is GPLv3 and effectively could taint any library/binary linking with it to be GPLv3 or newer.)
> Ciao, Marcus
> --
> Open Linux Security Engineer Position at SUSE: http://bit.ly/Li4RbS

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team