Launchpad.net

Launchpad Home
Code
Bugs
Blueprints
Translations
Answers

CVE 2009-3026

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.

Related bugs and status

CVE-2009-3026 (Candidate) is related to these bugs:

Bug #494002: [hardy] Failing to connect to MSN with 'protocol is not supported' error

		In	Importance	Status
494002	[hardy] Failing to connect to MSN with 'protocol is not supported' error	pidgin (Ubuntu)	Undecided	Fix Released
494002	[hardy] Failing to connect to MSN with 'protocol is not supported' error	Pidgin	Unknown	Unknown
494002	[hardy] Failing to connect to MSN with 'protocol is not supported' error	pidgin (Debian)	Unknown	Fix Released

See the

CVE page on Mitre.org for more details.

References

MLIST: [oss-security] 2009082...
CONFIRM: http://bugs.debian.org...
CONFIRM: http://developer.pidgi...
CONFIRM: http://developer.pidgi...
SECUNIA: 37071
BID: 36368
XF: pidgin-libpurple-weak-...
OVAL: oval:org.mitre.oval:de...
OVAL: oval:org.mitre.oval:de...