Upstream information

CVE-2008-3532 at MITRE

Description

The NSS plugin in libpurple in Pidgin 2.4.3 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 6.8
Vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial
SUSE Bugzilla entry: 415679 [RESOLVED / WONTFIX]

No SUSE Security Announcements cross referenced.

List of released packages

Product(s) Fixed package version(s) References
SUSE Linux Enterprise Software Development Kit 11 SP4
  • finch >= 2.6.6-0.25.2
  • finch-devel >= 2.6.6-0.25.2
  • libpurple >= 2.6.6-0.25.2
  • libpurple-devel >= 2.6.6-0.25.2
  • libpurple-lang >= 2.6.6-0.25.2
  • pidgin >= 2.6.6-0.25.2
  • pidgin-devel >= 2.6.6-0.25.2
Patchnames:
SUSE Linux Enterprise Software Development Kit 11 SP4 GA finch
SUSE Linux Enterprise SDK 10 SP2
  • finch >= 2.3.1-10.9
  • finch-devel >= 2.3.1-10.9
  • libpurple >= 2.3.1-10.9
  • libpurple-devel >= 2.3.1-10.9
  • pidgin >= 2.3.1-10.9
  • pidgin-devel >= 2.3.1-10.9
sled10-sp2.x86
sles10-sp2-debuginfo.ia64
sle10-sp2-sdk.ia64
sles10-sp2-debuginfo.ppc
sle10-sp2-sdk.s390x
sle10-sp2-sdk.x86
sles10-sp2-debuginfo.x86
sled10-sp2.x86-64
sle10-sp2-sdk.ppc
sle10-sp2-sdk.x86-64
sles10-sp2-debuginfo.x86-64
sles10-sp2-debuginfo.s390x
ZYPP Patch Nr: 5573
openSUSE 11.0
  • pidgin-debuginfo >= 2.4.1-28.4
  • pidgin-debugsource >= 2.4.1-28.4
openSUSE 11.0
  • finch >= 2.4.1-28.4
  • finch-devel >= 2.4.1-28.4
  • libpurple >= 2.4.1-28.4
  • libpurple-devel >= 2.4.1-28.4
  • libpurple-meanwhile >= 2.4.1-28.4
  • libpurple-mono >= 2.4.1-28.4
  • pidgin >= 2.4.1-28.4
  • pidgin-devel >= 2.4.1-28.4