full-disclosure-uk August 2008 archive

[Full-disclosure] [PLSA 2008-18] Pidgin: Spoofing Vulnerability

From: Pınar Yanardağ <pinar_at_nospam>
Date: Thu Aug 07 2008 - 00:27:31 GMT
To: pardus-security@pardus.org.tr



Pardus Linux Security Advisory 2008-18 security@pardus.org.tr
Date: 2008-08-07 Severity: 2 Type: Remote
------------------------------------------------------------------------

Summary


A security issue has been reported in Pidgin, which can be exploited by malicious people to conduct spoofing attacks.

Description


The problem is that the certificate presented by a server (e.g. a Jabber server) at the start of an SSL session is not verified. This can be exploited to spoof valid servers via a man-in-the-middle attack.

Successful exploitation requires that Pidgin is configured to use the NSS plugin.
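The following Go program is an added example and is not code from this advisory, from Pardus or from the Pidgin project; it does not reproduce Pidgin's NSS plugin code. It models the failure described above on a loopback TLS server: a client that skips certificate verification (the behaviour of the unpatched NSS plugin) completes a handshake with any certificate carrying the expected name, while a client that verifies the chain against the one root it trusts rejects an impostor certificate for the same name. The hostname jabber.example, the two self-signed test certificates and the 127.0.0.1 listener are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hostname the client believes it is talking to (constructed for this example).
const serverName = "jabber.example"

// selfSignedCert builds an in-memory self-signed certificate for cn and returns
// it with its parsed form in Leaf. The legitimate server and the impostor both
// use it; only which certificate the client trusts differs.
func selfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// serveOnce listens on 127.0.0.1, presents cert to one client, completes the
// handshake and closes. It returns the address the client should dial.
func serveOnce(cert tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", err
	}
	go func() {
		defer ln.Close()
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		_ = conn.(*tls.Conn).Handshake() // an error here means the client rejected us
		conn.Close()
	}()
	return ln.Addr().String(), nil
}

// handshake reports whether a client completes a TLS handshake with a server
// presenting `presented`. With verify=true the client trusts only `trusted`;
// with verify=false it accepts any certificate, the unverified behaviour the
// advisory describes.
func handshake(presented, trusted tls.Certificate, verify bool) (bool, error) {
	addr, err := serveOnce(presented)
	if err != nil {
		return false, err
	}
	cfg := &tls.Config{ServerName: serverName}
	if verify {
		pool := x509.NewCertPool()
		pool.AddCert(trusted.Leaf)
		cfg.RootCAs = pool // chain and hostname are checked against this pool
	} else {
		cfg.InsecureSkipVerify = true // no check at all: a man-in-the-middle certificate passes
	}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return false, err
	}
	return true, conn.Close()
}

func main() {
	legit, _ := selfSignedCert(serverName)
	impostor, _ := selfSignedCert(serverName) // same name, different key: an impostor certificate
	for _, verify := range []bool{false, true} {
		ok, err := handshake(impostor, legit, verify)
		fmt.Printf("impostor cert, verify=%-5v accepted=%-5v err=%v\n", verify, ok, err)
	}
	ok, err := handshake(legit, legit, true)
	fmt.Printf("legitimate cert, verify=true  accepted=%-5v err=%v\n", ok, err)
}
```

Running it shows the impostor accepted only when verification is skipped; with verification on, the dial fails with an "unknown authority" error from crypto/x509 while the legitimate certificate is still accepted. The same check a hardened client must perform is the one the advisory says the NSS plugin omitted: validate the chain to a trusted root and match the name before trusting the session.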

Affected packages:

   Pardus 2008:
     pidgin, all before 2.4.3-21-3

   Pardus 2007:
     pidgin, all before 2.4.3-21-14

Resolution


Updated pidgin packages are available. You can install them via Package Manager or with a single command from the console:

   Pardus 2008:
     pisi up pidgin

   Pardus 2007:
     pisi up pidgin

References


--
Pınar Yanardağ
http://pinguar.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/