Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2009-3026

Published: 31 August 2009

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.

Notes

AuthorNote
mdeslaur 
Reproducer in debian bug

Priority

Medium

Status

Package Release Status
pidgin
Launchpad, Ubuntu, Debian 		dapper Does not exist

hardy
Released (1:2.4.1-1ubuntu2.8)
intrepid
Released (1:2.5.2-0ubuntu1.6)
jaunty
Released (1:2.5.5-1ubuntu8.5)
karmic Not vulnerable
(1:2.6.2-1ubuntu7)
upstream Needs triage

Patches:
upstream: http://developer.pidgin.im/viewmtn/revision/info/55897c4ce0787edc1e7721b7f4a9b5cbc8357279

References

Bugs

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›

Further reading