Summary | Insufficient SSL certificate validation |
---|---|
Date | 2014-10-22 |
CVE Number | CVE-2014-3694 |
Discovered By | An anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability |
Fixed In Release | 2.10.10 |
Both of libpurple’s bundled SSL/TLS plugins (one for GnuTLS and one for NSS) failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary domain and Pidgin would trust it.
Both bundled plugins were changed to check the Basic Constraints extension on all intermediate CA certificates.