cve-2014-3694-00

Summary Insufficient SSL certificate validation
Date 2014-10-22
CVE Number CVE-2014-3694
Discovered By An anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability
Fixed In Release 2.10.10

Description

Both of libpurple’s bundled SSL/TLS plugins (one for GnuTLS and one for NSS) failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary domain and Pidgin would trust it.

Mitigation

Both bundled plugins were changed to check the Basic Constraints extension on all intermediate CA certificates.

Looking to reach us via XMPP? Check out the new PidginChat service!