Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 5.0
CVE Id CVE-2009-3026
Last Modified 22 Oct 2012 11:10:30
Published 31 Aug 2009 04:30:01
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2009-3026

Summary

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.

Vulnerable Systems

Application

  • Pidgin 2.6.0
References

CONFIRM - http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279

XF - pidgin-libpurple-weak-security(53000)

MLIST - [oss-security] 20090824 CVE id request: pidgin

SECUNIA - 37071

CONFIRM - http://developer.pidgin.im/ticket/8131

CONFIRM - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891

BID - 36368

Related Patches

Novell SUSE 2009:1604 finch security update for SLE 11 x86_64
Last Updated: 27 May 2016 10:51:45