OVAL

MDVSA-2009:025 -- Mandriva pidgin

ID: oval:org.secpod.oval:def:300498
Date: (C)2012-01-07   (M)2024-01-29
Class: PATCH
Family: unix




The NSS plugin in libpurple in Pidgin 2.4.1 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service. Pidgin 2.4.1 allows remote attackers to cause a denial of service via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function. The UPnP functionality in Pidgin 2.0.0, and possibly other versions, allows remote attackers to trigger the download of arbitrary files and cause a denial of service via a UDP packet that specifies an arbitrary URL. The updated packages have been patched to fix these issues.

Platform:
Mandriva Linux 2008.1
Product:
pidgin
Reference:
MDVSA-2009:025
CVE-2008-3532
CVE-2008-2957
CVE-2008-2955
CPE:
cpe:/o:mandriva:linux:2008.1

© SecPod Technologies