MDVSA-2009:025 -- Mandriva pidgin
ID: oval:org.secpod.oval:def:300498 | Date: (C)2012-01-07 (M)2024-01-29 |
Class: PATCH | Family: unix |
The NSS plugin in libpurple in Pidgin 2.4.1 does not verify SSL certificates, which makes it easier for remote attackers to trick a user into accepting an invalid server certificate for a spoofed service. Pidgin 2.4.1 allows remote attackers to cause a denial of service via a long filename that contains certain characters, as demonstrated using an MSN message that triggers the crash in the msn_slplink_process_msg function. The UPnP functionality in Pidgin 2.0.0, and possibly other versions, allows remote attackers to trigger the download of arbitrary files and cause a denial of service via a UDP packet that specifies an arbitrary URL. The updated packages have been patched to fix these issues.
Platform: |
Mandriva Linux 2008.1 |