CVE-2009-3026 Information
Description
protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification. This causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
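The decision the description refers to, modelled as an added example (illustrative Python, not libpurple's own code): an XMPP client reads the server's stream features, and a legacy pre-XMPP server is assumed here to send no features element at all. The flawed variant drops into legacy plaintext authentication for such a server without consulting the "require TLS/SSL" preference; the corrected variant refuses any unencrypted path when the preference is set.

```python
"""Model of the "require TLS/SSL" check an XMPP client must apply after
reading the server's <stream:features/>.  Illustrative code only; the
sample features below are constructed, not captured from a real server."""
import xml.etree.ElementTree as ET
from typing import Optional

NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed samples: a compliant server offering STARTTLS, a compliant
# server offering none, and a legacy server that sends no features (None).
FEATURES_WITH_TLS = (
    '<stream:features xmlns:stream="http://etherx.jabber.org/streams">'
    '<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>'
    '</stream:features>'
)
FEATURES_NO_TLS = '<stream:features xmlns:stream="http://etherx.jabber.org/streams"/>'
LEGACY_SERVER: Optional[str] = None


def offers_starttls(features_xml: Optional[str]) -> bool:
    """True if the stream features advertise STARTTLS; a legacy server
    that sent no features cannot be negotiating TLS."""
    if features_xml is None:
        return False
    root = ET.fromstring(features_xml)
    return root.find(f"{{{NS_TLS}}}starttls") is not None


def next_step_vulnerable(features_xml: Optional[str], require_tls: bool) -> str:
    """Flawed logic: a legacy server (no features) goes straight to plaintext
    legacy auth, so require_tls is never consulted on that path."""
    if features_xml is None:
        return "legacy-auth-plaintext"
    if offers_starttls(features_xml):
        return "starttls"
    return "refuse" if require_tls else "sasl-plaintext"


def next_step_fixed(features_xml: Optional[str], require_tls: bool) -> str:
    """Corrected logic: the preference is checked before any path that
    would put credentials or the session on the wire unencrypted."""
    if offers_starttls(features_xml):
        return "starttls"
    if require_tls:
        return "refuse"
    return "legacy-auth-plaintext" if features_xml is None else "sasl-plaintext"
```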
Reference
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891
http://developer.pidgin.im/ticket/8131
http://developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279
http://secunia.com/advisories/37071
http://www.openwall.com/lists/oss-security/2009/08/24/2
http://www.securityfocus.com/bid/36368
https://exchange.xforce.ibmcloud.com/vulnerabilities/53000
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A11070
https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A5757