tags 492434 patch
thanks
Miron Cuperman <[EMAIL PROTECTED]> wrote:
> I believe this bug was introduced with the "fix" for bug #401567.
>
> At that time, the SSL implementation was changed from GNUTLS to NSS.
> Unfortunately, the NSS plugin in pidgin does no certificate checking at
> all, meaning that any certificate is accepted (including malformed or
> self-signed ones).
>
> I recommend switching back to gnutls. Patch attached. The attached
> patch also corrects a problem in reading the certificate store from
> /etc/ssl/certs . (note that this patch is cumulative to
> 00_debian-ca-certs.patch .)
>
> Unfortunately, it is now the case that any passwords transmitted over an
> NSS created link could have been compromised by man-in-the-middle
> attacks, since many people use the PLAIN auth mechanism. Any valuable
> passwords compromised in this way should be changed.
>
> --
> Miron
>
> diff -ur pidgin-2.4.1/debian/rules pidgin-2.4.1-gnutls/debian/rules
> --- pidgin-2.4.1/debian/rules 2008-08-02 19:04:58.000000000 -0700
> +++ pidgin-2.4.1-gnutls/debian/rules 2008-08-02 18:43:49.000000000 -0700
> @@ -20,7 +20,7 @@
> LDFLAGS = -Wl,--as-needed
> CFLAGS = -fstack-protector
>
> -DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus
> --enable-gnutls=no --enable-nss=yes --enable-cyrus-sasl --enable-nm
> --disable-silc
> +DEB_CONFIGURE_EXTRA_FLAGS := --enable-perl --with-zephyr=/usr --enable-dbus
> --enable-gnutls=yes --enable-nss=no --enable-cyrus-sasl --enable-nm
> --disable-silc
> DEB_DH_MAKESHLIBS_ARGS_pidgin := -V -X/usr/lib/pidgin
> DEB_DH_SHLIBDEPS_ARGS_pidgin := -X/usr/lib/pidgin/gevolution.so
> -X/usr/lib/pidgin/cap.so -- -dSuggests debian/pidgin/usr/lib/pidgin/cap.so
> -dDepends
>
> diff -ur pidgin-2.4.1/libpurple/certificate.c
> pidgin-2.4.1-gnutls/libpurple/certificate.c
> --- pidgin-2.4.1/libpurple/certificate.c 2008-08-02 19:07:10.000000000
> -0700
> +++ pidgin-2.4.1-gnutls/libpurple/certificate.c 2008-08-02
> 18:56:25.000000000 -0700
> @@ -745,7 +745,7 @@
> x509_ca_paths = g_list_append(NULL, g_build_filename(DATADIR,
> "ca-certs", NULL));
> #else
> - x509_ca_paths = g_list_append(NULL, g_build_filename("etc",
> + x509_ca_paths = g_list_append(NULL, g_build_filename("/etc",
> "ssl", "certs", NULL));
> #endif
> }
--
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]