Your message dated Fri, 22 Aug 2008 13:32:06 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#492434: fixed in pidgin 2.4.3-2
has caused the Debian Bug report #492434,
regarding pidgin: Connects to Jabber server with bad SSL certificates without 
warning (CVE-2008-3532)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)


-- 
492434: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492434
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: pidgin
Version: 2.4.3-1
Severity: grave
Tags: security
Justification: user security hole

I recently set up a Jabber server.  I used the default snakeoil
certificate.  When I configured Pidgin to connect to my new server,
using SSL, it connected without any complaint whatsoever.

- Josh Triplett

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.25-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages pidgin depends on:
ii  gconf2                       2.22.0-1    GNOME configuration database syste
ii  libatk1.0-0                  1.22.0-1    The ATK accessibility toolkit
ii  libc6                        2.7-12      GNU C Library: Shared libraries
ii  libcairo2                    1.6.4-6     The Cairo 2D vector graphics libra
ii  libdbus-1-3                  1.2.1-2     simple interprocess messaging syst
ii  libdbus-glib-1-2             0.76-1      simple interprocess messaging syst
ii  libglib2.0-0                 2.16.4-2    The GLib library of C routines
ii  libgstreamer0.10-0           0.10.20-1   Core GStreamer libraries and eleme
ii  libgtk2.0-0                  2.12.11-3   The GTK+ graphical user interface 
ii  libgtkspell0                 2.0.13-1    a spell-checking addon for GTK's T
ii  libice6                      2:1.0.4-1   X11 Inter-Client Exchange library
ii  libpango1.0-0                1.20.5-1    Layout and rendering of internatio
ii  libpurple0                   2.4.3-1     multi-protocol instant messaging l
ii  libsm6                       2:1.0.3-2   X11 Session Management library
ii  libstartup-notification0     0.9-1       library for program launch feedbac
ii  libx11-6                     2:1.1.4-2   X11 client-side library
ii  libxss1                      1:1.1.3-1   X11 Screen Saver extension library
ii  perl                         5.10.0-11.1 Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.10.0]   5.10.0-11.1 The Pathologically Eclectic Rubbis
ii  pidgin-data                  2.4.3-1     multi-protocol instant messaging c

Versions of packages pidgin recommends:
ii  gstreamer0.10-plugins-base    0.10.20-1  GStreamer plugins from the "base" 
ii  gstreamer0.10-plugins-good    0.10.8-4   GStreamer plugins from the "good" 

Versions of packages pidgin suggests:
ii  evolution-data-server         2.22.3-1   evolution database backend server
ii  gnome-panel                   2.20.3-5   launcher and docking facility for 
ii  libsqlite3-0                  3.5.9-3    SQLite 3 shared library

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: pidgin
Source-Version: 2.4.3-2

We believe that the bug you reported is fixed in the latest version of
pidgin, which is due to be installed in the Debian FTP archive:

finch-dev_2.4.3-2_all.deb
  to pool/main/p/pidgin/finch-dev_2.4.3-2_all.deb
finch_2.4.3-2_amd64.deb
  to pool/main/p/pidgin/finch_2.4.3-2_amd64.deb
libpurple-bin_2.4.3-2_all.deb
  to pool/main/p/pidgin/libpurple-bin_2.4.3-2_all.deb
libpurple-dev_2.4.3-2_all.deb
  to pool/main/p/pidgin/libpurple-dev_2.4.3-2_all.deb
libpurple0_2.4.3-2_amd64.deb
  to pool/main/p/pidgin/libpurple0_2.4.3-2_amd64.deb
pidgin-data_2.4.3-2_all.deb
  to pool/main/p/pidgin/pidgin-data_2.4.3-2_all.deb
pidgin-dbg_2.4.3-2_amd64.deb
  to pool/main/p/pidgin/pidgin-dbg_2.4.3-2_amd64.deb
pidgin-dev_2.4.3-2_all.deb
  to pool/main/p/pidgin/pidgin-dev_2.4.3-2_all.deb
pidgin_2.4.3-2.diff.gz
  to pool/main/p/pidgin/pidgin_2.4.3-2.diff.gz
pidgin_2.4.3-2.dsc
  to pool/main/p/pidgin/pidgin_2.4.3-2.dsc
pidgin_2.4.3-2_amd64.deb
  to pool/main/p/pidgin/pidgin_2.4.3-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <[EMAIL PROTECTED]> (supplier of updated pidgin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.8
Date: Thu, 21 Aug 2008 23:56:42 -0400
Source: pidgin
Binary: libpurple0 pidgin pidgin-data pidgin-dev pidgin-dbg finch finch-dev libpurple-dev libpurple-bin
Architecture: source all amd64
Version: 2.4.3-2
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <[EMAIL PROTECTED]>
Changed-By: Ari Pollak <[EMAIL PROTECTED]>
Description: 
 finch      - text-based multi-protocol instant messaging client
 finch-dev  - text-based multi-protocol instant messaging client - development
 libpurple-bin - multi-protocol instant messaging library - extra utilities
 libpurple-dev - multi-protocol instant messaging library - development files
 libpurple0 - multi-protocol instant messaging library
 pidgin     - graphical multi-protocol instant messaging client for X
 pidgin-data - multi-protocol instant messaging client - data files
 pidgin-dbg - Debugging symbols for Pidgin
 pidgin-dev - multi-protocol instant messaging client - development files
Closes: 492434
Changes: 
 pidgin (2.4.3-2) unstable; urgency=low
 .
   * Apply patch from Miron Cuperman to fix path to CA certificates in
     00_debian-ca-certs.path
   * debian/patches/25_ssl-nss.patch:
     - Apply patch from upstream to add SSL certificate checking to the NSS
       plugin, which we use (CVE-2008-3532) (Closes: #492434)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREDAAYFAkiuvroACgkQwO+u47cOQDuQwgCgg+wRDv9vLd0ftL09HHhvNzyG
fUIAnA3EpwmncxU5j4SgVsmxSfA4E/gD
=kguu
-----END PGP SIGNATURE-----



--- End Message ---
