Pidgin Messenger Update

How to stay anonymous in everyday life. Discussion and exchange of experience.
totentanz
Posts: 516
Joined: Thu Nov 15, 2012 15:09

Pidgin Messenger Update

Post by totentanz » Wed Oct 22, 2014 22:02

Important update for the Pidgin messenger:
https://pidgin.im/download/

Changelog for Pidgin version 2.10.10:


Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694)
Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL. (Elrond and Ashish Gupta) (#15909)
libpurple3 compatibility
Don't allow overwriting arbitrary files on the file system when the user installs a smiley theme via drag-and-drop. (Discovered by Yves Younan of Cisco Talos) (CVE-2014-3697)
Updates to dependencies
NSS 3.17.1 and NSPR 4.10.7 

cane

Re: Pidgin Messenger Update

Post by cane » Thu Oct 23, 2014 9:09

Also fixed: Heartbleed for XMPP:
A malicious server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory.
The update for the live DVD will be online this evening.

Re: Pidgin Messenger Update

Post by totentanz » Mon Nov 24, 2014 3:52

Important update to Pidgin version 2.10.11

https://developer.pidgin.im/wiki/ChangeLog


General
Fix handling of Self-Signed SSL/TLS Certificates when using the NSS plugin 
Improve default cipher suites used with the NSS plugin 
Add NSS Preferences plugin which allows the SSL/TLS Versions and cipher suites to be configured

Gadu-Gadu
Fix a bug that prevented plugin to load when compiled without GnuTLS.
Fix build for platforms without AF_LOCAL definition. 

MSN
Fix broken login due to server change. 
Fail early when buddy list is unavailable instead of wasting bandwidth endlessly re-trying.
https://pidgin.im/download/

The new NSS Preferences plugin is really useful. With it you can select only PFS cipher suites, disable RC4 and DSS, and switch off SSL3.
The question now is: TLS 1.2 AES in GCM mode or TLS 1.2 AES in CBC mode?
TLS 1.2 is set as both minimum and maximum.

P.S.: for the details, Pidgin uses the Mozilla NSS module 3.17.1 from FF33; the new FF34 ships module 3.17.2 with some adjustments.
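
The suite selection described in the post above (PFS suites only, RC4 and DSS disabled), as an added example that is not part of the original thread and is not Pidgin or NSS code: a Python classifier over IANA-style cipher suite names that reports why a suite is rejected and groups the survivors by GCM or CBC mode. The suite list and all function names are constructed for illustration.

```python
# Added example: apply the policy from the post (forward secrecy only,
# no RC4, no DSS) to IANA-style cipher suite names.
# SAMPLE_SUITES is constructed input, not Pidgin's or NSS's actual list.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_RC4_128_SHA",
]

def parse_suite(name):
    """Split TLS_<kx>_<auth>_WITH_<cipher>_..._<mac> into its parts."""
    left, _, right = name.partition("_WITH_")
    kx_auth = left.split("_")[1:]            # drop the "TLS" prefix
    kx = kx_auth[0]
    # In TLS_RSA_* suites RSA is both key exchange and authentication.
    auth = kx_auth[1] if len(kx_auth) > 1 else kx
    parts = right.split("_")
    mode = "GCM" if "GCM" in parts else "CBC" if "CBC" in parts else "stream"
    return {"kx": kx, "auth": auth, "cipher": parts[0], "mode": mode}

def rejection_reason(name):
    """Return why the policy rejects a suite, or None if it is kept."""
    s = parse_suite(name)
    if s["kx"] not in ("ECDHE", "DHE"):      # ephemeral DH gives PFS
        return "no forward secrecy"
    if s["auth"] == "DSS":
        return "DSS authentication"
    if s["cipher"] == "RC4":
        return "RC4"
    return None

def apply_policy(suites):
    return [n for n in suites if rejection_reason(n) is None]

def group_by_mode(suites):
    """Group kept suites by block mode, the GCM/CBC choice from the post."""
    groups = {}
    for n in suites:
        groups.setdefault(parse_suite(n)["mode"], []).append(n)
    return groups

if __name__ == "__main__":
    for n in SAMPLE_SUITES:
        print(f"{n}: {rejection_reason(n) or 'keep'}")
    print(group_by_mode(apply_policy(SAMPLE_SUITES)))
```

The protocol version limit (TLS 1.2 as minimum and maximum) is a separate setting from the suite list and is not modelled here.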
