Page 1 of 1

Pidgin Messenger Update

Posted: Wed Oct 22, 2014 22:02
by totentanz
Wichtiges Update für den Pidgin Messenger:
https://pidgin.im/download/

Changelog Version Pidgin 2.10.10:

Code: Select all

Check the basic constraints extension when validating SSL/TLS certificates. This fixes a security hole that allowed a malicious man-in-the-middle to impersonate an IM server or any other https endpoint. This affected both the NSS and GnuTLS plugins. (Discovered by an anonymous person and Jacob Appelbaum of the Tor Project, with thanks to Moxie Marlinspike for first publishing about this type of vulnerability. Thanks to Kai Engert for guidance and for some of the NSS changes) (CVE-2014-3694)
Allow and prefer TLS 1.2 and 1.1 when using the NSS plugin for SSL. (Elrond and Ashish Gupta) (#15909)     libpurple3 compatibility
Don't allow overwriting arbitrary files on the file system when the user installs a smiley theme via drag-and-drop. (Discovered by Yves Younan of Cisco Talos) (CVE-2014-3697)
Updates to dependencies
NSS 3.17.1 and NSPR 4.10.7 

Re: Pidgin Messenger Update

Posted: Thu Oct 23, 2014 9:09
by cane
Außerdem gefixt: Heartblead for XMPP:
A malicious server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory.
Heute abend wird das Update für die Live-DVD online sein.

Re: Pidgin Messenger Update

Posted: Mon Nov 24, 2014 3:52
by totentanz
Wichtiges Update auf Version Pidgin 2.10.11

https://developer.pidgin.im/wiki/ChangeLog

Code: Select all

General
Fix handling of Self-Signed SSL/TLS Certificates when using the NSS plugin 
Improve default cipher suites used with the NSS plugin 
Add NSS Preferences plugin which allows the SSL/TLS Versions and cipher suites to be configured )

Gadu-Gadu
Fix a bug that prevented plugin to load when compiled without GnuTLS.
Fix build for platforms without AF_LOCAL definition. 

MSN
Fix broken login due to server change. 
Fail early when buddy list is unavailable instead of wasting bandwidth endlessly re-trying.
https://pidgin.im/download/

Das neue NSS Einstellungs Plugin ist wirklich nützlich. So kann man nur PFS Chiphersuites auswählen, RC4 und DSS deaktivieren, sowie SSL3 abschalten.
NSSPlugin.jpg
Die Frage ist jetzt, TLS 1.2 AES im GCM Modus oder TLS 1.2 AES im CBC Modus.
TLS 1.2 als minimum und maximum eingestellt.

P.S: für die Details, Pidgin verwendet das Mozilla NSS Modul 3.17.1 aus dem FF33, im neuen FF34 gibs das Modul 3.17.2 mit einigen Anpassungen.