hugo/content/about/security/advisories/cve-2014-3694-00.md

author: Gary Kramlich <grim@reaperworld.com>
date: Fri, 30 Aug 2024 19:33:36 -0500
changeset: 543:4ab2b8637540
parent: 401:50d9e50b8b86
permissions: -rw-r--r--

Update the plugins page for the new process

This includes defining the process and providing a template for a new issue to
add new plugins. I did go through and audit `No IRC /WHO` so we had at least
one validated entry.

Testing Done:
Ran `npm run hugo:server` locally and verified the page worked and checked the new links.

Bugs closed: NEST-53

Reviewed at https://reviews.imfreedom.org/r/3450/

---
title: cve-2014-3694-00
date: 2014-10-22T00:00:00.000Z
cveNumber: cve-2014-3694
summary: Insufficient SSL certificate validation
discoveredBy: |
  An anonymous person and Jacob Appelbaum of the Tor Project, with thanks to
  Moxie Marlinspike for first publishing about this type of vulnerability
fixedInRelease: 2.10.10
type: security
layout: cve
hidden: true
---

### Description

Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one for NSS)
failed to check that each intermediate certificate's Basic Constraints
extension allowed it to act as a CA. This allowed anyone holding any valid
certificate to sign a forged certificate for an arbitrary domain, and Pidgin
would trust it.

### Mitigation

Both bundled plugins were changed to check the Basic Constraints extension on
all intermediate CA certificates.
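The following is an added example, not code from libpurple or its GnuTLS/NSS plugins: a simplified model of X.509 path validation showing the chain that the missing check let through and the check that the fix adds. Certificates are plain records and signature verification is modelled as an issuer/subject name match (an assumption made to keep the example self-contained); the `check_basic_constraints=False` path reproduces the pre-2.10.10 behaviour.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ca: bool                       # Basic Constraints cA flag
    pathlen: Optional[int] = None  # Basic Constraints pathLenConstraint


def verify_chain(chain: List[Cert], anchors: Dict[str, Cert],
                 check_basic_constraints: bool = True) -> Tuple[bool, str]:
    """Walk from chain[0] (the end-entity cert) up to a trust anchor.

    Signature checks are modelled by requiring each certificate's issuer name
    to match the next certificate's subject (assumption standing in for the
    real cryptographic check). check_basic_constraints=False mirrors the
    vulnerable plugins: any certificate in the chain may act as an issuer.
    """
    if not chain:
        return False, "empty chain"
    for idx, cert in enumerate(chain):
        if idx + 1 < len(chain):
            issuer = chain[idx + 1]
        elif cert.issuer in anchors:
            issuer = anchors[cert.issuer]
        else:
            return False, f"{cert.issuer} is not a trusted anchor"
        if cert.issuer != issuer.subject:
            return False, f"{cert.subject} was not issued by {issuer.subject}"
        if not check_basic_constraints:
            continue
        if not issuer.ca:
            return False, f"{issuer.subject} is not a CA (cA flag missing)"
        # chain[1:idx+1] are the intermediates below this issuer: idx of them
        if issuer.pathlen is not None and idx > issuer.pathlen:
            return False, f"{issuer.subject} pathLenConstraint exceeded"
    return True, "ok"


# Constructed sample chains (not real certificates).
ROOT = Cert("Root CA", "Root CA", ca=True)
LEGIT = Cert("legit.example", "Root CA", ca=False)          # ordinary server cert
FORGED = Cert("victim.example", "legit.example", ca=False)  # signed with legit.example's key
INTER = Cert("Intermediate CA", "Root CA", ca=True, pathlen=0)
SERVER = Cert("server.example", "Intermediate CA", ca=False)
ANCHORS = {ROOT.subject: ROOT}
```

With the check disabled, `verify_chain([FORGED, LEGIT], ANCHORS, check_basic_constraints=False)` accepts a certificate for `victim.example` issued by an ordinary server certificate; with the check enabled it is rejected because `legit.example` is not a CA.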
