pidgin/nest

Update the changelog for the 2.14.7 release
default tip
6 days ago, Gary Kramlich
d040bee36d7c
Update the changelog for the 2.14.7 release

Testing Done:
None

Reviewed at https://reviews.imfreedom.org/r/928/
---
title: cve-2014-3694-00
date: 2014-10-22T00:00:00.000Z
cveNumber: cve-2014-3694
summary: Insufficient SSL certificate validation
discoveredBy: |
An anonymous person and Jacob Appelbaum of the Tor Project, with thanks to
Moxie Marlinspike for first publishing about this type of vulnerability
fixedInRelease: 2.10.10
type: security
layout: cve
hidden: true
---
### Description
Both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one for NSS)
failed to check that the Basic Constraints extension allowed intermediate
certificates to act as CAs. This allowed anyone with any valid certificate to
create a fake certificate for any arbitrary domain and Pidgin would trust it.
### Mitigation
Both bundled plugins were changed to check the Basic Constraints extension on
all intermediate CA certificates.