IMFreedom Security

Description

Both of libpurple’s bundled SSL/TLS plugins (one for GnuTLS and one for NSS) failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. As a result, anyone holding any valid certificate could use it to sign a fake certificate for an arbitrary domain, and Pidgin would trust it.

Mitigation

Both bundled plugins were changed to check the Basic Constraints extension on all intermediate CA certificates.
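
The kind of check the mitigation describes, modeled in C as an added example; it is not libpurple's or either plugin's code. The struct cert_info, the function first_bad_issuer and the sample chains are hypothetical, and the pathLenConstraint test goes beyond what the advisory states, following the Basic Constraints rules in RFC 5280.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical summary of what a verifier reads from each certificate. */
struct cert_info {
    const char *subject;
    bool has_basic_constraints; /* extension present at all */
    bool is_ca;                 /* cA flag inside the extension */
    int path_len;               /* pathLenConstraint, -1 if absent */
};

/* chain[0] is the leaf; chain[1..n-1] are intermediates, trust anchor excluded.
 * Returns the index of the first certificate not allowed to issue, else -1. */
int first_bad_issuer(const struct cert_info *chain, size_t n)
{
    for (size_t i = 1; i < n; i++) {
        /* No extension or cA=FALSE: an end-entity cert, cannot sign others. */
        if (!chain[i].has_basic_constraints || !chain[i].is_ca)
            return (int)i;
        /* pathLenConstraint caps the intermediates below this CA (i - 1 here;
         * self-issued certificates are not special-cased here). */
        if (chain[i].path_len >= 0 && (size_t)chain[i].path_len < i - 1)
            return (int)i;
    }
    return -1;
}

/* Constructed sample chains, not real certificates. */
static const struct cert_info forged_chain[] = {
    { "CN=victim.example", false, false, -1 },     /* forged leaf */
    { "CN=other-site.example", true, false, -1 },  /* valid leaf used as issuer */
    { "CN=Example Issuing CA", true, true, 0 },
};
static const struct cert_info good_chain[] = {
    { "CN=chat.example", true, false, -1 },
    { "CN=Example Issuing CA", true, true, 0 },
};
static const struct cert_info too_deep_chain[] = {
    { "CN=chat.example", true, false, -1 },
    { "CN=Example Sub CA", true, true, -1 },
    { "CN=Example Issuing CA", true, true, 0 },    /* allows no sub-CA */
};

int main(void)
{
    printf("forged=%d good=%d too_deep=%d\n", first_bad_issuer(forged_chain, 3),
           first_bad_issuer(good_chain, 2), first_bad_issuer(too_deep_chain, 3));
    return 0;
}
```

A verifier that skips the first test accepts forged_chain, because every signature in it is valid; only the cA flag on the middle certificate marks it as unfit to issue.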