
Jacob Appelbaum

#21459 of 53,638
11.4 CVSS total
Vulnerabilities · 2
Medium · 2
PT-2014-5455
6.4
2014-10-22
Pidgin · Libpurple · CVE-2014-3694
**Name of the Vulnerable Software and Affected Versions**
Pidgin versions prior to 2.10.10

**Description**
The issue arises from the improper consideration of the Basic Constraints extension during the verification of X.509 certificates from SSL servers by the bundled GnuTLS and OpenSSL SSL/TLS plugins in libpurple. This allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

**Recommendations**
For versions prior to 2.10.10, update to version 2.10.10 or later to resolve the issue.
PT-2014-1298
5.0
2014-01-30
Pidgin · Libpurple · CVE-2013-6479
**Name of the Vulnerable Software and Affected Versions**
Pidgin versions prior to 2.10.8

**Description**
The issue concerns a problem in the libpurple component of Pidgin, where an inconsistency in HTTP response headers can be exploited by a remote attacker to cause a denial of service, leading to an application crash. This is achieved by manipulating the HTTP headers, specifically the Content-Length header, allowing remote HTTP servers to craft a response that causes the application to fail.

**Recommendations**
For versions prior to 2.10.8, update to version 2.10.8 or later to resolve the issue.