CVE-2009-3026

Name of the Vulnerable Software and Affected Versions libpurple versions 2.6.0 through 2.6.2 Pidgin versions 2.6.0 and possibly other versions

Description The issue concerns multiple vulnerabilities in the libpurple package, which can be exploited remotely to disrupt the confidentiality of protected information. Specifically, the protocols/jabber/auth.c file in libpurple does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification. This causes libpurple to connect to the server without the expected encryption, allowing remote attackers to sniff sessions.

Recommendations For libpurple versions 2.6.0 through 2.6.2, consider disabling the vulnerable auth.c function until a patch is available. For Pidgin versions 2.6.0 and possibly other versions, restrict access to the protocols/jabber/auth.c file to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.