Debian Security Advisory DSA 3055-1 (pidgin - security update)

Summary
Multiple vulnerabilities have been discovered in Pidgin, a multi-protocol instant messaging client: CVE-2014-3694 It was discovered that the SSL/TLS plugins failed to validate the basic constraints extension in intermediate CA certificates. CVE-2014-3695 Yves Younan and Richard Johnson discovered that emotictons with overly large length values could crash Pidgin. CVE-2014-3696 Yves Younan and Richard Johnson discovered that malformed Groupwise messages could crash Pidgin. CVE-2014-3698 Thijs Alkemade and Paul Aurich discovered that malformed XMPP messages could result in memory disclosure.
Solution
For the stable distribution (wheezy), these problems have been fixed in version 2.10.10-1~deb7u1. For the unstable distribution (sid), these problems have been fixed in version 2.10.10-1. We recommend that you upgrade your pidgin packages.
Insight
Pidgin is a graphical, modular instant messaging client capable of using multiple networks at once. Currently supported are: AIM/ICQ, Yahoo!, MSN, IRC, Jabber/XMPP/Google Talk, Napster, Zephyr, Gadu-Gadu, Bonjour, Groupwise, Sametime, SIMPLE, MySpaceIM, and MXit.
Affected
pidgin on Debian Linux
Detection
This check tests the installed software version using the apt package manager.
References