pidgin-2.10.11-5.el7

Errata ID: AXSA:2017-1913:01

Release date: 
2017/08/28 Monday - 06:08
Title: 
pidgin-2.10.11-5.el7
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
Moderate
Description: 

Pidgin allows you to talk to anyone using a variety of messaging
protocols including AIM, MSN, Yahoo!, Jabber, Bonjour, Gadu-Gadu,
ICQ, IRC, Novell Groupwise, QQ, Lotus Sametime, SILC, Simple and
Zephyr. These protocols are implemented using a modular, easy-to-use
design. To use a protocol, just add an account using the
account editor.

Pidgin supports many common features of other clients, as well as many
unique features, such as Perl scripting, Tcl scripting and C plugins.

Pidgin is not affiliated with or endorsed by America Online, Inc.,
Microsoft Corporation, Yahoo! Inc., or ICQ Inc.

CVE-2014-3694
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL
SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly
consider the Basic Constraints extension during verification of X.509
certificates from SSL servers, which allows man-in-the-middle
attackers to spoof servers and obtain sensitive information via a
crafted certificate.
CVE-2014-3695
markup.c in the MXit protocol plugin in libpurple in Pidgin before
2.10.10 allows remote servers to cause a denial of service
(application crash) via a large length value in an emoticon response.
CVE-2014-3696
nmevent.c in the Novell GroupWise protocol plugin in libpurple in
Pidgin before 2.10.10 allows remote servers to cause a denial of
service (application crash) via a crafted server message that triggers
a large memory allocation.
CVE-2014-3698
The jabber_idn_validate function in jutil.c in the Jabber protocol
plugin in libpurple in Pidgin before 2.10.10 allows remote attackers
to obtain sensitive information from process memory via a crafted XMPP
message.
CVE-2017-2640
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.

Solution: 

Update packages.

Additional information: 

N/A

Download: 

SRPMS
  1. pidgin-2.10.11-5.el7.src.rpm
    MD5: c7b2e0744618b7e3f4912e8ad39d3cf3
    SHA-256: 4b88126b0836adf1e0d49931a09d11126e5d6ce2b54d83964886091d9d855a1d
    Size: 9.08 MB

Asianux Server 7 for x86_64
  1. libpurple-2.10.11-5.el7.x86_64.rpm
    MD5: d2729a55861982a00ea91906073db805
    SHA-256: a639c913a55da62c7da7534b9c673f5fa54db20b981652fd199634399f86764d
    Size: 5.64 MB
  2. libpurple-2.10.11-5.el7.i686.rpm
    MD5: 7f2e149f9657e6d4cadfb3760db0f20a
    SHA-256: 135dd420adcf4481ab827ebed1b32050383900d716e8765a29e43aed9c3895fa
    Size: 5.62 MB