CVE-2009-3026
EPSS 0.53%
Description
protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.
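An added illustration of the missing gate (not libpurple's code): a client that honours its "require TLS/SSL" preference must refuse to continue whenever the server never advertises STARTTLS, including the legacy case where no `<stream:features>` arrives at all. The sample stanzas, the `next_step_*` function names and the modelled 2.6.0 code path are assumptions constructed for this example.

```python
"""Added model of the CVE-2009-3026 decision; not Pidgin/libpurple code.

Assumed model (from the CVE text): a spec-compliant XMPP server answers the
stream opening with <stream:features>, listing <starttls> when it supports
TLS.  Older Jabber servers send no features stanza at all; a client that then
drops straight into legacy authentication never negotiates TLS, so the
"require TLS" preference must be checked before choosing that path.
"""
import xml.etree.ElementTree as ET
from typing import Optional

TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def server_offers_starttls(features_xml: str) -> bool:
    """True if the <stream:features> stanza advertises STARTTLS."""
    root = ET.fromstring(features_xml)
    return root.find(f"{{{TLS_NS}}}starttls") is not None


def next_step_2_6_0(features_xml: Optional[str], require_tls: bool) -> str:
    """Modelled 2.6.0 behaviour: preference consulted only on the modern path."""
    if features_xml is None:
        return "legacy-auth-plaintext"   # bug: require_tls never looked at
    if server_offers_starttls(features_xml):
        return "starttls"
    return "abort" if require_tls else "sasl-plaintext"  # assumed correct here


def next_step_fixed(features_xml: Optional[str], require_tls: bool) -> str:
    """Corrected gate: decide on the preference before picking an auth path."""
    if features_xml is not None and server_offers_starttls(features_xml):
        return "starttls"
    if require_tls:
        return "abort"                   # never continue in cleartext
    return "sasl-plaintext" if features_xml is not None else "legacy-auth-plaintext"


# Constructed sample stanzas (not captured traffic).
MODERN_FEATURES = (
    "<stream:features xmlns:stream='http://etherx.jabber.org/streams'>"
    f"<starttls xmlns='{TLS_NS}'><required/></starttls>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>DIGEST-MD5</mechanism></mechanisms></stream:features>"
)
LEGACY_FEATURES = None   # old Jabber server: no <stream:features> at all

if __name__ == "__main__":
    for name, feats in (("modern", MODERN_FEATURES), ("legacy", LEGACY_FEATURES)):
        print(name, "2.6.0:", next_step_2_6_0(feats, True),
              "fixed:", next_step_fixed(feats, True))
```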
How to fix CVE-2009-3026
To remediate CVE-2009-3026, upgrade the affected package to a fixed version below.
- Debian/pidgin—upgrade to 2.6.1-1 or later
Is CVE-2009-3026 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Debian/pidgin: versions from 0 up to, but not including, 2.6.1-1