DEBIAN-CVE-2009-3026

DEBIAN-CVE-2009-3026 PUBLISHED

protocols/jabber/auth.c in libpurple in Pidgin 2.6.0, and possibly other versions, does not follow the "require TLS/SSL" preference when connecting to older Jabber servers that do not follow the XMPP specification, which causes libpurple to connect to the server without the expected encryption and allows remote attackers to sniff sessions.

Affected Products

Vendor	Product	Versions
Debian:12	pidgin	0, 0, 0
Debian	pidgin
Debian:11	pidgin	0, 0, 0
Debian:13	pidgin	0, 0, 0
Debian:14	pidgin	0, 0, 0

Timeline

Aug 31, 2009 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2009-3026 advisory

Open in Interactive Console →