CVE-2022-26491: 
NixOS vulnerability analysis and mitigation

A critical security vulnerability (CVE-2022-26491) was discovered in Pidgin versions before 2.14.9. The vulnerability allows a remote attacker who can spoof DNS responses to redirect a client connection to a malicious server. When exploited, the client performs TLS certificate verification of the malicious domain name instead of the original XMPP service domain, enabling the attacker to take control over the XMPP connection and obtain user credentials and communication content. This vulnerability was disclosed and patched in April 2022 (Pidgin Advisory, Debian LTS).

The vulnerability stems from the implementation of the _xmppconnect DNS TXT record support in Pidgin's XMPP protocol handler. The issue was particularly dangerous when used without DNSSEC, as it made it trivial to perform man-in-the-middle attacks via DNS spoofing. The vulnerability received a CVSS v3.1 Base Score of 5.9 (Medium) with vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability's impact is severe as it allows attackers to intercept and take control of XMPP connections. This could lead to the compromise of user credentials and expose all communication content between the client and server. The attack vector is particularly concerning as it can be executed remotely without user interaction (Pidgin Advisory).

The vulnerability was addressed in Pidgin version 2.14.9 by completely removing the code that supported the _xmppconnect DNS TXT record. Users are strongly advised to upgrade to this version or later. For Debian 9 (stretch) users, the fix was backported to version 2.12.0-1+deb9u1 (Debian LTS).