Pidgin is vulnerable to information disclosure. It was discovered that, when connecting to certain very old Jabber servers via XMPP, Pidgin may ignore the "Require SSL/TLS" setting. In these situations, a non-encrypted connection is established rather than the connection failing, so the user believes they are using an encrypted connection when they are not, leading to sensitive information disclosure (session sniffing).
bugs.debian.org/cgi-bin/bugreport.cgi?bug=542891
developer.pidgin.im/ticket/8131
developer.pidgin.im/viewmtn/revision/diff/312e056d702d29379ea61aea9d27765f127bc888/with/55897c4ce0787edc1e7721b7f4a9b5cbc8357279
secunia.com/advisories/37071
www.openwall.com/lists/oss-security/2009/08/24/2
www.redhat.com/security/updates/classification/#moderate
www.securityfocus.com/bid/36368
xmpp.org/rfcs/rfc3920.html#stanzas-semantics-iq
access.redhat.com/errata/RHSA-2009:1453
exchange.xforce.ibmcloud.com/vulnerabilities/53000
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11070
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5757