diff -Nru pidgin-2.6.6/debian/changelog pidgin-2.6.6/debian/changelog
--- pidgin-2.6.6/debian/changelog 2010-11-03 13:53:01.000000000 +0100
+++ pidgin-2.6.6/debian/changelog 2010-11-24 18:58:30.000000000 +0100
@@ -1,3 +1,10 @@
+pidgin (1:2.6.6-1ubuntu4.2) lucid-proposed; urgency=low
+
+ * debian/patches/workaround-msn-ssl-failure.patch: Workaround SSL
+ connectivity issues with MSN (LP: #676972)
+
+ -- Roel Huybrechts Wed, 24 Nov 2010 18:58:18 +0100
+
 pidgin (1:2.6.6-1ubuntu4.1) lucid-security; urgency=low
 
 * SECURITY UPDATE: denial of service via custom emoticon
diff -Nru pidgin-2.6.6/debian/patches/workaround-msn-ssl-failure.patch pidgin-2.6.6/debian/patches/workaround-msn-ssl-failure.patch
--- pidgin-2.6.6/debian/patches/workaround-msn-ssl-failure.patch 1970-01-01 01:00:00.000000000 +0100
+++ pidgin-2.6.6/debian/patches/workaround-msn-ssl-failure.patch 2010-11-24 18:57:13.000000000 +0100
@@ -0,0 +1,278 @@
+diff -Nur -x '*.orig' -x '*~' pidgin-2.6.6/libpurple/certificate.c pidgin-2.6.6.new/libpurple/certificate.c
+--- pidgin-2.6.6/libpurple/certificate.c 2010-02-16 10:34:06.000000000 +0100
++++ pidgin-2.6.6.new/libpurple/certificate.c 2010-11-24 18:57:07.824010212 +0100
+@@ -925,6 +925,22 @@
+ return NULL;
+ }
+
++static GSList *
++x509_ca_locate_certs(GList *lst, const gchar *dn)
++{
++ GList *cur;
++ GSList *crts = NULL;
++
++ for (cur = lst; cur; cur = cur->next) {
++ x509_ca_element *el = cur->data;
++ if (purple_strequal(dn, el->dn)) {
++ crts = g_slist_prepend(crts, el);
++ }
++ }
++ return crts;
++}
++
++
+ static gboolean
+ x509_ca_cert_in_pool(const gchar *id)
+ {
+@@ -963,6 +979,31 @@
+ return crt;
+ }
+
++static GSList *
++x509_ca_get_certs(const gchar *id)
++{
++ GSList *crts = NULL, *els = NULL;
++
++ g_return_val_if_fail(x509_ca_lazy_init(), NULL);
++ g_return_val_if_fail(id, NULL);
++
++ /* Search the memory-cached pool */
++ els = x509_ca_locate_certs(x509_ca_certs, id);
++
++ if (els != NULL) {
++ GSList *cur;
++ /* Make a copy of the memcached ones for the function caller
++ to play with */
++ for (cur = els; cur; cur = cur->next) {
++ x509_ca_element *el = cur->data;
++ crts = g_slist_prepend(crts, purple_certificate_copy(el->crt));
++ }
++ g_slist_free(els);
++ }
++
++ return crts;
++}
++
+ static gboolean
+ x509_ca_put_cert(const gchar *id, PurpleCertificate *crt)
+ {
+@@ -1535,7 +1576,9 @@
+ PurpleCertificate *ca_crt, *end_crt;
+ PurpleCertificate *failing_crt;
+ GList *chain = vrq->cert_chain;
++ GSList *ca_crts, *cur;
+ GByteArray *last_fpr, *ca_fpr;
++ gboolean valid = FALSE;
+ gchar *ca_id;
+
+ peer_crt = (PurpleCertificate *) chain->data;
+@@ -1623,8 +1666,8 @@
+ purple_debug_info("certificate/x509/tls_cached",
+ "Checking for a CA with DN=%s\n",
+ ca_id);
+- ca_crt = purple_certificate_pool_retrieve(ca, ca_id);
+- if ( NULL == ca_crt ) {
++ ca_crts = x509_ca_get_certs(ca_id);
++ if ( NULL == ca_crts ) {
+ flags |=
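Review bot: x509_ca_locate_certs() has no comment saying who owns what it returns, and the list it builds holds the x509_ca_element pointers taken straight from `lst` rather than copies. A caller that frees those elements would be releasing memory the source list still references. I would add above the function `/* Returns a new GSList of borrowed x509_ca_element pointers whose dn equals dn; release it with g_slist_free() only, never free the elements. */`.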
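Review bot: In x509_ca_get_certs() the line `g_return_val_if_fail(x509_ca_lazy_init(), NULL);` places the pool initialisation inside a GLib check macro, which expands to nothing when the file is compiled with G_DISABLE_CHECKS defined, so the initialisation would be skipped on such builds; `if (!x509_ca_lazy_init()) return NULL;` keeps it unconditional. The function also needs an ownership comment: the caller receives copies and has to call purple_certificate_destroy() on every entry and g_slist_free() on the list, which is what the @@ -1654 hunk does. If purple_certificate_copy() can return NULL (not visible here), that NULL is prepended and later handed to the fingerprint and signature checks, so skipping NULL copies in the loop would be worth adding.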
PURPLE_CERTIFICATE_CA_UNKNOWN;
+
+ purple_debug_warning("certificate/x509/tls_cached",
+@@ -1654,23 +1697,32 @@
+ * the list, so here we are.
+ */
+ last_fpr = purple_certificate_get_fingerprint_sha1(end_crt);
+- ca_fpr = purple_certificate_get_fingerprint_sha1(ca_crt);
++ for (cur = ca_crts; cur; cur = cur->next) {
++ ca_crt = cur->data;
++ ca_fpr = purple_certificate_get_fingerprint_sha1(ca_crt);
++
++ if ( byte_arrays_equal(last_fpr, ca_fpr) ||
++ purple_certificate_signed_by(end_crt, ca_crt) )
++ {
++ /* TODO: If signed_by ever returns a reason, maybe mention
++ that, too. */
++ /* TODO: Also mention the CA involved. While I could do this
++ now, a full DN is a little much with which to assault the
++ user's poor, leaky eyes. */
++ valid = TRUE;
++ g_byte_array_free(ca_fpr, TRUE);
++ break;
++ }
+
+- if ( !byte_arrays_equal(last_fpr, ca_fpr) &&
+- !purple_certificate_signed_by(end_crt, ca_crt) )
+- {
+- /* TODO: If signed_by ever returns a reason, maybe mention
+- that, too. */
+- /* TODO: Also mention the CA involved. While I could do this
+- now, a full DN is a little much with which to assault the
+- user's poor, leaky eyes. */
+- flags |= PURPLE_CERTIFICATE_INVALID_CHAIN;
++ g_byte_array_free(ca_fpr, TRUE);
+ }
+
+- g_byte_array_free(ca_fpr, TRUE);
+- g_byte_array_free(last_fpr, TRUE);
++ if (valid == FALSE)
++ flags |= PURPLE_CERTIFICATE_INVALID_CHAIN;
+
+- purple_certificate_destroy(ca_crt);
++ g_slist_foreach(ca_crts, (GFunc)purple_certificate_destroy, NULL);
++ g_slist_free(ca_crts);
++ g_byte_array_free(last_fpr, TRUE);
+
+ x509_tls_cached_check_subject_name(vrq, flags);
+ }
+diff -Nur -x '*.orig' -x '*~' pidgin-2.6.6/libpurple/plugins/ssl/ssl-gnutls.c pidgin-2.6.6.new/libpurple/plugins/ssl/ssl-gnutls.c
+--- pidgin-2.6.6/libpurple/plugins/ssl/ssl-gnutls.c 2010-02-16 10:34:06.000000000 +0100
++++ pidgin-2.6.6.new/libpurple/plugins/ssl/ssl-gnutls.c 2010-11-24 18:56:47.988011392 +0100
+@@ -393,11 +393,18 @@
+ /* Forward declarations are fun!
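Review bot: Nothing in the new loop over ca_crts checks the validity period of a candidate CA certificate; a pool entry is accepted as the anchor as soon as `byte_arrays_equal(last_fpr, ca_fpr)` or `purple_certificate_signed_by(end_crt, ca_crt)` holds. Since the pool is now expected to hold several certificates under one DN (presumably the older and the 2010 Microsoft intermediates), a superseded or expired entry remains an accepted anchor unless that is checked somewhere outside the hunk. At minimum I would state it above the loop, `/* Several pool entries may share this DN; the first that equals or signed end_crt anchors the chain. Candidate validity dates are not checked here. */`, and log at debug level which candidate matched. The enclosing function starts and ends outside the hunk.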
*/
+ static PurpleCertificate *
+ x509_import_from_datum(const gnutls_datum dt, gnutls_x509_crt_fmt mode);
++/* indeed! */
++static gboolean
++x509_certificate_signed_by(PurpleCertificate * crt,
++ PurpleCertificate * issuer);
++static void
++x509_destroy_certificate(PurpleCertificate * crt);
+
+ static GList *
+ ssl_gnutls_get_peer_certificates(PurpleSslConnection * gsc)
+ {
+ PurpleSslGnutlsData *gnutls_data = PURPLE_SSL_GNUTLS_DATA(gsc);
++ PurpleCertificate *prvcrt = NULL;
+
+ /* List of Certificate instances to return */
+ GList * peer_certs = NULL;
+@@ -423,7 +430,17 @@
+ /* Append is somewhat inefficient on linked lists, but is easy
+ to read. If someone complains, I'll change it.
+ TODO: Is anyone complaining? (Maybe elb?) */
+- peer_certs = g_list_append(peer_certs, newcrt);
++ /* only append if previous cert was actually signed by this one.
++ * Thanks Microsoft. */
++ if ((prvcrt == NULL) || x509_certificate_signed_by(prvcrt, newcrt)) {
++ peer_certs = g_list_append(peer_certs, newcrt);
++ prvcrt = newcrt;
++ } else {
++ x509_destroy_certificate(newcrt);
++ purple_debug_error("gnutls", "Dropping further peer certificates "
++ "because the chain is broken!\n");
++ break;
++ }
+ }
+
+ /* cert_list doesn't need free()-ing */
+diff -Nur -x '*.orig' -x '*~' pidgin-2.6.6/pidgin/win32/nsis/pidgin-installer.nsi pidgin-2.6.6.new/pidgin/win32/nsis/pidgin-installer.nsi
+--- pidgin-2.6.6/pidgin/win32/nsis/pidgin-installer.nsi 2010-02-16 10:34:06.000000000 +0100
++++ pidgin-2.6.6.new/pidgin/win32/nsis/pidgin-installer.nsi 2010-11-24 18:55:12.144011584 +0100
+@@ -724,7 +724,9 @@
+ Delete "$INSTDIR\ca-certs\Equifax_Secure_Global_eBusiness_CA-1.pem"
+ Delete "$INSTDIR\ca-certs\GTE_CyberTrust_Global_Root.pem"
+ Delete "$INSTDIR\ca-certs\Microsoft_Internet_Authority.pem"
++ Delete "$INSTDIR\ca-certs\Microsoft_Internet_Authority_2010.pem"
+ Delete "$INSTDIR\ca-certs\Microsoft_Secure_Server_Authority.pem"
++ Delete
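Review bot: The caller of ssl_gnutls_get_peer_certificates() gets no indication that certificates were dropped: when `x509_certificate_signed_by(prvcrt, newcrt)` fails in the @@ -423 hunk, the list is cut short and returned as if the peer had sent it, with only a debug message. The comment should state the consequence for verification rather than the cause, for example `/* A peer may send certificates that do not chain. Keep only the verified prefix; the verifier then needs the issuer of its last certificate in the CA pool. */`. newcrt is created above the hunk; if that import can yield NULL, the first-iteration path appends it and leaves prvcrt NULL, so the following certificate would be appended without a signature check, and `if (newcrt == NULL) break;` ahead of the test would close that. The loop itself starts outside the hunk.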
"$INSTDIR\ca-certs\Microsoft_Secure_Server_Authority_2010.pem"
+ Delete "$INSTDIR\ca-certs\StartCom_Certification_Authority.pem"
+ Delete "$INSTDIR\ca-certs\StartCom_Free_SSL_CA.pem"
+ Delete "$INSTDIR\ca-certs\Thawte_Premium_Server_CA.pem"
+diff -Nur -x '*.orig' -x '*~' pidgin-2.6.6/share/ca-certs/Makefile.am pidgin-2.6.6.new/share/ca-certs/Makefile.am
+--- pidgin-2.6.6/share/ca-certs/Makefile.am 2010-02-16 10:34:07.000000000 +0100
++++ pidgin-2.6.6.new/share/ca-certs/Makefile.am 2010-11-24 18:55:40.120008577 +0100
+@@ -17,7 +17,9 @@
+ EXTRA_CERTS = \
+ AOL_Member_CA.pem \
+ Microsoft_Internet_Authority.pem \
++ Microsoft_Internet_Authority_2010.pem \
+ Microsoft_Secure_Server_Authority.pem \
++ Microsoft_Secure_Server_Authority_2010.pem \
+ VeriSign_Class3_Extended_Validation_CA.pem \
+ VeriSign_International_Server_Class_3_CA.pem
+
+diff -Nur -x '*.orig' -x '*~' pidgin-2.6.6/share/ca-certs/Makefile.in pidgin-2.6.6.new/share/ca-certs/Makefile.in
+--- pidgin-2.6.6/share/ca-certs/Makefile.in 2010-02-16 10:34:32.000000000 +0100
++++ pidgin-2.6.6.new/share/ca-certs/Makefile.in 2010-11-24 18:56:21.566661423 +0100
+@@ -420,7 +420,9 @@
+ EXTRA_CERTS = \
+ AOL_Member_CA.pem \
+ Microsoft_Internet_Authority.pem \
++ Microsoft_Internet_Authority_2010.pem \
+ Microsoft_Secure_Server_Authority.pem \
++ Microsoft_Secure_Server_Authority_2010.pem \
+ VeriSign_Class3_Extended_Validation_CA.pem \
+ VeriSign_International_Server_Class_3_CA.pem
+
+diff -Nur -x '*.orig' -x '*~' pidgin-2.6.6/share/ca-certs/Microsoft_Internet_Authority_2010.pem pidgin-2.6.6.new/share/ca-certs/Microsoft_Internet_Authority_2010.pem
+--- pidgin-2.6.6/share/ca-certs/Microsoft_Internet_Authority_2010.pem 1970-01-01 01:00:00.000000000 +0100
++++ pidgin-2.6.6.new/share/ca-certs/Microsoft_Internet_Authority_2010.pem 2010-11-24 18:54:39.404012138 +0100
+@@ -0,0 +1,30 @@
++-----BEGIN CERTIFICATE-----
++MIIFEjCCBHugAwIBAgIEBydiAjANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV
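Review bot: Neither the changelog entry nor the patch header records where the two certificates added to EXTRA_CERTS in Makefile.am came from or what their fingerprints are. Going by the certificate.c hunks, entries in this pool are what the chain check accepts as anchors, so a reviewer needs something independent to compare the PEM bodies against. I would add one line per file to the patch description, such as `Microsoft_Internet_Authority_2010.pem: SHA-1 <FINGERPRINT>, source <URL>`, with the real values filled in by the uploader. The same two names are repeated in the generated Makefile.in and in the NSIS Delete list, which need no separate change.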
++UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU ++cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds ++b2JhbCBSb290MB4XDTEwMDQxNDE4MTIyNloXDTE4MDQxNDE4MTIxNFowJzElMCMG ++A1UEAxMcTWljcm9zb2Z0IEludGVybmV0IEF1dGhvcml0eTCCAiIwDQYJKoZIhvcN ++AQEBBQADggIPADCCAgoCggIBAL30zSelStiQGduyCntgpE6PDpijnHxQduuzSoyf ++GLDnmsUrgoYJKKwREjIm9Rnq8LhnaMUG/fQZrtkToNCBJwimeZwE9UgyLjYfq2sm ++7KFDtJ2AsEkD6oJJXwUTxaCDX+Eq9AQZS37I2oi8tV0DvHhWoel/xWrvtv8dAVm3 ++H1NaX8b4kW3FfUOTGHRF7RW6snzIOjQUHqpj9+XUS8gjK4dplROZCRTvegEgTrfG ++SEGuyYcBKdnChzh/tkKk8LLOLf20TFfwqNbLTvpfXf25+wncFoVk5XGc1fEzlzhn ++Lpu8FzYFfhA2f37rmFpbHK2l5wkQfflKL7OPNxXWb7lbN9y3n3+OZn8jXO0Sf4wH ++8P4Z+bg0Q3uy6oX7jKmq3/2RDSz1+6+XifEGiq9J9jwuI/ZEFiWREeIjw8qFVUkq ++yCGvfREmhrAoRbqH7jYTgdVLRxqO2wnx0ZcpUBQymQnj8sDnU49r9PoTXDyN7lSZ ++DydHTjwS848SF0bwiWpFs7U8DHdFBC+9vrWemDwFO7tBOYQgvHkE1kLNPonp53o3 ++SRC0zJ8kXCOmSG7749TuISmT5P2AGhs6bMH369nUTb7xEfaijkIkoU9ptdJoFInZ ++n5DYH54b5m1kJSm2NEOkW/UN63QGfp/xY9xFp3w6mlxrc9jDWASOiG8T0ObQ383E ++Cg4HAgMBAAGjggF3MIIBczASBgNVHRMBAf8ECDAGAQH/AgEBMFsGA1UdIARUMFIw ++SAYJKwYBBAGxPgEAMDswOQYIKwYBBQUHAgEWLWh0dHA6Ly9jeWJlcnRydXN0Lm9t ++bmlyb290LmNvbS9yZXBvc2l0b3J5LmNmbTAGBgRVHSAAMA4GA1UdDwEB/wQEAwIB ++hjCBiQYDVR0jBIGBMH+heaR3MHUxCzAJBgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUg ++Q29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNvbHV0aW9ucywg ++SW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJvb3SCAgGlMEUG ++A1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93d3cucHVibGljLXRydXN0LmNvbS9jZ2kt ++YmluL0NSTC8yMDE4L2NkcC5jcmwwHQYDVR0OBBYEFDMh8Mv+oqBEkt72OzPYXwFL ++l3hdMA0GCSqGSIb3DQEBBQUAA4GBACtI85T7RMWTatZN/rQTThImF8qyWqsJuVak ++b39XnmSy9eTTNe9jZcvlLBWc7874KsWSZCtJPjw2bL0Ym2Rnlz/taNAWwRM88lGg ++V94kzjWraZBOKww6+bTxgPptAHmmOpaZTjpuVNCjWW6LHZVJu5XYdbjhEjOsXCe7 ++y1Vx1frt ++-----END CERTIFICATE----- +diff -Nur -x '*.orig' -x '*~' pidgin-2.6.6/share/ca-certs/Microsoft_Secure_Server_Authority_2010.pem pidgin-2.6.6.new/share/ca-certs/Microsoft_Secure_Server_Authority_2010.pem +--- 
pidgin-2.6.6/share/ca-certs/Microsoft_Secure_Server_Authority_2010.pem 1970-01-01 01:00:00.000000000 +0100 ++++ pidgin-2.6.6.new/share/ca-certs/Microsoft_Secure_Server_Authority_2010.pem 2010-11-24 18:54:39.404012138 +0100 +@@ -0,0 +1,35 @@ ++-----BEGIN CERTIFICATE----- ++MIIGEzCCA/ugAwIBAgIKYQMzNgAFAAAAMDANBgkqhkiG9w0BAQUFADAnMSUwIwYD ++VQQDExxNaWNyb3NvZnQgSW50ZXJuZXQgQXV0aG9yaXR5MB4XDTEwMDUxOTIyMTMz ++MFoXDTE0MDUxOTIyMjMzMFowgYsxEzARBgoJkiaJk/IsZAEZFgNjb20xGTAXBgoJ ++kiaJk/IsZAEZFgltaWNyb3NvZnQxFDASBgoJkiaJk/IsZAEZFgRjb3JwMRcwFQYK ++CZImiZPyLGQBGRYHcmVkbW9uZDEqMCgGA1UEAxMhTWljcm9zb2Z0IFNlY3VyZSBT ++ZXJ2ZXIgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA ++6p9fkQvNGYJfkeqr9Yso2Iv1HOCRybzNAhBQIrc4ClzPcQxYLYhsqLg8M2P5c508 ++6cN57fL+ycvDbiTiPEJw2F+3W/ebX/Unb3gA65Zdt2/P5EEE8LtDvW9fJg+3jjdB ++E1RnG5AAJzi4GsOWbRwxNTVJxUYe53OkygMReUGBr9OORqLFvgBTBbk4nLdgKbPK ++UpqSxVMntkENQPgvm+eBSRpaaqhPccfobYG+J+/J1saSKxDkNjVACNBNcP1wmyAc ++s7nfdZ0rd9DEzWpx71pYC/lwhYgFiW1mkjCrr4g519QtC5aceCSvAKvPCT4TrmvD ++4OHPYH+LU9wC0POwhhHevQIDAQABo4IB2jCCAdYwEgYDVR0TAQH/BAgwBgEB/wIB ++ADAdBgNVHQ4EFgQUCELj204RZvO1CMVA21V8M0YRgzgwCwYDVR0PBAQDAgGGMBIG ++CSsGAQQBgjcVAQQFAgMIAAgwIwYJKwYBBAGCNxUCBBYEFH6KwpxaMozCcaLZT3Vw ++96kb9pQFMBkGCSsGAQQBgjcUAgQMHgoAUwB1AGIAQwBBMB8GA1UdIwQYMBaAFDMh ++8Mv+oqBEkt72OzPYXwFLl3hdMIGjBgNVHR8EgZswgZgwgZWggZKggY+GNmh0dHA6 ++Ly9tc2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL21zd3d3KDUpLmNy ++bIY0aHR0cDovL2NybC5taWNyb3NvZnQuY29tL3BraS9tc2NvcnAvY3JsL21zd3d3 ++KDUpLmNybIYfaHR0cDovL2NvcnBwa2kvY3JsL21zd3d3KDUpLmNybDB5BggrBgEF ++BQcBAQRtMGswPAYIKwYBBQUHMAKGMGh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9w ++a2kvbXNjb3JwL21zd3d3KDUpLmNydDArBggrBgEFBQcwAoYfaHR0cDovL2NvcnBw ++a2kvYWlhL21zd3d3KDUpLmNydDANBgkqhkiG9w0BAQUFAAOCAgEAj8LRXO8UEXcX ++Ywc8THxo2v6GSuIgzD+wJz3R4qzIi0im5Fn3OgatfVLx9mVhliEirmi+L3reswz1 ++6cXd+GWCXctsPgw3EXQVCXhVvSYSu9aVdNO89XYJKmrfNsSOVtUfIN9/gjDXQ6to ++IotqWsWb0J2NCwxQhX7MWoAHiwNOv71fbFYPBaniVMOl01JcX00L3QX4URIDIW+c 
++bJeYKsHBEby9G67741dfTx8AnuKkUdP3rAk3WKUJIdFy0LLBi9tN3BPRVFhNK8Ct +++lMZNbEVqEJkt+3HH6V5qA041FC/9Fr/L+m/P3045fsgDNRO4C8dRXr7KC8xSG/M ++blxoQvrqyAsBMOwQJkI4I6nDGbjZcBpoLJLLn3PmzP8zI+7bXrV/BVg/UMUcCBj0 ++6y9iqlP3oc3e4+uCHBpna6FMp2hxQNFlO0EYnEnjcfvrTYOT00fmZELLtjUc+zQO ++oSj7jKGnHwEoUeVxlDec3EFbfH7pLCNnlJ1z319AeaONlTDMUxcIvFCG8/wQGYH8 ++9Fpu89yimnV7w6ygUe0ytljfT46RU2rSqhtd5lO4iaOeiaHjKeCzbOsazG9aqsLi ++9h5FKe/WwkOxO60+JvyBl1xI/WJZNJLJ+7mh10IF+xn2fjL7KTTVh2blBB3IPhD6 ++pnj1Hn3eGjp4fNwqcQajLW8FVSOLkO8= ++-----END CERTIFICATE-----