In Pidgin before 2.10.10, both of libpurple's bundled SSL/TLS plugins (one for GnuTLS and one for NSS) failed to check that the Basic Constraints extension allowed intermediate certificates to act as CAs. This allowed anyone with any valid certificate to create a fake certificate for any arbitrary domain and Pidgin would trust it (CVE-2014-3694).
In Pidgin before 2.10.10, a malicious server or man-in-the-middle could trigger a crash in libpurple by sending an emoticon with an overly large length value (CVE-2014-3695).
In Pidgin before 2.10.10, a malicious server or man-in-the-middle could trigger a crash in libpurple by specifying that a large amount of memory should be allocated in many places in the UI (CVE-2014-3696).
In Pidgin before 2.10.10, a malicious server and possibly even a malicious remote user could create a carefully crafted XMPP message that causes libpurple to send an XMPP message containing arbitrary memory (CVE-2014-3698).
The pidgin package has been updated to version 2.10.10 which fixes these issues and other bugs.