control: reopen -1

On Thu, Jan 29, 2015 at 11:22:42PM +0100, Marian Sigler wrote:
> From http://www.openwall.com/lists/oss-security/2015/01/29/23 :
> 
> > XChat did not verify that the server hostname matched the domain name in 
> > the subject's Common Name (CN) or subjectAltName field in X.509 
> > certificates. This could allow a man-in-the-middle attacker to spoof an 
> > SSL server if they had a certificate that was valid for any domain name.
> > 
> > The same code is used in hexchat.
> > 
> > This was initially reported to hexchat in 2013 [2] and fixed last 
> > November [3].
> >
> > [2] https://github.com/hexchat/hexchat/issues/524
> > [3] 
> > https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d

So, this bug also affects hexchat, where it has already been fixed
upstream and is included in today's 2.12.0 release.


Sadly, a CVE ID has not been provided (yet).
http://www.openwall.com/lists/oss-security/2015/02/22/12

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  http://mapreri.org                              : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
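
The check the quoted report says was missing, as an added example (not
XChat or HexChat code, and not the upstream fix): given a peer certificate
in the layout Python's ssl.getpeercert() returns, match the server hostname
against the dNSName / iPAddress subjectAltName entries and, only when no
dNSName is present, against the subject Common Name. The certificate
dictionaries and hostnames below are constructed for illustration, and the
vulnerable_accept / fixed_accept helpers are hypothetical stand-ins for the
client's accept decision before and after such a fix.

```python
"""Hostname verification against an X.509 subjectAltName / CN.

Added example, not XChat/HexChat code.  Certificates are constructed dicts
in the shape ssl.getpeercert() returns, so hostname_matches() can be applied
directly to a live peer certificate.
"""
import ipaddress


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match of one dNSName pattern against a hostname.

    Comparison is case-insensitive and ignores a trailing dot.  A wildcard
    is honoured only as the entire left-most label, only once, and only in a
    pattern with at least three labels: '*.example.net' covers
    'irc.example.net' but not 'a.b.example.net' or 'example.net', and
    '*.net' is rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def _parse_ip(value: str):
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the certificate's names.

    Literal IP addresses must match an iPAddress SAN.  DNS names match a
    dNSName SAN; the subject CN is consulted only when the certificate has
    no dNSName at all (legacy certificates).
    """
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    ip = _parse_ip(hostname)
    if ip is not None:
        return any(_parse_ip(v) == ip for v in ip_names)

    if dns_names:
        return any(_dns_label_match(p, hostname) for p in dns_names)

    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_label_match(value, hostname)
    return False


def vulnerable_accept(cert: dict, hostname: str, chain_valid: bool) -> bool:
    """Hypothetical pre-fix decision: any certificate that chains to a
    trusted CA is accepted, whatever name it was issued for."""
    return chain_valid


def fixed_accept(cert: dict, hostname: str, chain_valid: bool) -> bool:
    """Hypothetical post-fix decision: chain validity AND name match."""
    return chain_valid and hostname_matches(cert, hostname)


# Constructed peer certificates (not real certificates).
IRC_SERVER_CERT = {
    "subject": ((("commonName", "irc.example.net"),),),
    "subjectAltName": (("DNS", "irc.example.net"), ("DNS", "*.example.net")),
}
# A certificate that is perfectly valid, but for somebody else's domain.
ATTACKER_CERT = {
    "subject": ((("commonName", "attacker.example.org"),),),
    "subjectAltName": (("DNS", "attacker.example.org"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "old.example.net"),),)}
IP_CERT = {"subjectAltName": (("IP Address", "10.0.0.5"),)}

if __name__ == "__main__":
    target = "irc.example.net"
    for label, cert in (("server", IRC_SERVER_CERT), ("attacker", ATTACKER_CERT)):
        print(label, "vulnerable:", vulnerable_accept(cert, target, True),
              "fixed:", fixed_accept(cert, target, True))
```

With a real socket the same function takes `ssl_sock.getpeercert()` as its
first argument; the chain check itself (`chain_valid`) is the part the TLS
library already does, and the point of the report is that it is not enough
on its own.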
