*** This bug is a security vulnerability *** Public security bug reported:
http://www.openwall.com/lists/oss-security/2015/01/29/23 XChat did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. Also applied to hexchat and xchat-gnome. ** Affects: hexchat (Ubuntu) Importance: Undecided Status: New ** Affects: xchat (Ubuntu) Importance: Undecided Status: Invalid ** Affects: xchat-gnome (Ubuntu) Importance: Undecided Status: New ** Affects: hexchat (Ubuntu Precise) Importance: Undecided Status: New ** Affects: xchat (Ubuntu Precise) Importance: Undecided Status: New ** Affects: xchat-gnome (Ubuntu Precise) Importance: Undecided Assignee: Marc Deslauriers (mdeslaur) Status: Confirmed ** Affects: hexchat (Ubuntu Trusty) Importance: Undecided Status: New ** Affects: xchat (Ubuntu Trusty) Importance: Undecided Status: New ** Affects: xchat-gnome (Ubuntu Trusty) Importance: Undecided Status: New ** Affects: hexchat (Ubuntu Wily) Importance: Undecided Status: New ** Affects: xchat (Ubuntu Wily) Importance: Undecided Status: New ** Affects: xchat-gnome (Ubuntu Wily) Importance: Undecided Status: New ** Affects: hexchat (Ubuntu Xenial) Importance: Undecided Status: New ** Affects: xchat (Ubuntu Xenial) Importance: Undecided Status: Invalid ** Affects: xchat-gnome (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: xchat (Ubuntu) Importance: Undecided Status: New ** Also affects: hexchat (Ubuntu) Importance: Undecided Status: New ** Bug watch added: Red Hat Bugzilla #1081839 https://bugzilla.redhat.com/show_bug.cgi?id=1081839 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to xchat-gnome in Ubuntu. https://bugs.launchpad.net/bugs/1565000 Title: xchat-gnome doesn't validate ssl hostnames Status in hexchat package in Ubuntu: New Status in xchat package in Ubuntu: Invalid Status in xchat-gnome package in Ubuntu: New Status in hexchat source package in Precise: New Status in xchat source package in Precise: New Status in xchat-gnome source package in Precise: Confirmed Status in hexchat source package in Trusty: New Status in xchat source package in Trusty: New Status in xchat-gnome source package in Trusty: New Status in hexchat source package in Wily: New Status in xchat source package in Wily: New Status in xchat-gnome source package in Wily: New Status in hexchat source package in Xenial: New Status in xchat source package in Xenial: Invalid Status in xchat-gnome source package in Xenial: New Bug description: http://www.openwall.com/lists/oss-security/2015/01/29/23 XChat did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. Also applied to hexchat and xchat-gnome. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/hexchat/+bug/1565000/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp