[Desktop-packages] [Bug 1565000] Re: xchat-gnome doesn't validate ssl hostnames

Fri, 01 Apr 2016 12:41:30 -0700 

This bug was fixed in the package xchat-gnome -
1:0.30.0~git20141005.816798-0ubuntu9

---------------
xchat-gnome (1:0.30.0~git20141005.816798-0ubuntu9) xenial; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <marc.deslauri...@ubuntu.com>  Fri, 01 Apr 2016
12:39:36 -0400

** Changed in: xchat-gnome (Ubuntu Xenial)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to xchat-gnome in Ubuntu.
https://bugs.launchpad.net/bugs/1565000

Title:
  xchat-gnome doesn't validate ssl hostnames

Status in hexchat package in Ubuntu:
  Fix Released
Status in xchat package in Ubuntu:
  Invalid
Status in xchat-gnome package in Ubuntu:
  Fix Released
Status in hexchat source package in Precise:
  Invalid
Status in xchat source package in Precise:
  Confirmed
Status in xchat-gnome source package in Precise:
  Confirmed
Status in hexchat source package in Trusty:
  Confirmed
Status in xchat source package in Trusty:
  Confirmed
Status in xchat-gnome source package in Trusty:
  Confirmed
Status in hexchat source package in Wily:
  Fix Released
Status in xchat source package in Wily:
  Confirmed
Status in xchat-gnome source package in Wily:
  Confirmed
Status in hexchat source package in Xenial:
  Fix Released
Status in xchat source package in Xenial:
  Invalid
Status in xchat-gnome source package in Xenial:
  Fix Released

Bug description:
  http://www.openwall.com/lists/oss-security/2015/01/29/23

  XChat did not verify that the server hostname matched the domain name in 
  the subject's Common Name (CN) or subjectAltName field in X.509 
  certificates. This could allow a man-in-the-middle attacker to spoof an 
  SSL server if they had a certificate that was valid for any domain name.

  Also applied to hexchat and xchat-gnome.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/hexchat/+bug/1565000/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to