Source: xchat-gnome Version: 1:0.30.0~git20110821.e2a400-0.2 Severity: important Tags: security upstream
Hi, the following vulnerability was published for xchat-gnome. CVE-2013-7449[0]: | The ssl_do_connect function in common/server.c in HexChat before | 2.10.2, XChat, and XChat-GNOME does not verify that the server | hostname matches a domain name in the X.509 certificate, which allows | man-in-the-middle attackers to spoof SSL servers via an arbitrary | valid certificate. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2013-7449 [1] http://www.ubuntu.com/usn/usn-2945-1/ It looks like ubuntu is shipping a patch for this issue as well for xchat-gnome. Question: is xchat-gnome still be actively developed upstream, or would it maybe a candidate for removal (or at least not included in stretch?). Regards, Salvatore _______________________________________________ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
