group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1565000] Re: xchat-gnome doesn't validate ssl hostnames

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1565000@xxxxxxxxxxxxxxxxxx>
Date: Mon, 04 Apr 2016 15:01:57 -0000
Reply-to: Bug 1565000 <1565000@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package hexchat - 2.9.6.1-2ubuntu0.1

---------------
hexchat (2.9.6.1-2ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: no ssl hostname verification (LP: #1565000)
    - debian/patches/validate_ssl_hostnames.patch: properly validate
      hostnames in src/common/server.c, src/common/ssl.c, src/common/ssl.h.
    - CVE number pending
  * SECURITY UPDATE: missing ssl certificate handled incorrectly
    - debian/patches/handle_missing_ssl_cert.patch: fail connection if
      certificate isn't found in src/common/server.c.
    - No CVE number

 -- Marc Deslauriers <marc.deslauriers@xxxxxxxxxx>  Fri, 01 Apr 2016
19:53:41 -0400

** Changed in: hexchat (Ubuntu Trusty)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1565000

Title:
  xchat-gnome doesn't validate ssl hostnames

Status in hexchat package in Ubuntu:
  Fix Released
Status in xchat package in Ubuntu:
  Invalid
Status in xchat-gnome package in Ubuntu:
  Fix Released
Status in hexchat source package in Precise:
  Invalid
Status in xchat source package in Precise:
  Confirmed
Status in xchat-gnome source package in Precise:
  Confirmed
Status in hexchat source package in Trusty:
  Fix Released
Status in xchat source package in Trusty:
  Confirmed
Status in xchat-gnome source package in Trusty:
  Confirmed
Status in hexchat source package in Wily:
  Fix Released
Status in xchat source package in Wily:
  Confirmed
Status in xchat-gnome source package in Wily:
  Confirmed
Status in hexchat source package in Xenial:
  Fix Released
Status in xchat source package in Xenial:
  Invalid
Status in xchat-gnome source package in Xenial:
  Fix Released

Bug description:
  http://www.openwall.com/lists/oss-security/2015/01/29/23

  XChat did not verify that the server hostname matched the domain name in 
  the subject's Common Name (CN) or subjectAltName field in X.509 
  certificates. This could allow a man-in-the-middle attacker to spoof an 
  SSL server if they had a certificate that was valid for any domain name.

  Also applied to hexchat and xchat-gnome.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/hexchat/+bug/1565000/+subscriptions