Package: xchat
Tags: security

From http://www.openwall.com/lists/oss-security/2015/01/29/23 :

> XChat did not verify that the server hostname matched the domain name in 
> the subject's Common Name (CN) or subjectAltName field in X.509 
> certificates. This could allow a man-in-the-middle attacker to spoof an 
> SSL server if they had a certificate that was valid for any domain name.
> 
> The same code is used in hexchat.
> 
> This was initially reported to hexchat in 2013 [2] and fixed last 
> November [3].
>
> [2] https://github.com/hexchat/hexchat/issues/524
> [3] https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d

Unfortunately I don't have a Debian system with a GUI available, but
- there was no upgrade of the package in the last two years,
- I didn't find anything about it in its changelog, and
- I think you would have made some noise about it rather than just
  fixing it silently.
So I think it is very probable that it is not fixed yet in Debian, and I
am reporting it rather than letting it be forgotten.


How to verify:

run
  openssl s_server -accept 6667 -cert somevalid.crt -key somevalid.key

where somevalid.crt is a certificate issued by a CA that XChat trusts
(otherwise the first connection already fails on the chain check and
tells you nothing about hostname verification).

Add a server to XChat, select "Use SSL for all servers on this network",
and DO NOT select "accept invalid SSL certificate". First use the
hostname from the certificate as the server name, to verify that the
connection works in principle. Then configure the server entry to use
another hostname, one that is not contained in the certificate (neither
as CN nor as subjectAltName) but resolves to the same IP, for example via
an /etc/hosts entry. XChat should refuse to connect in the second case;
if it connects anyway, the hostname check is missing.
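For reference, the check that the advisory says XChat lacked is shown below as an added example; it is not XChat's or HexChat's code and not the commit linked above. It works on the dict shape that Python's ssl.SSLSocket.getpeercert() returns, so the sample certificates in it are constructed in that shape, and xchat_style_context() / fixed_context() / would_accept() are hypothetical names for the two client behaviours the advisory contrasts (chain verified but name unchecked, versus chain verified and name matched against SAN/CN).

```python
"""Hostname verification of the kind the advisory says XChat omitted.

Added example, not XChat's or HexChat's code. It works on the dict shape
that Python's ssl.SSLSocket.getpeercert() returns; the sample certs
below are constructed in that shape, and xchat_style_context(),
fixed_context() and would_accept() are hypothetical names.
"""
import ipaddress
import ssl


def _match_dns(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, trailing dot ignored,
    '*' allowed only as the entire leftmost label, never matching a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Reject '*', 'ir*.example.net', '*.net' and label-count mismatches.
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True iff hostname is covered by the certificate.

    dNSName / iPAddress subjectAltName entries are authoritative; the
    subject CN is consulted only when the cert carries no dNSName SAN.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # An IP literal must appear as an iPAddress SAN; the CN is never used.
        return any(ipaddress.ip_address(v) == wanted_ip for v in ip_names)
    if dns_names:
        return any(_match_dns(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _match_dns(value, hostname)
    return False


def xchat_style_context() -> ssl.SSLContext:
    """The behaviour the advisory describes: chain verified, name not.
    Any certificate valid for *some* name is accepted for *this* server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def fixed_context() -> ssl.SSLContext:
    """Chain verified and server_hostname matched against SAN/CN."""
    return ssl.create_default_context()  # check_hostname=True by default


def would_accept(ctx: ssl.SSLContext, cert: dict, hostname: str) -> bool:
    """Model of the decision each context makes once the chain verifies."""
    if not ctx.check_hostname:
        return True
    return hostname_matches_cert(cert, hostname)


# Constructed peer certificates in getpeercert() shape (not real certs).
CERT_WITH_SAN = {
    "subject": ((("commonName", "irc.example.net"),),),
    "subjectAltName": (("DNS", "irc.example.net"), ("DNS", "*.example.net")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "irc.example.org"),),)}
CERT_IP_SAN = {"subjectAltName": (("IP Address", "203.0.113.5"),)}

if __name__ == "__main__":
    # The MITM case from the advisory: the attacker holds a valid cert for
    # irc.example.net and answers on the IP the victim resolves for another name.
    for name in ("irc.example.net", "chat.example.net", "a.b.example.net",
                 "irc.victim-network.example"):
        print(f"{name:28} xchat-style={would_accept(xchat_style_context(), CERT_WITH_SAN, name)!s:5} "
              f"fixed={would_accept(fixed_context(), CERT_WITH_SAN, name)}")
```

Against a real socket the same effect is obtained by wrapping with `fixed_context().wrap_socket(sock, server_hostname=name)`, which raises ssl.CertificateError on a mismatch; the xchat-style context wraps the same socket without complaint for any name the certificate was not issued for.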



From https://bugzilla.redhat.com/show_bug.cgi?id=1081839 :
> Also, upstream XChat is no longer in active development.

This leads me to suggest removing XChat from the Debian archives, in
particular because with HexChat there is a compatible alternative
available [1] (even though they don't deserve too much trust either,
having needed 1.5 years to fix that...).
But I don't know what your rules for things like that are, so...

Marian

[1]
http://hexchat.readthedocs.org/en/latest/faq.html#how-do-i-migrate-my-settings-from-xchat

