[Secure-testing-team] Bug#829730: xchat-gnome: CVE-2013-7449
Salvatore Bonaccorso
carnil at debian.org
Tue Jul 5 15:53:19 UTC 2016
Source: xchat-gnome
Version: 1:0.30.0~git20110821.e2a400-0.2
Severity: important
Tags: security upstream
Hi,
the following vulnerability was published for xchat-gnome.
CVE-2013-7449[0]:
| The ssl_do_connect function in common/server.c in HexChat before
| 2.10.2, XChat, and XChat-GNOME does not verify that the server
| hostname matches a domain name in the X.509 certificate, which allows
| man-in-the-middle attackers to spoof SSL servers via an arbitrary
| valid certificate.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2013-7449
[1] http://www.ubuntu.com/usn/usn-2945-1/
It looks like ubuntu is shipping a patch for this issue as well for
xchat-gnome.
Question: is xchat-gnome still be actively developed upstream, or
would it maybe a candidate for removal (or at least not included in
stretch?).
Regards,
Salvatore
More information about the Secure-testing-team
mailing list