Bug#829730: xchat-gnome: CVE-2013-7449

Michael Biebl biebl at debian.org
Tue Jul 5 20:15:45 UTC 2016


On 05.07.2016 at 17:53, Salvatore Bonaccorso wrote:
> Source: xchat-gnome

> CVE-2013-7449[0]:
> | The ssl_do_connect function in common/server.c in HexChat before
> | 2.10.2, XChat, and XChat-GNOME does not verify that the server
> | hostname matches a domain name in the X.509 certificate, which allows
> | man-in-the-middle attackers to spoof SSL servers via an arbitrary
> | valid certificate.
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 

We have a supported successor/alternative with hexchat, so I'm inclined
to request the removal of the package.
Joss et al, do you see any reason why we should keep the package?

Regards,
Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
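
The check that the CVE description quoted above says ssl_do_connect lacks, matching the requested hostname against the DNS names in the certificate, shown as an added example (not code from HexChat, XChat or this thread). The function names and sample names are constructed for illustration; it assumes the caller has already extracted the dNSName entries and rejected any that contain embedded NUL bytes.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical helper: 1 if certificate name `pattern` covers `host`.
 * RFC 6125 subset: case-insensitive; '*' only as the whole left-most label,
 * standing for exactly one label, with at least two labels after it. */
static int name_matches(const char *pattern, const char *host)
{
    if (pattern[0] != '*')
        return strchr(pattern, '*') == NULL && strcasecmp(pattern, host) == 0;
    if (pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return 0;                      /* "*foo.example.org" or a second '*' */
    const char *suffix = pattern + 1;  /* e.g. ".example.org" */
    const char *inner = strchr(suffix + 1, '.');
    if (inner == NULL || inner[1] == '\0')
        return 0;                      /* "*.org" would cover a whole TLD */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                      /* wildcard needs one non-empty label */
    return strcasecmp(dot, suffix) == 0;
}

/* Hypothetical helper: 1 if any dNSName from the certificate covers the
 * hostname the user asked to connect to. A valid chain alone is not enough. */
int cert_covers_host(const char *const *dns_names, size_t n, const char *host)
{
    if (host == NULL || *host == '\0')
        return 0;
    for (size_t i = 0; i < n; i++)
        if (dns_names[i] != NULL && name_matches(dns_names[i], host))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample: names from a valid certificate for another site. */
    const char *const other[] = { "www.example.net", "*.example.net" };
    /* Constructed sample: names from the certificate of the intended server. */
    const char *const wanted[] = { "irc.example.org" };
    printf("other cert for irc.example.org: %d\n",
           cert_covers_host(other, 2, "irc.example.org"));
    printf("own cert for IRC.Example.Org:   %d\n",
           cert_covers_host(wanted, 1, "IRC.Example.Org"));
    return 0;
}
```

In a client built on OpenSSL 1.0.2 or later, the library's own X509_check_host performs this comparison and is preferable to a hand-written matcher.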
