| Summary: | <net-irc/weechat-0.3.5: SSL Certificate Validation Security Issue (CVE-2011-1428) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Paweł Hajdan, Jr. (RETIRED) <phajdan.jr> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | alexanderyt, net-irc, scarabeus |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/43543 | | |
| Whiteboard: | B4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Paweł Hajdan, Jr. (RETIRED)
2011-03-17 10:21:31 UTC
Hmpf, I can't find any fix in the GIT repository for now. Could this be the fix? https://savannah.nongnu.org/patch/?7459

This fix has been included in the new version (0.3.5-rc2 at the moment, ready for May 15th).

0.3.5 is out. We should just upgrade to it.

Sure enough, the upstream changelog [1] includes this issue as fixed:

    core: fix verification of SSL certificates by calling gnutls verify callback (patch #7459)

[1] http://weechat.org/files/changelog/ChangeLog-0.3.5.html

This is fixed in version 0.3.5, which is in the main tree. Feel free to stabilise it if you want (just add arches).

Arches, please test and mark stable: =net-irc/weechat-0.3.5
Target keywords: "amd64 ppc x86"

Works on amd64.

ppc stable

x86 stable

Amd64 done. All arches done. Older version dropped. Thanks, everyone.

GLSA Vote: no.

NO too, closing noglsa.

CVE-2011-1428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1428): Wee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL chat server via an arbitrary certificate, related to incorrect use of the GnuTLS API.
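The CVE text above describes the classic "chain is valid, but for whom?" mistake: in GnuTLS, `gnutls_certificate_verify_peers2()` only reports whether the peer's chain verifies against the trusted CAs, and the separate `gnutls_x509_crt_check_hostname()` call is what ties the certificate to the host the client actually dialled. Any CA-issued certificate passes the first check, so a man-in-the-middle holding a valid certificate for some other name is accepted. The following Python block is an added example, not WeeChat or GnuTLS code, that models the two behaviours side by side on constructed certificates (dicts in the shape `ssl.getpeercert()` returns; `verify_peer_weak`, `verify_peer` and the sample certificate contents are all assumptions for illustration). The name matching is a minimal RFC 6125 style matcher: dNSName SAN entries take precedence over the subject CN, and a wildcard is honoured only as the complete leftmost label.

```python
"""Hostname verification of a peer certificate, modelled on what the GnuTLS
verify callback in WeeChat's fix has to do.  Added example, not project code.
Certificates are constructed dicts in the shape ssl.getpeercert() returns."""


def _match_dns_name(pattern, hostname):
    """RFC 6125 style match: case-insensitive, trailing dot ignored, at most
    one wildcard and only as the entire leftmost label of a name with at
    least two further labels (so "*" and "*.net" never match anything)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # The wildcard covers exactly one label; it never spans a dot.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Names the certificate claims: dNSName SAN entries if any are present,
    otherwise the subject commonName (legacy fallback only)."""
    sans = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for (key, value) in rdn if key == "commonName"]


def hostname_matches(cert, hostname):
    """True if any name in the certificate matches the dialled hostname."""
    return any(_match_dns_name(name, hostname) for name in cert_names(cert))


def verify_peer_weak(chain_ok, cert, hostname):
    """Behaviour the CVE describes (hypothetical model): the chain result
    alone decides, the hostname is never consulted."""
    return chain_ok


def verify_peer(chain_ok, cert, hostname):
    """Fixed behaviour (hypothetical model): the chain must verify AND the
    certificate must be for the host we connected to."""
    return chain_ok and hostname_matches(cert, hostname)


# Constructed sample certificates; both are assumed to be CA-signed, so a
# chain-only check (chain_ok=True) accepts either of them.
LEGIT_CERT = {
    "subject": ((("commonName", "irc.example.net"),),),
    "subjectAltName": (("DNS", "irc.example.net"), ("DNS", "*.example.net")),
}
ATTACKER_CERT = {
    "subject": ((("commonName", "mitm.example.org"),),),
    "subjectAltName": (("DNS", "mitm.example.org"),),
}

if __name__ == "__main__":
    dialled = "irc.example.net"
    for label, cert in (("legit", LEGIT_CERT), ("attacker", ATTACKER_CERT)):
        print(label, "weak:", verify_peer_weak(True, cert, dialled),
              "fixed:", verify_peer(True, cert, dialled))
```

Running it shows the weak check returning True for both certificates while the fixed check accepts only the one naming `irc.example.net`; a chain failure (`chain_ok=False`) is rejected by both paths, which is why the original bug was invisible to anyone testing only with self-signed or expired certificates.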