Bug 538228 - <net-irc/hexchat-2.10.2: does not verify the server hostname matches the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa]
Reported: 2015-01-30 08:27 UTC by Agostino Sarubbo
Modified: 2015-02-25 01:51 UTC
Description Agostino Sarubbo gentoo-dev 2015-01-30 08:27:42 UTC
From ${URL} :

Hexchat did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.



@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
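
The check whose absence the description above reports, as an added example in plain C (not HexChat's code and not part of the original bug report): after chain validation, the names in the certificate are compared with the hostname the user asked to connect to. `struct cert_names`, `eq_nocase`, `name_matches` and `cert_valid_for_host` are hypothetical names, the certificate names are assumed to be already parsed into strings, and IP-address and internationalized names are left out.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the names parsed out of a peer certificate. */
struct cert_names {
    const char *cn;          /* subject Common Name, may be NULL */
    const char *const *san;  /* subjectAltName dNSName entries */
    size_t san_len;
};

/* ASCII case-insensitive equality; DNS names compare without case. */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;
}

/* Match one certificate name against the requested hostname. A wildcard is
 * accepted only as the whole leftmost label and covers exactly one label. */
static int name_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (strncmp(pattern, "*.", 2) != 0)
        return eq_nocase(pattern, host);
    const char *suffix = pattern + 1;             /* ".example.org" */
    if (!strchr(suffix + 1, '.') || strchr(suffix, '*'))
        return 0;                                 /* "*.org", "*.*.org" */
    const char *dot = strchr(host, '.');          /* end of first host label */
    if (!dot || dot == host)
        return 0;
    return eq_nocase(suffix, dot);
}

/* Returns 1 only if the certificate names cover `host`. The CN is consulted
 * only when the certificate carries no dNSName subjectAltName at all. */
int cert_valid_for_host(const struct cert_names *c, const char *host)
{
    if (c->san_len > 0) {
        for (size_t i = 0; i < c->san_len; i++)
            if (name_matches(c->san[i], host))
                return 1;
        return 0;
    }
    return name_matches(c->cn, host);
}
```

A client that skips this step accepts any certificate that chains to a trusted CA, whatever name it was issued for; the connection should be aborted whenever the function returns 0.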
Comment 1 Julian Ospald 2015-01-30 15:37:37 UTC
yes
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-07 19:58:25 UTC
Arches, please stabilize: 
=net-irc/hexchat-2.10.2
Stable targets: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2015-02-08 14:12:07 UTC
Stable for HPPA.
Comment 4 Markus Meier gentoo-dev 2015-02-08 21:12:54 UTC
arm stable
Comment 5 Sergey Popov gentoo-dev 2015-02-09 11:58:47 UTC
amd64/x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2015-02-16 10:23:37 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-02-18 08:52:40 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2015-02-18 09:18:06 UTC
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-02-23 11:38:18 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-02-24 10:59:32 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 11 Julian Ospald 2015-02-24 16:26:34 UTC
+  24 Feb 2015; Julian Ospald <hasufell@gentoo.org> -hexchat-2.9.5-r1.ebuild,
+  -hexchat-2.9.6.1.ebuild, -hexchat-2.9.6.1-r1.ebuild,
+  -hexchat-2.9.6.1-r2.ebuild, -hexchat-2.10.0-r1.ebuild,
+  -hexchat-2.10.1.ebuild, -files/hexchat-2.9.1-input-box.patch,
+  -files/hexchat-2.9.5-cflags.patch,
+  -files/hexchat-2.9.5-fix_leftclick_opens_menu.patch,
+  -files/hexchat-2.9.5-gettextize.patch, -files/hexchat-2.9.5-gobject.patch,
+  -files/hexchat-2.9.6.1-sasl.patch, -files/hexchat-2.9.6.1-xdcc.patch,
+  -files/hexchat-2.10.0-plugins.patch, -files/hexchat-2.10.0-pofiles.patch,
+  metadata.xml:
+  cleanup old wrt #538228
Comment 12 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-24 17:32:10 UTC
Thanks for cleanup.

GLSA Vote: No
Comment 13 Yury German Gentoo Infrastructure gentoo-dev 2015-02-25 01:51:44 UTC
GLSA Vote: No