"This release fixes two security issues: The first being that Irssi didn't check hostname on SSL connections and the other being a hard to exploit remote crash bug." Sven, can 0.8.15 go stable?
Fixing summary. Sven: Please advise.
CVE-2010-1155 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1155): Irssi before 0.8.15, when SSL is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field or a Subject Alternative Name field of the X.509 certificate, which allows man-in-the-middle attackers to spoof IRC servers via an arbitrary certificate.
CVE-2010-1156 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1156): core/nicklist.c in Irssi before 0.8.15 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors related to an attempted fuzzy nick match at the instant that a victim leaves a channel.
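The check that CVE-2010-1155 describes as missing, sketched as an added example; this is not Irssi's code or its 0.8.15 fix. The `cert_name` struct, the function names and the sample names are assumptions made for illustration, and the names are taken to be already extracted from the certificate together with their declared lengths.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* A name from a certificate: its bytes plus the length its ASN.1 string declares. */
struct cert_name { const char *data; size_t len; };
#define NAME(lit) { lit, sizeof(lit) - 1 }

/* ASCII case-insensitive compare of exactly n bytes. */
static int eq_nocase(const char *a, const char *b, size_t n)
{
    while (n--)
        if (tolower((unsigned char)*a++) != tolower((unsigned char)*b++))
            return 0;
    return 1;
}

/* Match one certificate name against the hostname the client connected to. */
static int name_matches(const struct cert_name *n, const char *host)
{
    size_t hlen = strlen(host);
    const char *dot = strchr(host, '.');
    /* An embedded NUL would make a plain C string compare stop early. */
    if (n->len == 0 || memchr(n->data, '\0', n->len) != NULL)
        return 0;
    if (n->len < 3 || n->data[0] != '*' || n->data[1] != '.')
        return n->len == hlen && eq_nocase(n->data, host, hlen);
    /* Wildcard: whole leftmost label only, and never "*.tld". */
    if (memchr(n->data + 2, '.', n->len - 2) == NULL || dot == NULL || dot == host)
        return 0;
    return strlen(dot) == n->len - 1 && eq_nocase(n->data + 1, dot, n->len - 1);
}

/* Returns 1 when the certificate covers host. SAN entries, when present,
 * are authoritative; the subject CN is consulted only when there are none. */
int cert_covers_host(const struct cert_name *san, size_t san_count,
                     const struct cert_name *cn, const char *host)
{
    size_t i;
    if (host == NULL || *host == '\0')
        return 0;
    for (i = 0; i < san_count; i++)
        if (name_matches(&san[i], host))
            return 1;
    return san_count == 0 && cn != NULL && name_matches(cn, host);
}

/* Constructed sample names, not taken from any real certificate. */
const struct cert_name SAN_EXACT[] = { NAME("irc.example.org") };
const struct cert_name SAN_WILD[]  = { NAME("*.example.org") };
const struct cert_name SAN_NUL[]   = { NAME("irc.example.org\0.attacker.test") };
```

A client that skips this comparison accepts any certificate that chains to a trusted CA, whatever name it was issued for.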
(In reply to comment #0)
> Sven, can 0.8.15 go stable?
Yes, I've been using it without problems since it has been committed.
Arches, please test and mark stable: =net-irc/irssi-0.8.15
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
amd64 stable.
All useflag combinations built, net-irc/irssi-otr successfully built against it. -> Looking good on x86.
alpha/arm/ia64/s390/sh/sparc/x86 stable
ppc done
ppc64 done; closing as last arch
This is a security bug, reopening.
Vote: no.
NO too, closing.