JD has discovered a security issue in WeeChat, which can be exploited by malicious people to conduct spoofing attacks. The security issue is caused due to the application not verifying the validity of the SSL certificates presented when logging in to a server which does not request a client certificate during the handshake. This can be exploited to spoof a valid server and e.g. conduct Man-in-the-Middle (MitM) attacks. The security issue is confirmed in version 0.3.4. Other versions may also be affected. http://secunia.com/advisories/43543
Hmpf I can't find any fix in the GIT repository for now.
Could this be the fix? https://savannah.nongnu.org/patch/?7459 This fix has been included in the new version (0.3.5-rc2 at the moment, ready for May 15th).
0.3.5 is out. We should just upgrade to it.
Sure enough, the upstream changelog [1] includes this issue as fixed:
core: fix verification of SSL certificates by calling gnutls verify callback (patch #7459)
[1] http://weechat.org/files/changelog/ChangeLog-0.3.5.html
This is fixed in the 0.3.5 version that is in the main tree. Feel free to stabilise it if you want (just add arches).
Arches, please test and mark stable: =net-irc/weechat-0.3.5 Target keywords : "amd64 ppc x86"
works on amd64.
ppc stable
x86 stable
Amd64 done. All arches done. Older version dropped.
Thanks, everyone. GLSA Vote: no.
NO too, closing noglsa.
CVE-2011-1428 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1428): Wee Enhanced Environment for Chat (aka WeeChat) 0.3.4 and earlier does not properly verify that the server hostname matches the domain name of the subject of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL chat server via an arbitrary certificate, related to incorrect use of the GnuTLS API.
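The advisory and the CVE text above name two checks a client must pass before trusting a TLS server: the certificate chain has to verify, and a name in the certificate has to match the host the user asked for. The following C sketch of that accept/reject decision is an added example, not WeeChat or GnuTLS code; `accept_server`, `name_matches`, `eq_nocase` and the `chain_errors` convention (0 means the chain verified) are hypothetical, and the wildcard handling is simplified. A real client should call its TLS library's own hostname check (in GnuTLS, `gnutls_x509_crt_check_hostname`).

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Case-insensitive string equality; DNS names compare without case. */
static int eq_nocase(const char *a, const char *b)
{
    while (*a && *b && tolower((unsigned char)*a) == tolower((unsigned char)*b)) {
        a++;
        b++;
    }
    return *a == '\0' && *b == '\0';
}

/* Match one certificate name against the requested host. A "*" is honoured
 * only as the entire leftmost label and covers exactly one label:
 * "*.example.org" matches "irc.example.org", but not "example.org" or
 * "a.b.example.org". */
static int name_matches(const char *pattern, const char *host)
{
    if (!pattern || !host || !*pattern || !*host)
        return 0;
    if (strncmp(pattern, "*.", 2) != 0)
        return eq_nocase(pattern, host);

    const char *suffix = pattern + 1;      /* ".example.org" */
    const char *dot = strchr(host, '.');   /* end of the host's first label */
    if (!dot || dot == host)               /* first label must be non-empty */
        return 0;
    if (!strchr(suffix + 1, '.'))          /* refuse "*.org"-style names */
        return 0;
    return eq_nocase(suffix, dot);
}

/* Decision to take before any data is sent over the session.
 * chain_errors: result of chain verification, 0 = trusted (assumed convention)
 * names, n:     DNS names taken from the server certificate */
int accept_server(unsigned chain_errors, const char *const names[], size_t n,
                  const char *host)
{
    if (chain_errors != 0)
        return 0;                          /* untrusted or expired chain */
    for (size_t i = 0; i < n; i++)
        if (name_matches(names[i], host))
            return 1;
    return 0;                              /* valid certificate, wrong host */
}
```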