oss-sec mailing list archives
Re: CVE request: xchat/hexchat don't properly verify SSL certificates
From: Marc Deslauriers <marc.deslauriers () canonical com>
Date: Thu, 29 Jan 2015 13:58:00 -0500
On 2015-01-29 01:52 PM, Vincent Danen wrote:
As reported [1]: XChat did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name. The same code is used in hexchat. This was initially reported to hexchat in 2013 [2] and fixed last November [3]. I'm not sure if it should receive a 2013 or a 2014 CVE. Can one be assigned to this? Thanks. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1081839 [2] https://github.com/hexchat/hexchat/issues/524 [3] https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d
Looks like XChat-GNOME is vulnerable also. Marc. -- Marc Deslauriers Ubuntu Security Engineer | http://www.ubuntu.com/ Canonical Ltd. | http://www.canonical.com/
Current thread:
- CVE request: xchat/hexchat don't properly verify SSL certificates Vincent Danen (Jan 29)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates Marc Deslauriers (Jan 29)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates Sam Dodrill (Jan 29)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates Reed Loden (Jan 29)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates Daniel Kahn Gillmor (Jan 29)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates Michael Samuel (Jan 30)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates Kurt Seifried (Jan 30)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates TingPing (Jan 30)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates Sam Dodrill (Jan 29)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates Marc Deslauriers (Jan 29)
- Re: CVE request: xchat/hexchat don't properly verify SSL certificates Sven Schwedas (Jan 30)