Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 29 Jan 2015 11:52:08 -0700
From: "Vincent Danen" <vdanen@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: CVE request: xchat/hexchat don't properly verify SSL certificates

As reported [1]:

XChat did not verify that the server hostname matched the domain name in 
the subject's Common Name (CN) or subjectAltName field in X.509 
certificates. This could allow a man-in-the-middle attacker to spoof an 
SSL server if they had a certificate that was valid for any domain name.

The same code is used in hexchat.

This was initially reported to hexchat in 2013 [2] and fixed last 
November [3].  I'm not sure if it should receive a 2013 or a 2014 CVE.  
Can one be assigned to this?

Thanks.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1081839
[2] https://github.com/hexchat/hexchat/issues/524
[3] 
https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d


-- 
Vincent Danen / Red Hat Product Security

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.