Update hexchat to 2.10.2 on 14.04
Bug #1396871 reported by HRJ
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
hexchat (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
According to the release notes here: https:/
"Historically XChat has not used ssl very securely; The last release of it used terrible defaults such as forcing SSLv3 (which is known insecure) and does not take any effort to verify the cert is for the correct address you connected to. With this HexChat release this has finally changed; Now only TLSv1.0+ are accepted and all hostnames are verified as well as a few other more secure options."
Given that the defaults are "known insecure" and that 14.04 is LTS, an update, if possible, would be great.
information type: Private Security → Public Security
tags: added: poodle
tags: added: trusty upgrade-software-version
SSLv3 was disabled in 2.10.1-2 which was uploaded about a week ago. It's up
to motu to sync it to the proper places.
On Nov 26, 2014 10:20 PM, "HRJ" <email address hidden> wrote:
> *** This bug is a security vulnerability ***
>
> Public security bug reported:
>
> According to the release notes here:
> https://hexchat.github.io/news/2.10.2.html
>
> "Historically XChat has not used ssl very securely; The last release of
> it used terrible defaults such as forcing SSLv3 (which is known
> insecure) and does not take any effort to verify the cert is for the
> correct address you connected to. With this HexChat release this has
> finally changed; Now only TLSv1.0+ are accepted and all hostnames are
> verified as well as a few other more secure options."
>
> Given that the defaults are "known insecure" and that 14.04 is LTS, an
> update, if possible, would be great.
>
> ** Affects: hexchat (Ubuntu)
> Importance: Undecided
> Status: New
>
> ** Information type changed from Private Security to Public Security