Update hexchat to 2.10.2 on 14.04

Bug #1396871 reported by HRJ
This bug affects 3 people

Affects: hexchat (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

According to the release notes here: https://hexchat.github.io/news/2.10.2.html

"Historically XChat has not used ssl very securely; The last release of it used terrible defaults such as forcing SSLv3 (which is known insecure) and does not take any effort to verify the cert is for the correct address you connected to. With this HexChat release this has finally changed; Now only TLSv1.0+ are accepted and all hostnames are verified as well as a few other more secure options."

Given that the defaults are "known insecure" and that 14.04 is LTS, an update, if possible, would be great.
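The two defaults the quoted release notes correct, shown as an added example that is not part of the bug report or of HexChat/Ubuntu packaging code: a client context that refuses pre-TLS 1.2 protocol versions (a stricter floor than the TLS 1.0 the 2014 release adopted, chosen here because that is today's baseline) and a hostname check of the kind XChat skipped, run against a constructed certificate dict in the shape `getpeercert()` returns.

```python
"""Client-side TLS hygiene for an IRC client: refuse SSLv3-era protocol
versions and verify the certificate is for the host that was dialled.
Added example; not HexChat or Ubuntu packaging code."""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Context with the properties the 2.10.2 notes describe.
    Floor is TLS 1.2 (today's baseline), not the 2014 TLS 1.0 floor."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSLv3/TLS1.0/1.1 refused
    ctx.verify_mode = ssl.CERT_REQUIRED            # chain must validate
    ctx.check_hostname = True                      # name must match SAN
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when a context has all three properties above."""
    return (ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def hostname_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, wildcard allowed only
    as the whole left-most label, matching exactly one label, never a TLD."""
    host = hostname.rstrip(".").lower().split(".")
    pat = pattern.rstrip(".").lower().split(".")
    if len(host) != len(pat) or len(host) < 2:
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def certificate_is_for_host(cert: dict, hostname: str) -> bool:
    """Check a getpeercert()-shaped dict against the dialled hostname.
    DNS SAN entries are authoritative; the CN is consulted only when the
    certificate carries no DNS SAN at all (legacy fallback)."""
    dns_ids = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not dns_ids:
        dns_ids = [v for rdn in cert.get("subject", ())
                   for k, v in rdn if k == "commonName"]
    return any(hostname_matches(hostname, d) for d in dns_ids)


# Constructed sample certificate (hypothetical names), not a real server's.
SAMPLE_CERT = {
    "subject": ((("commonName", "irc.example.org"),),),
    "subjectAltName": (("DNS", "irc.example.org"),
                       ("DNS", "*.chat.example.org")),
}

if __name__ == "__main__":
    print("hardened:", context_is_hardened(hardened_client_context()))
    for name in ("irc.example.org", "web.chat.example.org", "evil.example.net"):
        print(name, certificate_is_for_host(SAMPLE_CERT, name))
```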

HRJ (harshad-rj)
information type: Private Security → Public Security
Revision history for this message
Jesse Rhodes (sney) wrote : Re: [Bug 1396871] [NEW] Update hexchat to 2.10.2 on 14.04

SSLv3 was disabled in 2.10.1-2 which was uploaded about a week ago. It's up
to motu to sync it to the proper places.

tags: added: poodle
Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in hexchat (Ubuntu):
status: New → Confirmed
Revision history for this message
HRJ (harshad-rj) wrote :

Just a note, if anyone is working on this.

hexchat 2.10.1 from this PPA:
https://launchpad.net/~gwendal-lebihan-dev/+archive/ubuntu/hexchat-stable

... works fine in my testing.

Hopefully, 2.10.2 doesn't have any package-breaking changes over 2.10.1.

Revision history for this message
Jesse Rhodes (sney) wrote : Re: [Bug 1396871] Re: Update hexchat to 2.10.2 on 14.04

HRJ,

The packages in that ppa are built based on the debian packages. Think
of them as backports for no-longer-updated ubuntu releases.

2.10.2 doesn't have any package-breaking changes; however, I'm making
the package layout a bit more modular.

I can only really devote time to packaging on the weekends. I'm
working on it currently and hopefully we'll have an upload today.

Thanks for your patience.

sney


Revision history for this message
Jails (sjaillet) wrote :

Any news on this?

Mathew Hodson (mhodson)
tags: added: trusty upgrade-software-version
Revision history for this message
Jackson Doak (noskcaj) wrote :

The ubuntu backports project is unreliable, but if someone wants to go through the process, please look at https://wiki.ubuntu.com/UbuntuBackports .

The specific high-priority fixes should be SRUed to 14.04, however, which, due to higher stability requirements, can only really be for specific patches, such as the CVE one. See https://wiki.ubuntu.com/StableReleaseUpdates . If someone had the time to do the SRU work it would be greatly appreciated.

Revision history for this message
Mattia Rizzolo (mapreri) wrote :

Just uploaded version 2.9.6.1-2ubuntu0.1 in trusty-security, which fixes the SSL validation issue (see lp #1565000).

For the rest: in Ubuntu stable releases, packages are not updated just because they are old or just to have new features; that's the very concept of stable releases.

So, I'm closing this bug.

Changed in hexchat (Ubuntu):
status: Confirmed → Invalid