Ubuntu
hexchat package

Bug #1396871
Comment #1

Comment 1 for bug 1396871

Revision history for this message

Jesse Rhodes (sney) wrote on 2014-11-27: Re: [Bug 1396871] [NEW] Update hexchat to 2.10.2 on 14.04

SSLv3 was disabled in 2.10.1-2 which was uploaded about a week ago. It's up
to motu to sync it to the proper places.
On Nov 26, 2014 10:20 PM, "HRJ" <email address hidden> wrote:

> *** This bug is a security vulnerability ***
>
> Public security bug reported:
>
> According to the release notes here:
> https://hexchat.github.io/news/2.10.2.html
>
> "Historically XChat has not used ssl very securely; The last release of
> it used terrible defaults such as forcing SSLv3 (which is known
> insecure) and does not take any effort to verify the cert is for the
> correct address you connected to. With this HexChat release this has
> finally changed; Now only TLSv1.0+ are accepted and all hostnames are
> verified as well as a few other more secure options."
>
> Given that the defaults are "known insecure" and that 14.04 is LTS, an
> update, if possible, would be great.
>
> ** Affects: hexchat (Ubuntu)
> Importance: Undecided
> Status: New
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to hexchat
> in Ubuntu.
> Matching subscriptions: hexchat-bugs
> https://bugs.launchpad.net/bugs/1396871
>
> Title:
> Update hexchat to 2.10.2 on 14.04
>
> Status in “hexchat” package in Ubuntu:
> New
>
> Bug description:
> According to the release notes here:
> https://hexchat.github.io/news/2.10.2.html
>
> "Historically XChat has not used ssl very securely; The last release
> of it used terrible defaults such as forcing SSLv3 (which is known
> insecure) and does not take any effort to verify the cert is for the
> correct address you connected to. With this HexChat release this has
> finally changed; Now only TLSv1.0+ are accepted and all hostnames are
> verified as well as a few other more secure options."
>
> Given that the defaults are "known insecure" and that 14.04 is LTS, an
> update, if possible, would be great.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/hexchat/+bug/1396871/+subscriptions
>

SSLv3 was disabled in 2.10.1-2 which was uploaded about a week ago. It's up
to motu to sync it to the proper places.
On Nov 26, 2014 10:20 PM, "HRJ" <1396871@bugs.launchpad.net> wrote:

> *** This bug is a security vulnerability ***
>
> Public security bug reported:
>
> According to the release notes here:
> https://hexchat.github.io/news/2.10.2.html
>
> "Historically XChat has not used ssl very securely; The last release of
> it used terrible defaults such as forcing SSLv3 (which is known
> insecure) and does not take any effort to verify the cert is for the
> correct address you connected to. With this HexChat release this has
> finally changed; Now only TLSv1.0+ are accepted and all hostnames are
> verified as well as a few other more secure options."
>
> Given that the defaults are "known insecure" and that 14.04 is LTS, an
> update, if possible, would be great.
>
> ** Affects: hexchat (Ubuntu)
>      Importance: Undecided
>          Status: New
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to hexchat
> in Ubuntu.
> Matching subscriptions: hexchat-bugs
> https://bugs.launchpad.net/bugs/1396871
>
> Title:
>   Update hexchat to 2.10.2 on 14.04
>
> Status in “hexchat” package in Ubuntu:
>   New
>
> Bug description:
>   According to the release notes here:
>   https://hexchat.github.io/news/2.10.2.html
>
>   "Historically XChat has not used ssl very securely; The last release
>   of it used terrible defaults such as forcing SSLv3 (which is known
>   insecure) and does not take any effort to verify the cert is for the
>   correct address you connected to. With this HexChat release this has
>   finally changed; Now only TLSv1.0+ are accepted and all hostnames are
>   verified as well as a few other more secure options."
>
>   Given that the defaults are "known insecure" and that 14.04 is LTS, an
>   update, if possible, would be great.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/hexchat/+bug/1396871/+subscriptions
>

Ubuntuhexchat package

Comment 1 for bug 1396871

Ubuntu
hexchat package