SSLv3 was disabled in 2.10.1-2 which was uploaded about a week ago. It's up
to motu to sync it to the proper places.
On Nov 26, 2014 10:20 PM, "HRJ" <email address hidden> wrote:
> *** This bug is a security vulnerability ***
>
> Public security bug reported:
>
> According to the release notes here:
> https://hexchat.github.io/news/2.10.2.html
>
> "Historically XChat has not used ssl very securely; The last release of
> it used terrible defaults such as forcing SSLv3 (which is known
> insecure) and does not take any effort to verify the cert is for the
> correct address you connected to. With this HexChat release this has
> finally changed; Now only TLSv1.0+ are accepted and all hostnames are
> verified as well as a few other more secure options."
>
> Given that the defaults are "known insecure" and that 14.04 is LTS, an
> update, if possible, would be great.
>
> ** Affects: hexchat (Ubuntu)
> Importance: Undecided
> Status: New
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to hexchat
> in Ubuntu.
> Matching subscriptions: hexchat-bugs
> https://bugs.launchpad.net/bugs/1396871
>
> Title:
> Update hexchat to 2.10.2 on 14.04
>
> Status in “hexchat” package in Ubuntu:
> New
>
> Bug description:
> According to the release notes here:
> https://hexchat.github.io/news/2.10.2.html
>
> "Historically XChat has not used ssl very securely; The last release
> of it used terrible defaults such as forcing SSLv3 (which is known
> insecure) and does not take any effort to verify the cert is for the
> correct address you connected to. With this HexChat release this has
> finally changed; Now only TLSv1.0+ are accepted and all hostnames are
> verified as well as a few other more secure options."
>
> Given that the defaults are "known insecure" and that 14.04 is LTS, an
> update, if possible, would be great.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/hexchat/+bug/1396871/+subscriptions
>