Comment 1 for bug 1396871

Revision history for this message
Jesse Rhodes (sney) wrote : Re: [Bug 1396871] [NEW] Update hexchat to 2.10.2 on 14.04

SSLv3 was disabled in 2.10.1-2 which was uploaded about a week ago. It's up
to motu to sync it to the proper places.
On Nov 26, 2014 10:20 PM, "HRJ" <email address hidden> wrote:

> *** This bug is a security vulnerability ***
>
> Public security bug reported:
>
> According to the release notes here:
> https://hexchat.github.io/news/2.10.2.html
>
> "Historically XChat has not used ssl very securely; The last release of
> it used terrible defaults such as forcing SSLv3 (which is known
> insecure) and does not take any effort to verify the cert is for the
> correct address you connected to. With this HexChat release this has
> finally changed; Now only TLSv1.0+ are accepted and all hostnames are
> verified as well as a few other more secure options."
>
> Given that the defaults are "known insecure" and that 14.04 is LTS, an
> update, if possible, would be great.
>
> ** Affects: hexchat (Ubuntu)
> Importance: Undecided
> Status: New
>
> ** Information type changed from Private Security to Public Security
>
> --
> You received this bug notification because you are subscribed to hexchat
> in Ubuntu.
> Matching subscriptions: hexchat-bugs
> https://bugs.launchpad.net/bugs/1396871
>
> Title:
> Update hexchat to 2.10.2 on 14.04
>
> Status in “hexchat” package in Ubuntu:
> New
>
> Bug description:
> According to the release notes here:
> https://hexchat.github.io/news/2.10.2.html
>
> "Historically XChat has not used ssl very securely; The last release
> of it used terrible defaults such as forcing SSLv3 (which is known
> insecure) and does not take any effort to verify the cert is for the
> correct address you connected to. With this HexChat release this has
> finally changed; Now only TLSv1.0+ are accepted and all hostnames are
> verified as well as a few other more secure options."
>
> Given that the defaults are "known insecure" and that 14.04 is LTS, an
> update, if possible, would be great.
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/hexchat/+bug/1396871/+subscriptions
>