Fails to connect to servers that disable SSLv3

Bug #1381484 reported by Marius Gedminas
This bug affects 4 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| XChat-GNOME | Fix Released | Medium | | |
| xchat (Ubuntu) | Fix Released | Undecided | Steve Beattie | |
| Precise | Fix Released | Undecided | Marc Deslauriers | |
| Trusty | Fix Released | Undecided | Marc Deslauriers | |
| Utopic | Fix Released | Undecided | Steve Beattie | |
| xchat-gnome (Debian) | Fix Released | Unknown | | |
| xchat-gnome (Ubuntu) | Fix Released | Undecided | Marc Deslauriers | |
| Precise | Fix Released | Undecided | Marc Deslauriers | |
| Trusty | Fix Released | Undecided | Marc Deslauriers | |
| Utopic | Fix Released | Undecided | Marc Deslauriers | |

Bug Description

SRU REQUEST:

[Impact]

Xchat-Gnome (and xchat) force the use of SSLv3. Since the Poodle attack on SSLv3, many servers are now disabling the use of SSLv3, making xchat-gnome unable to connect successfully.

[Test Case]

Install xchat-gnome and connect to an irc server that no longer offers SSLv3.

[Regression Potential]

This update may possibly introduce compatibility issues with sites that don't properly handle TLSv1.2 negotiations. While such sites existed in the past, they aren't likely to be common at the present time. Unfortunately, there is no ultimate solution that would be compatible with both scenarios.

Original report:

slack.com is a chat service with optional IRC integration. Since today I can no longer connect to their IRC gateway using XChat-GNOME. The error is:

> * Nepavyko prisijungti. Klaida: (336130315) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Ar tai tikrai SSL šifravimą palaikantis serveris ir prievadas?

which, translated from lt_LT, means

> * Cannot connect. Error: (336130315) error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> Does the server/port really support SSL?

I think this is part of the fallout of CVE-2014-3566 (aka POODLE). XChat-GNOME is trying to use the insecure SSL protocol version 3, and Slack, reasonably enough, rejects that.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: xchat-gnome 1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12
ProcVersionSignature: Ubuntu 3.13.0-37.64-generic 3.13.11.7
Uname: Linux 3.13.0-37-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.5
Architecture: amd64
CurrentDesktop: GNOME
Date: Wed Oct 15 14:50:57 2014
EcryptfsInUse: Yes
InstallationDate: Installed on 2012-07-25 (811 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
SourcePackage: xchat-gnome
UpgradeStatus: Upgraded to trusty on 2014-04-18 (180 days ago)
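
The failure in the report and the effect of letting the version be negotiated, as an added example (not XChat or OpenSSL code): a simplified Python model in which a client pinned to one protocol version rejects the first server record that carries a different version. The function names, the constructed records and the version stamped on the alert are assumptions; the model also goes beyond the report by showing that a negotiating client still accepts SSLv3 from a legacy server unless it sets a floor (in OpenSSL, `SSL_OP_NO_SSLv3`).

```python
import struct

# Wire values for protocol versions (major, minor packed as one 16-bit number).
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
ALERT, HANDSHAKE = 21, 22            # record content types
FATAL, PROTOCOL_VERSION = 2, 70      # alert level / alert description


def server_first_record(client_max, server_min, server_max):
    """Model server: answer a ClientHello that offers up to client_max."""
    chosen = min(client_max, server_max)
    if chosen < server_min:
        # No common version: fatal alert. Assumption: the record is stamped
        # with the server's lowest enabled version.
        return struct.pack("!BHHBB", ALERT, server_min, 2, FATAL, PROTOCOL_VERSION)
    # Constructed ServerHello stub: handshake type 2, 3-byte length, version.
    body = struct.pack("!B3sH", 2, (2).to_bytes(3, "big"), chosen)
    return struct.pack("!BHH", HANDSHAKE, chosen, len(body)) + body


def client_connect(client_min, client_max, server_min, server_max):
    """Model client: return the negotiated version or raise ConnectionError."""
    record = server_first_record(client_max, server_min, server_max)
    ctype, version, _length = struct.unpack("!BHH", record[:5])
    pinned = client_min == client_max
    if pinned and version != client_max:
        # Simplified: a single-version client accepts only its own version
        # in the record header, so it fails before it even reads the alert.
        raise ConnectionError("wrong version number")
    if ctype == ALERT:
        raise ConnectionError("fatal alert %d" % record[6])
    if not client_min <= version <= client_max:
        raise ConnectionError("unsupported protocol")
    return version


def outcome(client_min, client_max, server_min, server_max):
    """Run one scenario and describe the result as a short string."""
    try:
        return "ok 0x%04x" % client_connect(client_min, client_max,
                                            server_min, server_max)
    except ConnectionError as exc:
        return str(exc)


if __name__ == "__main__":
    print("forced SSLv3 -> TLS-only server:", outcome(SSL3, SSL3, TLS10, TLS12))
    print("negotiating  -> TLS-only server:", outcome(SSL3, TLS12, TLS10, TLS12))
    print("negotiating  -> SSLv3-only server:", outcome(SSL3, TLS12, SSL3, SSL3))
    print("floor TLS1.0 -> SSLv3-only server:", outcome(TLS10, TLS12, SSL3, SSL3))
```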

Marius Gedminas (mgedmin) wrote :
information type: Private Security → Public Security
Changed in xchat-gnome (Ubuntu):
status: New → Confirmed
Changed in xchat-gnome (Ubuntu):
assignee: nobody → Marc Deslauriers (mdeslaur)
Marc Deslauriers (mdeslaur) wrote :

Hi mgedmin,

Could you please test the fixed package I've uploaded to my testing PPA here:

https://launchpad.net/~mdeslaur/+archive/ubuntu/testing

If that works for you to connect to irc.slack.com, I'll work on preparing an SRU.

Thanks!

Changed in xchat-gnome (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: New → Confirmed
Changed in xchat-gnome (Ubuntu Trusty):
status: New → Confirmed
assignee: nobody → Marc Deslauriers (mdeslaur)
Marius Gedminas (mgedmin) wrote :

xchat-gnome 0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.1~ppa1 from your PPA works for me.

Changed in xchat (Ubuntu Precise):
status: New → Confirmed
Changed in xchat (Ubuntu Trusty):
status: New → Confirmed
Changed in xchat (Ubuntu Utopic):
status: New → Confirmed
assignee: nobody → Steve Beattie (sbeattie)
summary: - Fails to connect to irc.slack.com with an SSL error
+ Fails to connect to servers that disable SSLv3
description: updated
Changed in xchat-gnome (Ubuntu Precise):
status: Confirmed → In Progress
Changed in xchat-gnome (Ubuntu Trusty):
status: Confirmed → In Progress
Changed in xchat-gnome:
importance: Unknown → Medium
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu14

---------------
xchat-gnome (1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu14) utopic; urgency=medium

  * Don't force the use of SSLv3 (LP: #1381484)
    - debian/patches/dont_force_sslv3.patch: use SSLv23_client_method() so
      the best method gets automatically negotiated in src/common/ssl.c.
 -- Marc Deslauriers <email address hidden> Mon, 20 Oct 2014 10:14:47 -0400

Changed in xchat-gnome (Ubuntu Utopic):
status: Confirmed → Fix Released
Changed in xchat (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: Confirmed → In Progress
Changed in xchat (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
status: Confirmed → In Progress
Changed in xchat (Ubuntu Utopic):
status: Confirmed → Fix Committed
Changed in xchat-gnome (Debian):
status: Unknown → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat - 2.8.8-7.1ubuntu7

---------------
xchat (2.8.8-7.1ubuntu7) utopic; urgency=medium

  * Don't force the use of SSLv3 (LP: #1381484)
    - debian/patches/dont_force_sslv3.patch: use SSLv23_client_method()
      so the best method gets automatically negotiated in
      src/common/ssl.c.
 -- Steve Beattie <email address hidden> Mon, 20 Oct 2014 10:54:31 -0400

Changed in xchat (Ubuntu Utopic):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote : Please test proposed package

Hello Marius, or anyone else affected,

Accepted xchat-gnome into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/xchat-gnome/1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in xchat-gnome (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in xchat (Ubuntu Trusty):
status: In Progress → Fix Committed
Chris J Arges (arges) wrote :

Hello Marius, or anyone else affected,

Accepted xchat into trusty-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/xchat/2.8.8-7.1ubuntu5.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in xchat (Ubuntu Precise):
status: In Progress → Fix Committed
Chris J Arges (arges) wrote :

Hello Marius, or anyone else affected,

Accepted xchat into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/xchat/2.8.8-3ubuntu12.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Marius Gedminas (mgedmin) wrote :

I can confirm that xchat-gnome 0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.1 from your trusty-proposed works for me.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat - 2.8.8-3ubuntu12.1

---------------
xchat (2.8.8-3ubuntu12.1) precise; urgency=medium

  * Don't force the use of SSLv3 (LP: #1381484)
    - debian/patches/dont_force_sslv3.patch: use SSLv23_client_method()
      so the best method gets automatically negotiated in
      src/common/ssl.c.
 -- Marc Deslauriers <email address hidden> Mon, 20 Oct 2014 11:56:17 -0400

Changed in xchat (Ubuntu Precise):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote : Update Released

The verification of the Stable Release Update for xchat has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.1

---------------
xchat-gnome (1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.1) trusty; urgency=medium

  * Don't force the use of SSLv3 (LP: #1381484)
    - debian/patches/dont_force_sslv3.patch: use SSLv23_client_method() so
      the best method gets automatically negotiated in src/common/ssl.c.
 -- Marc Deslauriers <email address hidden> Mon, 20 Oct 2014 10:30:21 -0400

Changed in xchat-gnome (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat - 2.8.8-7.1ubuntu5.1

---------------
xchat (2.8.8-7.1ubuntu5.1) trusty; urgency=medium

  * Don't force the use of SSLv3 (LP: #1381484)
    - debian/patches/dont_force_sslv3.patch: use SSLv23_client_method()
      so the best method gets automatically negotiated in
      src/common/ssl.c.
 -- Marc Deslauriers <email address hidden> Mon, 20 Oct 2014 11:55:26 -0400

Changed in xchat (Ubuntu Trusty):
status: Fix Committed → Fix Released
Chris J Arges (arges) wrote : Please test proposed package

Hello Marius, or anyone else affected,

Accepted xchat-gnome into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/xchat-gnome/1:0.30.0~git20110821.e2a400-0.2ubuntu4.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in xchat-gnome (Ubuntu Precise):
status: In Progress → Fix Committed
tags: removed: verification-done
tags: added: verification-needed
Changed in xchat-gnome:
status: New → Fix Released
Ubuntu Foundations Team Bug Bot (crichton) wrote : [xchat-gnome/precise] verification still needed

The fix for this bug has been awaiting testing feedback in the -proposed repository for precise for more than 90 days. Please test this fix and update the bug appropriately with the results. In the event that the fix for this bug is still not verified 15 days from now, the package will be removed from the -proposed repository.

tags: added: removal-candidate
Marius Gedminas (mgedmin) wrote :

I booted an Ubuntu 12.04 LTS desktop live session with testdrive, apt-get installed xchat-gnome version 1:0.30.0~git20110821.e2a400-0.2ubuntu4.2 and attempted to connect to slack.com's IRC gateway.

The connection was successful.

tags: added: verification-done
removed: removal-candidate verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xchat-gnome - 1:0.30.0~git20110821.e2a400-0.2ubuntu4.2

---------------
xchat-gnome (1:0.30.0~git20110821.e2a400-0.2ubuntu4.2) precise; urgency=medium

  * Don't force the use of SSLv3 (LP: #1381484)
    - debian/patches/dont_force_sslv3.patch: use SSLv23_client_method() so
      the best method gets automatically negotiated in src/common/ssl.c.
 -- Marc Deslauriers <email address hidden> Mon, 20 Oct 2014 10:32:45 -0400

Changed in xchat-gnome (Ubuntu Precise):
status: Fix Committed → Fix Released
Changed in xchat-gnome (Debian):
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
