A CVE was requested for a security issue fixed upstream in hexchat:
http://openwall.com/lists/oss-security/2015/01/29/23

If I understand the upstream bug report correctly, this was fixed in 2.9.8, so Cauldron should be OK. The message above links the upstream commit that fixed it.

Apparently xchat and xchat-gnome are affected too. Xchat is dead upstream and probably won't be fixed unless someone makes a patch. I'm not sure about xchat-gnome.
I have uploaded a patched package for Mageia 4. Not sure how to test the hostname validation, so I think you should just test that it still works (testing myself on x86_64 and it seems to work OK).

Suggested advisory:
========================

This update fixes the following security vulnerability:

HexChat did not verify that the server hostname matched the domain name in the subject's Common Name (CN) or subjectAltName field in X.509 certificates. This could allow a man-in-the-middle attacker to spoof an SSL server if they had a certificate that was valid for any domain name.

References:
http://openwall.com/lists/oss-security/2015/01/29/23
https://github.com/hexchat/hexchat/issues/524
========================

Updated packages in core/updates_testing:
========================
hexchat-2.9.6.1-3.1.mga4
hexchat-checksum-2.9.6.1-3.1.mga4
hexchat-devel-2.9.6.1-3.1.mga4
hexchat-doat-2.9.6.1-3.1.mga4
hexchat-fishlim-2.9.6.1-3.1.mga4
hexchat-perl-2.9.6.1-3.1.mga4
hexchat-python-2.9.6.1-3.1.mga4
hexchat-sysinfo-2.9.6.1-3.1.mga4

Source RPM:
hexchat-2.9.6.1-3.1.mga4.src.rpm
Assignee: mageia => qa-bugs
Hardware: i586 => All
Are you using SSL connection Sander?
(In reply to claire robinson from comment #2)
> Are you using SSL connection Sander?

I don't think so :) Someone should test with SSL too.
CC: (none) => mageia
Testing on Mageia4x32, real hardware

From current packages :
---------------------
- hexchat-2.9.6.1-3.mga4.i586
- hexchat-checksum-2.9.6.1-3.mga4.i586
- hexchat-devel-2.9.6.1-3.mga4.i586
- hexchat-doat-2.9.6.1-3.mga4.i586
- hexchat-fishlim-2.9.6.1-3.mga4.i586
- hexchat-perl-2.9.6.1-3.mga4.i586
- hexchat-python-2.9.6.1-3.mga4.i586
- hexchat-sysinfo-2.9.6.1-3.mga4.i586

Connected to a network using an SSL-connection (irc.barafranca.com/+6679)

On connecting, hexchat window showed :
(...)
*
* Certification info:
* Subject:
* OU=Domain Control Validated
* CN=irc.barafranca.com
* Issuer:
* C=US
* ST=Arizona
* L=Scottsdale
* O=GoDaddy.com, Inc.
* OU=http:
*
* certificates.godaddy.com
* repository
* CN=Go Daddy Secure Certification Authority
* serialNumber=07969287
* Public key algorithm: rsaEncryption (2048 bits)
* Sign algorithm sha1WithRSAEncryption
* Valid since Jun 3 12:27:53 2013 GMT to Jun 3 12:27:53 2015 GMT
*
* Cipher info:
* Version: TLSv1/SSLv3, cipher DHE-RSA-AES256-SHA (256 bits)
(...)
*** You are connected using SSL cipher "DHE-RSA-AES-256-CBC-SHA1"

Updated to testing packages :
---------------------------
- hexchat-2.9.6.1-3.1.mga4.i586
- hexchat-checksum-2.9.6.1-3.1.mga4.i586
- hexchat-devel-2.9.6.1-3.1.mga4.i586
- hexchat-doat-2.9.6.1-3.1.mga4.i586
- hexchat-fishlim-2.9.6.1-3.1.mga4.i586
- hexchat-perl-2.9.6.1-3.1.mga4.i586
- hexchat-python-2.9.6.1-3.1.mga4.i586
- hexchat-sysinfo-2.9.6.1-3.1.mga4.i586

* Subject:
* OU=Domain Control Validated
* CN=irc.barafranca.com
* Issuer:
* C=US
* ST=Arizona
* L=Scottsdale
* O=GoDaddy.com, Inc.
* OU=http:
*
* certificates.godaddy.com
* repository
* CN=Go Daddy Secure Certification Authority
* serialNumber=07969287
* Public key algorithm: rsaEncryption (2048 bits)
* Sign algorithm sha1WithRSAEncryption
* Valid since Jun 3 12:27:53 2013 GMT to Jun 3 12:27:53 2015 GMT
*
* Cipher info:
* Version: TLSv1/SSLv3, cipher DHE-RSA-AES256-SHA (256 bits)

Connected to same network using SSL-connection
*** You are connected using SSL cipher "DHE-RSA-AES-256-CBC-SHA1"
which showed I was using an SSL-connection.

I don't know how to test that it verifies the Certificate Common Name, since the messages are the same.

Basic usage of hexchat all OK.
CC: (none) => olchal
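The check the suggested advisory describes as missing, and which the SSL test above could not exercise from the connection messages, written out as an added example (not HexChat's code): an RFC 6125 style hostname matcher run over certificate data in the shape Python's ssl.SSLSocket.getpeercert() returns. The certificate dict is constructed; its CN is the one from the log above, the subjectAltName entries are assumed.

```python
# Added example, not HexChat's code: the hostname-vs-certificate check that the
# advisory says was missing. Certificate data is a constructed dict in the shape
# returned by Python's ssl.SSLSocket.getpeercert(); the CN is the one from the
# tester's log, the SAN entries are assumed.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, a wildcard is allowed only
    as the whole left-most label and never matches across a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "w*.example", "*.com" and anything carrying a second wildcard.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """True if hostname matches a dNSName SAN; the subject CN is consulted only
    when the certificate carries no dNSName SAN at all (RFC 6125 CN fallback)."""
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(dns_name_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_name_matches(value, hostname):
                return True
    return False


# Constructed sample certificate (see the comment at the top).
SAMPLE_CERT = {
    "subject": ((("organizationalUnitName", "Domain Control Validated"),),
                (("commonName", "irc.barafranca.com"),)),
    "subjectAltName": (("DNS", "irc.barafranca.com"), ("DNS", "*.barafranca.com")),
}

if __name__ == "__main__":
    # A client that skips this check accepts the certificate for whatever name it
    # connected to; with the check, only names the certificate was issued for pass.
    for host in ("irc.barafranca.com", "chat.barafranca.com", "irc.example.net"):
        verdict = "accept" if hostname_matches_cert(SAMPLE_CERT, host) else "reject"
        print(f"{host:22} -> {verdict}")
```

Running it shows the difference the update makes in practice: the connection messages are identical either way, so the verification is only observable when the presented name does not match, which is why the tester could not see it on a correctly named server.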
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: hexchat

default install of hexchat

[root@localhost wilcal]# urpmi hexchat
Package hexchat-2.9.6.1-3.mga4.i586 is already installed

Hexchat desktop UI opens, connects to freenode then to the Mageia channel

install hexchat from updates_testing

[root@localhost wilcal]# urpmi hexchat
Package hexchat-2.9.6.1-3.1.mga4.i586 is already installed

Hexchat desktop UI opens, connects to freenode then to the Mageia channel

hexchat-checksum, hexchat-devel, hexchat-doat, hexchat-fishlim, hexchat-perl, hexchat-python, hexchat-sysinfo all 2.9.6.1-3.1, all installed without error

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
Whiteboard: (none) => MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test: hexchat

default install of hexchat

[root@localhost wilcal]# urpmi hexchat
Package hexchat-2.9.6.1-3.mga4.x86_64 is already installed

Hexchat desktop UI opens, connects to freenode then to the Mageia channel

install hexchat from updates_testing

[root@localhost wilcal]# urpmi hexchat
Package hexchat-2.9.6.1-3.1.mga4.x86_64 is already installed

Hexchat desktop UI opens, check "Use SSL for all the servers on this network", connects to freenode with the SSL cert then to the Mageia channel

hexchat-checksum, hexchat-devel, hexchat-doat, hexchat-fishlim, hexchat-perl, hexchat-python, hexchat-sysinfo all 2.9.6.1-3.1, all installed without error

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA4-32-OK => MGA4-32-OK MGA4-64-OK
In VirtualBox, M4, KDE, 32-bit

[root@localhost wilcal]# urpmi hexchat
Package hexchat-2.9.6.1-3.1.mga4.i586 is already installed

Hexchat desktop UI opens, check "Use SSL for all the servers on this network", connects to freenode with the SSL cert then to the Mageia channel
This update works fine.

Testing complete for mga4 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push this to updates? Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA4-32-OK MGA4-64-OK => MGA4-32-OK MGA4-64-OK advisory
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0050.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
URL: (none) => http://lwn.net/Vulnerabilities/632256/
CVE-2013-7449 has been assigned for this:
http://openwall.com/lists/oss-security/2016/04/06/2
Summary: hexchat does not verify SSL certificates => hexchat does not verify SSL certificates (CVE-2013-7449)