Candidate: CVE-2013-7449
PublicDate: 2016-04-21 14:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7449
 http://seclists.org/oss-sec/2016/q2/17
 http://seclists.org/oss-sec/2015/q1/342
 https://github.com/hexchat/hexchat/issues/524
 https://launchpad.net/bugs/1565000
 https://bugzilla.redhat.com/show_bug.cgi?id=1081839
Description:
 The ssl_do_connect function in common/server.c in HexChat before 2.10.2,
 XChat, and XChat-GNOME does not verify that the server hostname matches a
 domain name in the X.509 certificate, which allows man-in-the-middle
 attackers to spoof SSL servers via an arbitrary valid certificate.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N [6.5 MEDIUM]

Patches_xchat:
upstream_xchat: needs-triage
precise_xchat: ignored (reached end-of-life)
precise/esm_xchat: DNE (precise was needs-triage)
trusty_xchat: ignored (reached end-of-life)
trusty/esm_xchat: DNE (trusty was needed)
vivid/stable-phone-overlay_xchat: DNE
vivid/ubuntu-core_xchat: DNE
wily_xchat: ignored (reached end-of-life)
xenial_xchat: DNE
yakkety_xchat: DNE
zesty_xchat: DNE
artful_xchat: not-affected (2.8.8-10)
bionic_xchat: not-affected (2.8.8-10)
cosmic_xchat: not-affected (2.8.8-10)
disco_xchat: not-affected (2.8.8-10)
devel_xchat: not-affected (2.8.8-10)

Patches_hexchat:
 upstream: https://github.com/hexchat/hexchat/commit/c9b63f7f9be01692b03fa15275135a4910a7e02d
 upstream: https://github.com/hexchat/hexchat/commit/50463ca8321c39f3966c278ab25ca158404d72f1
upstream_hexchat: released (2.10.2-1)
precise_hexchat: DNE
precise/esm_hexchat: DNE
trusty_hexchat: released (2.9.6.1-2ubuntu0.1)
trusty/esm_hexchat: DNE (trusty was released [2.9.6.1-2ubuntu0.1])
vivid/stable-phone-overlay_hexchat: DNE
vivid/ubuntu-core_hexchat: DNE
wily_hexchat: not-affected (2.10.2-1ubuntu2)
xenial_hexchat: not-affected (2.10.2-1ubuntu2)
yakkety_hexchat: not-affected (2.10.2-1ubuntu2)
zesty_hexchat: not-affected (2.10.2-1ubuntu2)
artful_hexchat: not-affected (2.10.2-1ubuntu2)
bionic_hexchat: not-affected (2.10.2-1ubuntu2)
cosmic_hexchat: not-affected (2.10.2-1ubuntu2)
disco_hexchat: not-affected (2.10.2-1ubuntu2)
devel_hexchat: not-affected (2.10.2-1ubuntu2)

Patches_xchat-gnome:
upstream_xchat-gnome: needs-triage
precise_xchat-gnome: released (1:0.30.0~git20110821.e2a400-0.2ubuntu4.3)
precise/esm_xchat-gnome: DNE (precise was released [1:0.30.0~git20110821.e2a400-0.2ubuntu4.3])
trusty_xchat-gnome: released (1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2)
trusty/esm_xchat-gnome: DNE (trusty was released [1:0.30.0~git20131003.d20b8d+really20110821-0.2ubuntu12.2])
vivid/stable-phone-overlay_xchat-gnome: DNE
vivid/ubuntu-core_xchat-gnome: DNE
wily_xchat-gnome: released (1:0.30.0~git20141005.816798-0ubuntu6.2)
xenial_xchat-gnome: not-affected (1:0.30.0~git20141005.816798-0ubuntu9)
esm-infra/xenial_xchat-gnome: not-affected (1:0.30.0~git20141005.816798-0ubuntu9)
yakkety_xchat-gnome: DNE
zesty_xchat-gnome: DNE
artful_xchat-gnome: not-affected (1:0.30.0~git20141005.816798-0ubuntu9)
bionic_xchat-gnome: DNE
cosmic_xchat-gnome: DNE
disco_xchat-gnome: DNE
devel_xchat-gnome: DNE