XChat....
Marc Deslauriers
marcdeslauriers at videotron.ca
Sun Mar 29 16:57:50 UTC 2015
On 2015-03-29 12:45 PM, Nick T. wrote:
> Hello,
> As some of you should know XChat is unmaintained.
It's still maintained in Debian and Ubuntu.
> First of all looking at the CVEs at
> http://www.cvedetails.com/vulnerability-list.php?vendor_id=552&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=4&trc=10&sha=9e5eed6234039ebc435bb6dfadc628228ac11b37
> I hope that all the fixes have been backported to the current version because
> that would be a different level of messed up.
Yes, the packages in Debian and Ubuntu have either been patched, or the CVE
didn't apply.
> Secondly XChat appears to be vulnerable to sslv3 attacks.
Both Debian and Ubuntu carry a patch to enable TLSv1.x support.
> Why is the package still in the repos? Even then, why isnt there a huge
> warning that the package is unmaintained and possibly vulnerable?
>
Because it is maintained, and it's not vulnerable.
Marc.
More information about the ubuntu-users
mailing list