XChat....
Nick T.
nick at nickscode.com
Sun Mar 29 17:02:29 UTC 2015
On 03/29/2015 07:57 PM, Marc Deslauriers wrote:
> On 2015-03-29 12:45 PM, Nick T. wrote:
>> Hello,
>> As some of you should know XChat is unmaintained.
> It's still maintained in Debian and Ubuntu.
>
>> First of all looking at the CVEs at
>> http://www.cvedetails.com/vulnerability-list.php?vendor_id=552&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=4&trc=10&sha=9e5eed6234039ebc435bb6dfadc628228ac11b37
>> I hope that all the fixes have been backported to the current version because
>> that would be a different level of messed up.
> Yes, the packages in Debian and Ubuntu have either been patched, or the CVE
> didn't apply.
>
>> Secondly XChat appears to be vulnerable to sslv3 attacks.
> Both Debian and Ubuntu carry a patch to enable TLSv1.x support.
>
>> Why is the package still in the repos? Even then, why isnt there a huge
>> warning that the package is unmaintained and possibly vulnerable?
>>
> Because it is maintained, and it's not vulnerable.
>
> Marc.
>
>
Is the code public? I cant seem to find any repo with code changes after
2013.
More information about the ubuntu-users
mailing list