XChat....
Marc Deslauriers
marcdeslauriers at videotron.ca
Sun Mar 29 17:53:10 UTC 2015
On 2015-03-29 01:02 PM, Nick T. wrote:
>
>
> On 03/29/2015 07:57 PM, Marc Deslauriers wrote:
>> On 2015-03-29 12:45 PM, Nick T. wrote:
>>> Hello,
>>> As some of you should know XChat is unmaintained.
>> It's still maintained in Debian and Ubuntu.
>>
>>> First of all looking at the CVEs at
>>> http://www.cvedetails.com/vulnerability-list.php?vendor_id=552&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=4&trc=10&sha=9e5eed6234039ebc435bb6dfadc628228ac11b37
>>>
>>> I hope that all the fixes have been backported to the current version because
>>> that would be a different level of messed up.
>> Yes, the packages in Debian and Ubuntu have either been patched, or the CVE
>> didn't apply.
>>
>>> Secondly XChat appears to be vulnerable to sslv3 attacks.
>> Both Debian and Ubuntu carry a patch to enable TLSv1.x support.
>>
>>> Why is the package still in the repos? Even then, why isnt there a huge
>>> warning that the package is unmaintained and possibly vulnerable?
>>>
>> Because it is maintained, and it's not vulnerable.
>>
>> Marc.
>>
>>
>
> Is the code public? I cant seem to find any repo with code changes after 2013.
>
It's being maintained in the source package as patch files.
Marc.
More information about the ubuntu-users
mailing list